Hello and welcome to the Tuesday, January 27th, 2006 edition of the Sands International Stormers.

Stormcast, my name is Johannes Ulrich, recording today from Jacksonville, Florida.

And this episode is brought you by the sands.edu underwright certificate program

in Applied Cybersecurity. In Diaries today, we do have a new scanning pattern that apparently

is being used by a couple of IP addresses to scan our web honeypots. The trick here is that they're

adding PWD, the output of the commandpots. The trick here is that they're adding PWD,

the output of the command, actually,

the way it is being written here,

so not just the environment variable.

And the goal here is likely

that they are trying to make sort of dynamically

the path the web server is running in,

part of the URL.

I'm not to ensure how well this will actually work because that's usually the absolute path in the operating system,

while of course the path that are using as part URL is then mapped to specific like web route directories

inside the operating system systems directory structure.

So not sure if it will work, but, well, attackers always try new tricks.

And maybe there are some configurations where this will help the attacker find various

vulnerabilities or data leakage in files.

They're using this with a large number of different URLs,

but a lot of them are sort of these standard environment files and configuration files

that we have seen a lot over the last few years.

...