On Monday 12 February 2001 18:06, Graham Chiu wrote:
I received multiple error reports from my Zope server tonight, about an object not found at
http://NETSERVER:8080/msadc/..Á%8s../..Á%8s../..Á%8s../winnt/system32/cmd.exe
being called from IP address: 61.156.8.19
This is very odd as my web server is at port 80, and mapped by NAT to 8080.
I presume that this is some sort of attack on my webserver - what are they trying to exploit?
This is an exploit against IIS (probably 4.0) which can potentially run a program. The path has to be exact, and can be foiled by installing IIS in a non-default path (higher or deeper in the hierarchy). It works because of poor handling of 'long' characters, afaik. But since you're not running IIS... As for the address... not sure... maybe the server is logging what IT thinks the port is, and thus using the post-NAT value.
-- Graham Chiu
Have a better one, Curtis Maloney.
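
An added example, not part of the original thread: a log-review helper that flags request paths carrying overlong two-byte UTF-8 forms of `/` or `\`, assuming that is what the reply's 'long' characters refers to. The sample paths and the names `overlong_sequences` and `inspect_path` are constructed for illustration.

```python
from urllib.parse import unquote_to_bytes

# Constructed request paths for illustration; not taken from the original post.
SAMPLES = [
    "/index_html",
    "/docs/caf%c3%a9.html",                      # valid 2-byte UTF-8
    "/msadc/..%c0%af../winnt/system32/cmd.exe",  # overlong form of '/'
    "/msadc/..%c1%9c../winnt/system32/cmd.exe",  # overlong form of '\'
]

def overlong_sequences(raw: bytes):
    """Find 2-byte UTF-8 forms (lead 0xC0/0xC1) that encode a 7-bit character."""
    hits, i = [], 0
    while i < len(raw) - 1:
        lead, cont = raw[i], raw[i + 1]
        if lead in (0xC0, 0xC1) and 0x80 <= cont <= 0xBF:
            code = ((lead & 0x1F) << 6) | (cont & 0x3F)
            hits.append((i, raw[i:i + 2].hex(), chr(code)))
            i += 2
        else:
            i += 1
    return hits

def inspect_path(path: str) -> dict:
    """Compare the path as sent with what a lenient decoder would resolve."""
    raw = unquote_to_bytes(path.split("?", 1)[0])
    hits = overlong_sequences(raw)
    # Rebuild the path the way a decoder that accepts overlong forms sees it.
    lenient = bytearray(raw)
    for off, _, ch in reversed(hits):
        lenient[off:off + 2] = ch.encode("ascii")
    seen = lenient.decode("latin-1").replace("\\", "/")
    try:
        raw.decode("utf-8")  # a strict decoder rejects overlong forms
        strict_ok = True
    except UnicodeDecodeError:
        strict_ok = False
    return {
        "overlong": [(h, ch) for _, h, ch in hits],
        "strict_utf8_ok": strict_ok,
        "traversal_as_sent": "/../" in raw.decode("latin-1").replace("\\", "/"),
        "traversal_when_lenient": "/../" in seen,
    }

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, inspect_path(p))
```

A path that shows no traversal as sent but does once overlong forms are accepted is the case worth alerting on, whatever server answered the request.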