Re: [SQU] Security issue

From: Miquel van Smoorenburg <list-squid@dont-contact.us>
Date: Sun, 21 Jan 2001 12:32:36 +0000 (UTC)

In article <001e01c08364$8c6a7850$0100000a@server>,
Awie <awie@eksadata.com> wrote:
>02:08:20 aaa.bbb.ccc.ddd GET /msadc/../../../../../../winnt/system32/cmd.exe 200
>07:19:45 24.142.102.150 GET /msadc/../../../../../../winnt/system32/cmd.exe 200
>10:23:28 24.142.102.150 GET /scripts/../../winnt/system32/cmd.exe 200
>10:40:43 24.142.102.150 GET /scripts/../../inetpub/Jelek.exe 200

This doesn't mean that someone is running cmd.exe on your system.
It's simply someone who is trying to get the URL
/scripts/../../winnt/system32/cmd.exe from a remote server
through your proxy - a "normal" access just like any other.

>10:40:51 aaa.bbb.ccc.ddd GET /scripts/../../winnt/system32/cmd.exe 200
>10:40:56 24.142.102.150 GET /scripts/../../inetpub/Jelek.exe 502
>10:53:24 202.57.0.180 GET /scripts/test.bat"+"+&+dir+c:/+/..\..\..\..\winnt/system32/route.exe 500

It looks like that person is scanning remote websites for vulnerable
CGIs. It doesn't have anything to do with running stuff on your server.

>I don't know why and who runs CMD.EXE from our PROXY. I am really confused
>and surprised because I am 100% sure that RH 6.2 and Squid don't have
>the file CMD.EXE.
>Would someone tell me why CMD.EXE runs in our PROXY? How to secure our
>PROXY? Is my action (change password) correct?

You're confused - your proxy is simply proxying HTTP requests
that happen to have the word "cmd.exe" in the URL.

Mike.

-- 
The From: and Reply-To: addresses are internal news2mail gateway addresses.
Reply to the list or to miquels@traveler.cistron-office.nl (Miquel van Smoorenburg)
--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
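One way to triage log lines like the ones quoted above from the defender's side, as an added example that is not part of the thread or of Squid itself: it parses the five-field excerpt format, flags URLs that carry traversal segments or probe for a command shell on the origin server, and counts them per client address so the scanning client stands out. The line format, the sample addresses and the probe patterns are assumptions modelled on the quoted excerpt.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log in the same shape as the quoted excerpt:
# time, client address, method, URL, HTTP status returned to the client.
SAMPLE_LOG = r"""
02:08:20 10.0.0.1 GET /msadc/../../../../../../winnt/system32/cmd.exe 200
07:19:45 203.0.113.7 GET /msadc/../../../../../../winnt/system32/cmd.exe 200
10:23:28 203.0.113.7 GET /scripts/../../winnt/system32/cmd.exe 200
10:40:56 203.0.113.7 GET /scripts/../../inetpub/Jelek.exe 502
10:45:00 10.0.0.1 GET /index.html 200
10:53:24 198.51.100.9 GET /scripts/test.bat"+"+&+dir+c:/+/..\..\..\..\winnt/system32/route.exe 500
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")

# Traversal in either slash style; the URL is what the client asked the proxy
# to fetch from the origin, not a path on the proxy host itself.
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\")
# Well-known shell/utility targets seen in such scans (assumed list).
SHELL_RE = re.compile(r"/(cmd|route)\.exe$|\.bat\b", re.IGNORECASE)

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    time, client, method, url, status = m.groups()
    return {"time": time, "client": client, "method": method,
            "url": url, "status": int(status)}

def classify(entry):
    """Reasons a request looks like a scan relayed through the proxy."""
    reasons = []
    if TRAVERSAL_RE.search(entry["url"]):
        reasons.append("traversal")
    if SHELL_RE.search(entry["url"]):
        reasons.append("shell-probe")
    return reasons

def summarize(text):
    """Map client address -> {reason: count} over all parsable lines."""
    per_client = defaultdict(Counter)
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for reason in classify(entry):
            per_client[entry["client"]][reason] += 1
    return {client: dict(counts) for client, counts in per_client.items()}
```

The status column reflects the origin server's answer as relayed by the proxy (a 502 means the proxy could not get a valid response upstream), so a 200 here says the remote site answered, not that anything ran on the proxy.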
Received on Sun Jan 21 2001 - 05:34:22 MST