IIS_CGI_Decode_Command_Execution...
What is it actually... my firewall has been giving me this warning... what should I do with this?
I am sure people over here can help you but you will have to supply some more information.
Like what OS you are running, what firewall gave you the message and what you were doing while this thing occurred.
Hmmm, well, let's see, IIS is what? Oh yea!!! A web server!!!! And CGI is what??? Common Gateway Interface!!! Usually used for things like logging in. Now, it could be an error on the server of a site you're looking at, but just to be safe, the next time it happens, if it does, look at what you're doing. If you're looking at a site or whatever, just jot it down and reply, so if that's not it we can help more.
I found a couple links, check them out
Here
which leads you to this link Here
After a semi-quick search, this is what I found, I'll continue searching and if I find anything else, I'll post it.
Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice.
I found the same place you did, shagdevil. It was the first link I got by entering IIS_CGI_Decode_Command_Execution in Google.
I believe this is also known as the unicode exploit.
I'm sorry, you asked what you should do with this. Well, assuming you're running IIS 5, open the Run command and enter winver. If you're running with Service Pack 2 or greater, forget about it. If you're not, reformat and do it right, because there's no telling what's on your system now.
A good search engine; most of you will have heard of this, but if you haven't:
www.google.com
Hey Penguin. Not long ago, I learned of a handy tool/application called URLScan, which is part of the IIS Lockdown tool. URLScan can be extracted from the tool if you would only like to use it by itself, although it may be best to use the complete Lockdown tool. Basically, it works by screening all requests to your webserver via the URL, checking to make sure each one meets certain requirements for the request to be processed. It is controlled by a configuration file which you can customize to your liking. You can also have it write daily logs showing a wealth of information such as the attacker's IP, the modified URL they tried to use, what error page was displayed to them, why it was not processed (i.e. a request for an executable like cmd.exe when this is not allowed), the time, and so on... I think it's a pretty nifty tool. I'm sure that it's been around for a while (not sure how long), but I think it's worth mentioning in this situation. The link to the Microsoft page describing it can be found here, and on the same page, you will find a link to more information on the IIS Lockdown Tool in general. I hope this helps you. I've seen unicode attacks in action, and without the proper protection/configuration, they could probably be a problem to the unwary Admin.
Take care,
t2k2
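The kind of request screening described in the post above, applied to the "encoded twice" issue quoted earlier in the thread, as an added example that is not part of the thread and not URLScan's own code. It assumes a simplified "METHOD PATH STATUS" log line; the function names and the sample lines are constructed for illustration.

```python
from urllib.parse import unquote

# Constructed sample request lines (method, URL path, status); not from a real log.
SAMPLE_LOG = [
    "GET /index.html 200",
    "GET /images/logo%20small.gif 200",
    "GET /scripts/..%5c..%5ccmd.exe 404",
    "GET /scripts/..%255c..%255ccmd.exe 404",
    "GET /docs/100%2525.txt 200",
]

def has_traversal(path):
    """True if any path segment is '..' once both slash styles are unified."""
    return ".." in path.replace("\\", "/").split("/")

def classify(raw_path):
    """Decode once, as a server would, then decode again and compare.

    A path that still changes on the second pass was encoded twice, so a
    check made after the first pass never saw its final form.
    """
    once = unquote(raw_path)
    twice = unquote(once)
    findings = []
    if once != twice:
        findings.append("double-encoded")
    if has_traversal(twice):
        findings.append("traversal")
    return findings

def scan(lines):
    """Return (path, findings) for every log line with at least one finding."""
    hits = []
    for line in lines:
        _method, path, _status = line.split()
        findings = classify(path)
        if findings:
            hits.append((path, findings))
    return hits

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_LOG):
        print(f"{path}: {', '.join(findings)}")
```

The last sample line is flagged as double-encoded even though it contains no traversal, which is the false-positive cost of rejecting every URL that is not stable under a second decode.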
/me takes an educated guess...
Some worm-infected server is looking for the same hole in yours...
Common message caused by Nimda, CodeRed etc...
If you have an IIS running, just patch it, if necessary. If you don't, laugh at them. It might be hard to believe, but script kiddies are able to keep using dozens of unicode strings to 'own' an Apache server.. Argh. And defacers dare to call themselves hackers. Yuck!
Another possibility is Nimda or Codered, as it was previously stated. See? Worms are already smarter than script kiddies!