Incidents
www.google.com reference in directory-traversal attack Jul 14 2003 05:35PM
sgt_b (sgt_b2002 yahoo com) (4 replies)
Re: www.google.com reference in directory-traversal attack Jul 15 2003 11:34AM
Sam Baskinger (sam reefedge com)
Re: www.google.com reference in directory-traversal attack Jul 15 2003 03:21AM
Paul Dokas (dokas cs umn edu)
RE: www.google.com reference in directory-traversal attack Jul 14 2003 09:11PM
David Gillett (gillettdavid fhda edu)
Re: www.google.com reference in directory-traversal attack Jul 14 2003 08:56PM
Chris Ess (azarin tokimi net)
> I've included a link to a tcpdump taken that shows a standard IIS
> directory-traversal attack. I was looking over the packets and noticed a
> reference to www.google.com. Could someone take a look, and let me know
> what this is being used for?
>
> http://12.208.102.165/attack3.dump
> attack3.dump=1.6kb

Okay. I'm going to make a guess here.

The GET string, excerpted below, indicates that it is using HTTP/1.1:
GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\script.exe HTTP/1.1

(Pretty nice URL by the way.)

In order to make a valid HTTP/1.1 request, you have to specify a host name
(I think the proper terminology is 'host header') for the request. I'm
guessing that whoever devised this tool decided to just throw in
'www.google.com' as a host header. Under IIS, if you specify a host name
that is not configured, it falls back on the first virtual host that is
configured for the IP. So by specifying 'www.google.com', they pretty
much guarantee that they will fall to the first host -- and on a default
IIS install, this will be the default web site which lives under
c:\inetpub\wwwroot

So this is my armchair one minute guess-analysis. Hope it helps somewhat.

Sincerely,

Christopher Ess
System Administrator / CDTT (Certified Duct Tape Technology)


Copyright 2008, SecurityFocus