[CLUE-Tech] Is someone trying to hack me?
David Anselmi
anselmi at americanisp.net
Thu Nov 14 08:51:20 MST 2002
Jason S. Friedman wrote:
> What are these in my apache server logs?
Google would be happy to tell you much, much more.
>
> 63.231.245.155 - - [13/Nov/2002:22:10:21 +0000] "GET
> /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
You can see that this is a request to run the Windows shell. The winnt
directory is outside the web server's root, so this attack uses .. to
traverse up the tree. Normally the request would be refused because the
web server can't cd above its root, but this attack uses Unicode
characters in the path (which are URL encoded to the %25%35%63 you see)
and IIS doesn't do the right thing with Unicode paths.
The other hits you see are variations on the theme.
The real question is what you will see when someone uses a successful
Apache exploit on you.
Dave
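
A log check for the request pattern discussed in this message, as an added example that is not part of the original post: it percent-decodes each request path repeatedly until it stops changing, then flags paths that needed more than one pass or that contain a `..` segment. The function names, the decode cap and the second log line are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"\S+ (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+$')
MAX_ROUNDS = 5  # assumed cap on decode passes, so hostile input cannot loop long

def decode_fully(path):
    """Percent-decode until the string stops changing; return (text, passes)."""
    rounds = 0
    while rounds < MAX_ROUNDS:
        decoded = unquote(path, encoding="latin-1")
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds

def classify(line):
    """Parse one access-log line; return findings, or None if unparseable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    path = m.group("target").split("?", 1)[0]
    decoded, rounds = decode_fully(path)
    segments = re.split(r"[/\\]", decoded)  # treat both separators as path breaks
    return {
        "host": m.group("host"),
        "status": int(m.group("status")),
        "decoded_path": decoded,
        "multi_encoded": rounds > 1,  # an encoded percent sign hid another escape
        "traversal": ".." in segments,
    }

SAMPLE = [
    # the request quoted in the message, joined back onto one line
    '63.231.245.155 - - [13/Nov/2002:22:10:21 +0000] '
    '"GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309',
    # constructed benign request for contrast
    '192.0.2.10 - - [13/Nov/2002:22:11:02 +0000] '
    '"GET /docs/My%20Notes.html HTTP/1.0" 200 1024',
]

def scan(lines):
    """Return findings for lines that show traversal or layered encoding."""
    hits = map(classify, lines)
    return [h for h in hits if h and (h["traversal"] or h["multi_encoded"])]

print(*scan(SAMPLE), sep="\n")
```

The `status` field is kept in each finding so that a flagged request answered with 404, as in the quoted log line, can be told apart from one the server actually served.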