URL_Directory_Traversal attack

Printable View

July 20th, 2004, 09:37 PM
foxyloxley

URL_Directory_Traversal attack

Ok, I've just got the following message from Norton NetSec 2004:

Quote:

A computer with the IP address 127.0.0.1 sent information
that is characteristic of the URL_Directory_Traversal attack.

Question is. What is this exactly ?
is it a 'normal' operation ?
is there something I'm doing / not doing ?

I'm still finding my feet when it comes to securing my system.
I'm aware of what 127.0.0.1 is,

http://www.microsoft.com/windows2000...ting_table.htm

From Google (our friend)

OS = Win 2K Pro SP4 all patches, IE 6 all patches.

I run AdAware, SpyBot S+D v1.3, Swatit Pro, Registry Mechanic.
All updated, all ran recently, those that can, run in the back ground all the time.

http://www.dslreports.com/forum/rema...4715~mode=flat

Checked here, and the tale is that it isn't much of a worry, but I would appreciate some feedback to calm these frazzled nerves...................

Thanks in advance
July 20th, 2004, 09:42 PM
AngelicKnight

I'm having similar problems, though slightly different. My firewall is sending me multiple warnings every day that IP spoofs are being attempted. They're false positives, however, because they originate 127.0.0.1 and CA is their destination (I'm presuming this is during signature updates).
July 20th, 2004, 10:14 PM
Tiger Shark

Er.... You really shouldn't be using your IDS to surf the web etc. I kinda defeats the purpose of the IDS. It needs to be secure, browsing the web makes it insecure..... 'nuff said?

127.0.0.1 should not be alerted upon, create a "pass rule" for 127.0.0.1 and it will be ignored.

NOTE: Be careful with "pass" rules, they can bite you in the ass.

The directory traversal attack is where the attacker tries, through various means, to move up the directory tree and then often back down again to another directory. kinda like issuing a:-

cd\ <ENTER>
cd winnt\system32 <ENTER>

and then attemting to execute cmd.exe for example.

If the target's permissions are correctly set a 404 will be returned, if not then you are in trouble because your permissions will allow execution of any application the attacker wishes that can be executed with command line switches and the output can be returned to the attacker.