
Can you tell me how I was attacked and suggest a remedy?

In the past, I have applied the patches to my NT4 IIS 4.0 system to address the Web folder traversal/unicode problems (also CodeRed). If I look at my IIS logs, I see plenty of attempts to get to WinNT\system32\cmd.exe but all get turned down.

Last week, one of these attacks was successful. Looking in the log, it says that the request was (from memory) for:

(I'm not sure if I have exactly the right number of /.. in there).

My system has InetPub on the D drive, and WinNT on the C drive, so I don't see how any number of /.. on the request could possibly result in a successful GET.

Can you explain this behaviour, and suggest any remedy?

I'm curious to see the exact URL. If the actual request was being passed to an executable or a script, the server may have returned a success (HTTP 200) message, regardless of whether the attacker actually succeeded in executing CMD.EXE. For example, this request could return a success message because someprogram.exe was successfully passed the following parameters:

http://yoursite/cgi-bin/someprogram.exe?./../../../winnt/system32/cmd.exe

However, no harm could be done unless someprogram.exe knew how to process the portion of the request after the command name--which may be the case, if the attacker was attempting to exploit a known vulnerability.
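A log-triage script that applies the distinction made in the answer above, added here as an example and not part of the original answer: it separates a 200 on a traversal in the URL path itself from a 200 where the traversal string only appears in the query passed to a script. The log excerpt, its `#Fields:` list (IIS W3C extended format) and the IP addresses are constructed.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C extended log excerpt (not from the original post).
# '-' marks an empty field, as IIS writes it.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-10-01 02:14:07 198.51.100.7 GET /scripts/%2e%2e/winnt/system32/cmd.exe /c+dir 404
2001-10-01 02:14:09 198.51.100.7 GET /cgi-bin/someprogram.exe ./../../../winnt/system32/cmd.exe 200
2001-10-01 02:14:11 198.51.100.7 GET /msadc/../../winnt/system32/cmd.exe /c+dir 200
2001-10-01 02:15:00 203.0.113.9 GET /default.htm - 200
"""

TRAVERSAL = re.compile(r"(?:^|/)\.\.(?:/|$)")   # a '..' path segment
TARGET = re.compile(r"cmd\.exe")                 # the file the attempts aim at


def normalise(s: str) -> str:
    """Percent-decode until stable (double encoding), fold '\\' to '/', lowercase."""
    prev = None
    while prev != s:
        prev, s = s, unquote(s)
    return s.replace("\\", "/").lower()


def classify(line: str):
    """Return (verdict, reason) for one log line, or None for header/blank lines."""
    if not line.strip() or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) != 7:
        return ("malformed", line)
    _date, _time, _ip, _method, stem, query, status = fields
    stem_n = normalise(stem)
    query_n = normalise("" if query == "-" else query)
    hit_path = bool(TRAVERSAL.search(stem_n) or TARGET.search(stem_n))
    hit_query = bool(TRAVERSAL.search(query_n) or TARGET.search(query_n))
    if not (hit_path or hit_query):
        return ("benign", "no traversal or cmd.exe in the request")
    if status != "200":
        return ("blocked", f"traversal attempt answered with HTTP {status}")
    if hit_path:
        return ("critical", "HTTP 200 for a traversal in the URL path itself")
    # Traversal only in the query: the 200 means the program at `stem` ran and was
    # handed the string as a parameter, not that cmd.exe itself was reached.
    return ("investigate", f"200 came from {stem}; check what it does with its parameter")


def scan(text: str):
    """Classify every data line; returns [(line_no, verdict, reason), ...]."""
    out = []
    for no, line in enumerate(text.splitlines(), start=1):
        result = classify(line)
        if result is not None:
            out.append((no, *result))
    return out
```

Running `scan(SAMPLE_LOG)` flags the third request as critical and the `someprogram.exe` request as one to investigate, which is the case the answer describes.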
