[Zope] msadc exploit?
Curtis Maloney
curtis@cardgate.net
Tue, 13 Feb 2001 10:33:25 +1100
On Monday 12 February 2001 18:06, Graham Chiu wrote:
> I received multiple error reports from my Zope server
> tonight, about an object not found at
>
http://NETSERVER:8080/msadc/..=C1%8s../..=C1%8s../..=C1%8s../winnt/system=
32/cmd.exe
>
> being called from ip address: 61.156.8.19
>
> This is very odd as my web server is at port 80, and mapped
> by NAT to 8080.
>
> I presume that this is some sort of attack on my webserver -
> what are they trying to exploit?
>
This is an exploit against IIS (probably 4.0) which can potentialy run a=20
program. The path has to be exact, and can be foiled by installing IIS i=
n a=20
non-default path (higher or deeper in the heirarchy).
It works because of poor handling of 'long' characters, afaik.
But since you're not running IIS...
As for the address... not sure... maybe the server is logging what IT thi=
nks=20
the port is, and thus using the post-NAT value.
> --
> Graham Chiu
Have a better one,
Curtis Maloney.