Help deciphering a signature context buffer

mjuckett
Level 1

I saw something unusual today in a context buffer for the "IIS .. Execute bug". The beginning was normal but then it got strange. This is the strange part:

"/ping.exe?/c+-t+127.0.0.1+-i+0"

I realize it was setting ping parameters but the packet destination was our off-site corporate website and the source was from my co-worker. He did not go to that site, nor did he ping his own box. Here is the full context buffer:

"/scripts/%c0%af..%c0%af..%c0%af../winnt/system32/ping.exe?/c+-t+127.0.0.1+-i+0 HTTP/1.1"

I was hoping someone could give an explanation for this as I'm stumped.

Thanks, Megan


mcerha
Level 3

Just tried this command under NT, and it is invalid. The -t option tells ping to keep pinging until interrupted by the user. The -i option sets the TTL of the ping packets. In this case 0, which causes the NT ping command to complain of a bad option. Is your coworker's box infected with Nimda or some other scanning worm / virus?
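The request in the original post uses %c0%af, an overlong two-byte UTF-8 encoding of "/", so that "../" survives the web server's traversal check and ping.exe is reached outside the /scripts virtual root. The following is an added example (not code from the thread or from any product) that folds overlong sequences back to ASCII, decodes the path, and flags request lines that climb out of the virtual root. The sample request lines are constructed for the example; the first one is the buffer from the post, the second a hypothetical variant using an overlong backslash (%c1%9c), and the last two are benign, one of them containing legitimate (non-overlong) UTF-8.

```python
"""Detect overlong-UTF-8 ("Unicode") directory traversal in HTTP request
lines. Added example, not part of the original thread."""
import re
from urllib.parse import unquote_to_bytes, unquote_plus

# Constructed sample request lines (see lead-in).
SAMPLE_REQUESTS = [
    "GET /scripts/%c0%af..%c0%af..%c0%af../winnt/system32/ping.exe?/c+-t+127.0.0.1+-i+0 HTTP/1.1",
    "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /index.html HTTP/1.1",
    "GET /scripts/caf%c3%a9.asp HTTP/1.1",
]

# Method and HTTP version are optional so a bare context buffer also parses.
REQUEST_LINE = re.compile(
    r"^(?:(?P<method>[A-Z]+)\s+)?(?P<target>\S+)(?:\s+HTTP/\d\.\d)?$"
)


def fold_overlong_utf8(raw: bytes) -> tuple[bytes, bool]:
    """Replace overlong two-byte sequences (lead byte 0xC0 or 0xC1, which a
    strict UTF-8 decoder rejects) with the single ASCII byte they encode.
    Returns the folded bytes and whether any overlong form was present.
    0xC0 0xAF -> 0x2F ('/'), 0xC1 0x9C -> 0x5C ('\\')."""
    out = bytearray()
    seen_overlong = False
    i = 0
    while i < len(raw):
        lead = raw[i]
        if lead in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((lead & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            seen_overlong = True
            i += 2
        else:
            out.append(lead)
            i += 1
    return bytes(out), seen_overlong


def escapes_vroot(decoded_path: str) -> bool:
    """True if '..' segments climb above the first directory (the virtual
    root, e.g. /scripts) at any point while walking the path."""
    depth = 0
    for segment in decoded_path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def analyze_request(line: str) -> dict:
    """Decode one request line the way a lenient server would and report
    what it actually resolves to."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a request line: {line!r}")
    path, _, query = m.group("target").partition("?")
    folded, overlong = fold_overlong_utf8(unquote_to_bytes(path))
    # Treat backslash as a separator, as a Windows file system would.
    decoded = folded.decode("utf-8", errors="replace").replace("\\", "/")
    segments = [s for s in decoded.split("/") if s]
    return {
        "method": m.group("method") or "?",
        "decoded_path": decoded,
        "overlong_utf8": overlong,
        "escapes_vroot": escapes_vroot(decoded),
        "executable": segments[-1] if segments else "",
        "command": unquote_plus(query),  # '+' separated arguments to the target
    }


def find_traversals(lines) -> list[dict]:
    """Return the analysis of every line that resolves outside its vroot."""
    return [r for r in map(analyze_request, lines) if r["escapes_vroot"]]


if __name__ == "__main__":
    for hit in find_traversals(SAMPLE_REQUESTS):
        print(f"{hit['method']} -> {hit['executable']} {hit['command']!r} "
              f"(overlong UTF-8: {hit['overlong_utf8']})")
```

Running the block prints only the two traversal attempts; the benign requests, including the one with real UTF-8 in its name, are not flagged because their lead bytes are never 0xC0 or 0xC1 and their paths never climb above the first directory.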
