Cisco Support Community

Help deciphering a signature context buffer

I saw something unusual today in a context buffer for the "IIS .. Execute bug". The beginning was normal but then it got strange. This is the strange part:

"/ping.exe?/c+-t+127.0.0.1+-i+0"

I realize it was setting ping parameters but the packet destination was our off-site corporate website and the source was from my co-worker. He did not go to that site, nor did he ping his own box. Here is the full context buffer:

"/scripts/%c0%af..%c0%af..%c0%af../winnt/system32/ping.exe?/c+-t+127.0.0.1+-i+0 HTTP/1.1"

I was hoping someone could give an explanation for this as I'm stumped.

Thanks, Megan


Re: Help deciphering a signature context buffer

Just tried this command under NT, and it is invalid. The -t option tells ping to keep pinging until interrupted by the user. The -i option sets the TTL of the ping packets, in this case 0, which causes the NT ping command to complain of a bad option. Is your coworker's box infected with Nimda or some other scanning worm / virus?
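
One way to decode the full context buffer quoted in the question, as an added example that is not part of the original thread: `%c0%af` percent-decodes to the bytes C0 AF, an overlong two-byte UTF-8 form of `/`, so the request path climbs out of `/scripts` with `..` segments and names `ping.exe` under `winnt/system32`. The function names `fold_overlong` and `decipher` are hypothetical.

```python
import re
from urllib.parse import unquote_to_bytes, unquote_plus

# Context buffer quoted in the question above.
SAMPLE = "/scripts/%c0%af..%c0%af..%c0%af../winnt/system32/ping.exe?/c+-t+127.0.0.1+-i+0 HTTP/1.1"

def fold_overlong(raw: bytes):
    """Replace overlong 2-byte UTF-8 forms (lead byte C0 or C1) with the
    ASCII byte they encode, and report each one found."""
    hits = []
    def repl(match):
        lead, cont = match.group(0)
        value = ((lead & 0x1F) << 6) | (cont & 0x3F)   # always < 0x80
        hits.append((match.group(0).hex(), chr(value)))
        return bytes([value])
    return re.sub(rb"[\xc0\xc1][\x80-\xbf]", repl, raw), hits

def decipher(context_buffer: str) -> dict:
    """Decode a request target as a decoder that accepts overlong forms
    would, so the analyst sees the path the request was really naming."""
    target = context_buffer.strip('"').split(" HTTP/")[0]
    path, _, query = target.partition("?")
    folded, hits = fold_overlong(unquote_to_bytes(path))
    resolved, escapes_root = [], False
    for segment in folded.decode("latin-1").split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if resolved:
                resolved.pop()
            else:
                escapes_root = True        # climbed above the URL root
        else:
            resolved.append(segment)
    return {
        "overlong": hits,
        "resolved_path": "/" + "/".join(resolved),
        "escapes_root": escapes_root,
        "args": unquote_plus(query).split(),
    }

if __name__ == "__main__":
    for key, value in decipher(SAMPLE).items():
        print(f"{key}: {value}")
```

A strict UTF-8 decoder rejects C0 and C1 lead bytes outright, so any entry in `overlong` is worth flagging on its own, whatever the path resolves to.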
