Home
Topics
Microsoft Enterprise IT Management
Windows Operating System Management
Can you tell me how I was attacked and suggest a remedy?

Can you tell me how I was attacked and suggest a remedy?

In the past, I have applied the patches to my NT4 IIS 4.0 system to address the Web folder traversal/unicode problems (also CodeRed). If I look at my IIS logs, I see plenty of attempts to get to WinNTsystem32cmd.exe but all get turned down.

Last week, one of these attacks was sucessful. Looking in the log, it says that the request was (from memory) for:

/_vti_cnf/../../../../../../../winnt/system32/cmd.exe/c:dir
(I'm not sure if I have exactly the right number of /.. in there).

My system has InetPub on the D drive, and WinNT on the C drive, so I don't see how any number of /.. on the request could possible result in a sucessful GET.

Can you explain this behaviour, and suggest any remedy.
I'm curious to see the exact URL. If the actual request was being passed to an executable or a script, the server may have returned a success (HTTP 200) message, regardless of whether the attacker actually succeeded in executing CMD.EXE. For example, this request could return a success message because someprogram.exe was successfully passed the following parameters:

http://yoursite/cgi-bin/someprogram.exe?./../../../winnt/system32/cmd.ex e

However, no harm could be done unless someprogram.exe knew how to process the portion of the request after the command name--which may be the case, if the attacker was attempting to exploit a known vulnerability.

More News and Tutorials

Articles

Related glossary terms

Terms for Whatis.com - the technology online dictionary

This was first published in December 2001

Join the conversationComment

Share

Comments

Results

Contribute to the conversation

All fields are required. Comments will appear at the bottom of the article.

Back to top

More from Related TechTarget Sites

Windows Server
Exchange
Enterprise Desktop
Cloud computing
SQL Server
IT Channel

Windows Server
- Microsoft delivers patch updates for Windows Server 2012, Windows 8
  
  Microsoft delivered two critical and eight important bulletins in May's Patch Tuesday release, fixing issues in Windows Server 2012 and Office apps.
- Windows Azure Active Directory steps out of the shadows
  
  As Windows Azure Active Directory moves into general availability, we look at how it can help admins manage user authentication in the cloud.
- Steps to read XML files with PowerShell
  
  Wondering how to get PowerShell to read XML files? Our expert explains a few methods you could use.
Exchange
- Dismounted Exchange 2010 database refuses to mount
  
  A frustrated admin wants to know how to remount his Exchange 2010 database after discovering event ID 5003. One of our experts offers proper guidance.
- Exchange Global Address List updates not replicating to sites
  
  For some reason, an admin's Exchange Global Address List updates are not updating to sites. Our expert has several suggestions to fix the issue.
- Replacing Forefront TMG: Alternate reverse-proxy options for Exchange
  
  With the discontinuation of Forefront TMG, Exchange admins are left wondering what to do moving forward. The available options may surprise you.
Enterprise Desktop
- Finding a prescription for desktop security management at Sharp HealthCare
  
  Desktop security policy must cover the use of mobile devices and the cloud. Sharp HealthCare uses a mix of software for desktop security management.
- Windows 8 tools build on native Windows 7 utilities with new capabilities
  
  New and updated Windows 8 tools can help admins and users. Windows 8 utilities include functions for backing up and restoring systems.
- Why a Windows security scan is not enough to protect your workstations
  
  A traditional Windows security scan may lure IT into complacency about desktop vulnerabilities, so look at four areas to beef up Windows security.
Cloud computing
- Sequestration stymies federal government cloud ambitions
  
  The federal government is under mandates to consolidate data centers and deliver IT as a Service, but sequestration makes this easier said than done.
- VMware charges into public cloud IaaS fray as Dell exits
  
  Dell will discontinue its OpenStack and VMware vCloud-based public cloud offerings as VMware delivers its vCloud IaaS.
- Cloud migration obstacles remain for heavily regulated industries
  
  Financial, government and healthcare industries must overcome data security breaches and regulatory issues for a successful cloud migration.
SQL Server
- Database index design and optimization: Some guidelines
  
  What are the latest tips and tricks for database design and optimization? Check out this tip from Basit Farooq to learn more.
- Adam Machanic talks SQL Saturday
  
  We caught up with Adam Machanic, group leader of the New England SQL Server user group, at SQL Saturday Boston. Find out what he shared with us.
- SQL Server meets database application security
  
  Make sure your SQL Server is secure by studying these general guidelines for secure database applications from SQL Server expert Roman Rehak.
IT Channel
- Citrix Summit 2013: Citrix tells partners how to compete in mobility market
  
  One Citrix Summit 2013 presentation focuses on mobile device management (MDM) and mobile app management (MAM) and competitors' strengths, weaknesses.
- Education IT: Education resellers find business among cost-conscious K-12 schools
  
  Read up on three areas in education IT -- A/V projects, Chromebooks and application integration -- in which VARs are reporting increased business.
- Citrix Summit 2013 Q&A with Tom Flink on mobility, account segmentation, deal registration
  
  At Citrix Summit 2013, channel head Tom Flink talks about the company's plans around mobility, changes to the partner program and high-touch accounts.

All Rights Reserved,Copyright - 2013, TechTarget