Last week, one of these attacks was sucessful. Looking in the log, it says that the request was (from memory) for:
(I'm not sure if I have exactly the right number of /.. in there).
My system has InetPub on the D drive, and WinNT on the C drive, so I don't see how any number of /.. on the request could possible result in a sucessful GET.
Can you explain this behaviour, and suggest any remedy.
I'm curious to see the exact URL. If the actual request was being passed to an executable or a script, the server may have returned a success (HTTP 200) message, regardless of whether the attacker actually succeeded in executing CMD.EXE. For example, this request could return a success message because someprogram.exe was successfully passed the following parameters:
However, no harm could be done unless someprogram.exe knew how to
process the portion of the request after the command name--which may be
the case, if the attacker was attempting to exploit a known
This was first published in December 2001