Help deciphering a signature context buffer

May 30th, 2002

I saw something unusual today in a context buffer for the "IIS .. Execute bug". The beginning was normal but then it got strange. This is the strange part:


"/ping.exe?/c+-t+127.0.0.1+-i+0"


I realize it was setting ping parameters but the packet destination was our off-site corporate website and the source was from my co-worker. He did not go to that site, nor did he ping his own box. Here is the full context buffer:


"/scripts/%c0%af..%c0%af..%c0%af../winnt/system32/ping.exe?/c+-t+127.0.0.1+-i+0 HTTP/1.1"


I was hoping someone could give an explanation for this as I'm stumped.


Thanks, Megan


mcerha Thu, 05/30/2002 - 07:51

Just tried this command under NT, and it is invalid. The -t option tells ping to keep pinging until interrupted by the user. The -i option sets the TTL of the ping packets. In this case it is 0, which causes the NT ping command to complain of a bad option. Is your coworker's box infected with Nimda or some other scanning worm / virus?
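
Added example, not part of either post above: a small Python decoder for the quoted context buffer. `%c0%af` is an overlong two-byte UTF-8 encoding of `/`, so the script folds such sequences back to ASCII, resolves the `..` segments, and splits the query string into the ping arguments discussed in the reply. The function names `decode_overlong` and `analyze` are illustrative assumptions.

```python
from urllib.parse import unquote_to_bytes

# The context buffer quoted in the question, used as sample input.
SAMPLE = ("/scripts/%c0%af..%c0%af..%c0%af../winnt/system32/ping.exe"
          "?/c+-t+127.0.0.1+-i+0 HTTP/1.1")


def decode_overlong(raw: bytes):
    """Fold overlong 2-byte UTF-8 forms (lead byte 0xC0/0xC1) back to ASCII.

    Returns (text, hits); hits lists (hex bytes, decoded char) per sequence.
    """
    out, hits, i = [], [], 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and raw[i + 1] & 0xC0 == 0x80:
            ch = chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            hits.append((raw[i:i + 2].hex(), ch))
            out.append(ch)
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out), hits


def analyze(buffer: str) -> dict:
    """Break a logged request line into what the server would have resolved."""
    target = buffer.split(" ")[0]            # drop the trailing " HTTP/1.1"
    path, _, query = target.partition("?")
    decoded, hits = decode_overlong(unquote_to_bytes(path))
    parts, above_root = [], 0
    for seg in decoded.replace("\\", "/").split("/"):
        if seg == "..":
            if parts:
                parts.pop()
            else:
                above_root += 1               # stepped above the URL root
        elif seg not in ("", "."):
            parts.append(seg)
    return {
        "overlong": hits,
        "resolved": "/".join(parts),
        "above_root": above_root,
        "args": query.split("+") if query else [],
        "suspicious": bool(hits) or above_root > 0,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key:>10}: {value}")
```

Run against web server or IDS logs, the `suspicious` flag marks any request line that carries an overlong encoding or climbs above the URL root, which is the pattern the signature fired on here.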
