Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [FW1] Security breach

To: "Rick Inzerillo" <[email protected]>, <[email protected]>
Subject: RE: [FW1] Security breach
From: "Adams, Gavin" <[email protected]>
Date: Tue, 5 Jun 2001 12:01:25 -0300
Sender: [email protected]
Thread-index: AcDtzgCeYb/PMawCQvKNTzjrCytgkgAAhp+g
Thread-topic: [FW1] Security breach

The port number you are seeing is the source port of the connection, not
the destination port (which is port 80 in your case). 

The exploit you're seeing is the IIS UNICODE. Unsure of the payload.


--- Gavin Adams
Promisant Ltd.
Bermuda

> -----Original Message-----
> From: Rick Inzerillo [mailto:[email protected]]
> Sent: Monday, June 04, 2001 12:10
> To: [email protected]
> Subject: [FW1] Security breach
> 
> 
> Can anyone advise on how to stop people from somehow
> using http to bypass the security policy and
> connecting to other ports?  I get references in my
> firewall1 log like this:
> 
> "accept"  "http"  "attacker"  "srvr (valid Address)"
> "tcp"  "13"  "50776"
> "accept"  "http"  "attacker"  "srvr (Valid Address)"
> "tcp"  "13"  "50933"
> "accept"  "http"  "attacker"  "srvr (Valid Address)"
> "tcp"  "13"  "50935"
> 
> 
> Rule 13 only allows http.  How are they doing this?
> Any idea?
> 
> the web server that was scanned has entries like this:
> /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
> /c+dir 404 3 604 66 80 -
> (this may be part of sadmind?)
> 
> although im unsure if the web server furnished the
> request, the "404" would seem to indicate not.
> 
> Any help would be appreciated
> 
> Rick
> 
> __________________________________________________
> Do You Yahoo!?
> Get personalized email addresses from Yahoo! Mail - only $35
> a year!  http://personal.mail.yahoo.com/
> 
> 
>
========================================================================
==
> ======
>      To unsubscribe from this mailing list, please see the
instructions at
>                http://www.checkpoint.com/services/mailing.html
>
========================================================================
==
> ======



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

Prev by Date: RE: [FW1] Logs between MNGT and modules
Next by Date: Re: [FW1] IPSO 3.4 available *and* FW-1 4.1 SP4
Previous by thread: [FW1] Security breach
Next by thread: RE: [FW1] Security breach
Index(es):
- Date
- Thread