HTTP URL contains old DOS filename
Summary
An attempt was made to access a file using its DOS-based 8.3 character convention.
Details
First, be aware that this is probably not an attack. It indicates an anomaly in the network traffic, which is sometimes caused by a bug in server configuration. It is also sometimes seen in traffic going out of your machine.
You should only consider this an attack if you are running a web server. In this case, it probably indicates a hacker attempting to bypass normal security checks by re-formatting filenames using the 8.3 character convention.
Windows is related to the older DOS operating system, which limited names to 8 characters followed by a 3-letter extension. This means you could have a filename like "ABCDEFGH.GIF", but not anything longer. Starting with Windows 95, Microsoft added "long filenames". For example, under Windows, programs are located in the directory "Program Files", a name that would be impossible under the older version of DOS.
However, Windows supports backwards compatibility. This means that it still supports DOS, in a fashion, and it therefore stores every file and directory both under its real name and under an older DOS name. It uses a technique called "name mangling" to accomplish this. Thus, you could also access the "Program Files" directory under the DOS-compatible name "PROGRA~1".
Hackers can exploit this backwards compatibility by attempting to access files using the "mangled" name rather than the real name. This can sometimes bypass security checks, or it can dump the contents of a script (which may reveal secret keys to the system to the hacker).
This alert triggers whenever a DOS 8.3 mangled name is seen.
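The check described above can be reproduced over web server logs. The following is an added example, not the product's own signature logic: the pattern is an assumed approximation of the mangled-name shape (up to 6 characters, "~", a numeric tail, optional extension of up to 3 characters), and the function names and log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumed shape of a mangled short-name base: 1-6 characters, "~", numeric tail.
TAIL = re.compile(r"[^~\s]{1,6}~[0-9]{1,6}")
# Request target inside a common-log-format field: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[0-9.]+"')

def is_mangled(segment):
    """True if one path segment has the 8.3 short-name shape (e.g. PROGRA~1)."""
    base, _, ext = segment.partition(".")
    return (len(base) <= 8 and len(ext) <= 3 and "." not in ext
            and TAIL.fullmatch(base) is not None)

def find_mangled(url):
    """Return the path segments of a URL that look like mangled 8.3 names."""
    # Decode first so an encoded tilde (%7E) cannot hide the name.
    path = unquote(urlsplit(url).path)
    # Split on both separators, since Windows servers may accept backslashes.
    return [s for s in re.split(r"[/\\]", path) if is_mangled(s)]

def scan(log_lines):
    """Return (line number, segments) for each log line that would alert."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        found = find_mangled(m.group(1)) if m else []
        if found:
            hits.append((n, found))
    return hits

# Constructed sample log lines (not taken from the page).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:10:00:00 +0000] "GET /scripts/default.asp HTTP/1.0" 200 512',
    '192.0.2.11 - - [01/Jan/2000:10:00:05 +0000] "GET /PROGRA~1/readme.txt HTTP/1.0" 404 0',
    '192.0.2.12 - - [01/Jan/2000:10:00:09 +0000] "GET /scripts/LONGSC%7E1.ASP HTTP/1.0" 200 900',
    '192.0.2.13 - - [01/Jan/2000:10:00:12 +0000] "GET /~alice/index.html HTTP/1.0" 200 128',
    '192.0.2.14 - - [01/Jan/2000:10:00:20 +0000] "GET /banners/TESTBA~1.GIF HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for line_no, names in scan(SAMPLE_LOG):
        print(f"line {line_no}: 8.3 mangled name(s) {names}")
```

The "~alice" home-directory request is not flagged because a tilde at the start of a segment does not fit the mangled shape, while the banner request on the last line is flagged even though it matches the benign pattern described under False Positives.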
False Positives
Some websites are misconfigured to use the DOS 8.3 mangled names. In particular, we are seeing the "adforce" website advertising system using test banners with this convention.
Version appeared: 1.8.6