1. Introduction


One of the most common ways Windows machines get hacked is through the command prompt. This is not surprising: it is the shell environment on the Win32 platform, it permits executing commands without a GUI, and it is reached by running a single file, command.com on Win 9x/Me or cmd.exe on Win NT/2K. The file itself is not the problem; the problem is that it can be reached in many ways by anyone who can guess where it is located, and most of the time it sits in the same place because the installation was done with the defaults. This is how most IIS exploits work: they rely on Unicode encoding or a specially formatted string to fool the server into accessing files outside the web directory, make a renamed copy of cmd.exe (because IIS filters commands sent directly to cmd.exe; thanks Microsoft for the great security), and then simply issue commands to that copy through a URL in a web browser. Code Red and Nimda did this automatically.
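The pattern just described leaves a trace in the web server's own logs: a request whose path, once percent-decoded, steps out of the web root or names the command interpreter, or a request that hands a cmd-style `/c` argument to some executable under the scripts directory (which is how a renamed copy of cmd.exe would be driven). The following detector is an added example, not code from the original article; it uses constructed sample lines in the W3C extended format IIS writes, and the field order assumed (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status) is an assumption of this example.

```python
"""Added example: flag web log requests that try to reach a command
interpreter outside the web root.  Not part of the original article."""
import re
from urllib.parse import unquote

# Constructed sample log lines (not real traffic), in the assumed field
# order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
# Line 2 hides parent-directory steps behind percent-encoding; line 3 passes
# a cmd-style /c argument to an executable under /scripts, which is what a
# renamed copy of cmd.exe would be driven with.
SAMPLE_LOG = """\
2001-09-18 10:00:01 10.0.0.5 GET /default.htm - 200
2001-09-18 10:00:02 10.0.0.7 GET /scripts/%2e%2e/%2e%2e/winnt/system32/cmd.exe /c+dir 200
2001-09-18 10:00:03 10.0.0.9 GET /scripts/shell.exe /c+dir 200
2001-09-18 10:00:04 10.0.0.5 GET /images/logo.gif - 304
"""

PARENT_STEP = re.compile(r"(^|/)\.\.(/|$)")                 # a ".." path component
INTERPRETER = re.compile(r"(cmd\.exe|command\.com)$", re.IGNORECASE)
CMD_SWITCH = re.compile(r"^/[ck](\+|%20|\s|$)", re.IGNORECASE)  # cmd's /c or /k


def normalise(raw):
    """Percent-decode until the string stops changing (bounded, so nested
    encodings are unwrapped), then treat backslashes as path separators so
    encoded and mixed-separator forms compare like the plain path."""
    cur = raw
    for _ in range(3):
        dec = unquote(cur)
        if dec == cur:
            break
        cur = dec
    return cur.replace("\\", "/")


def classify(line):
    """Return the list of reasons this request is suspicious (empty if none)."""
    parts = line.split()
    if len(parts) < 7:
        return []
    stem, query = normalise(parts[4]), normalise(parts[5])
    reasons = []
    if PARENT_STEP.search(stem):
        reasons.append("parent-directory step in path")
    if INTERPRETER.search(stem):
        reasons.append("direct reference to command interpreter")
    if stem.lower().endswith(".exe") and CMD_SWITCH.match(query):
        reasons.append("cmd-style /c argument passed to an executable")
    return reasons


def scan(log_text):
    """Return (client ip, raw stem, reasons) for every flagged line."""
    hits = []
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            parts = line.split()
            hits.append((parts[2], parts[4], reasons))
    return hits


if __name__ == "__main__":
    for ip, stem, reasons in scan(SAMPLE_LOG):
        print(f"{ip} {stem}: {'; '.join(reasons)}")
```

Decoding before matching is the point of the example: a filter that looks for a literal `..` or `cmd.exe` in the raw request is exactly what the encoding tricks the article mentions are designed to slip past, so the check has to run on the normalised form.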

Admins may also want to keep an eye on what is going on in the DOS prompts on their users' workstations, since the insider threat remains the greatest concern in computer security. What could secretaries, accountants and other office employees be doing in a DOS prompt that is related to their job? I would not go as far as removing their access to the command prompt, and besides, support people may need it from time to time. But right now, how can you tell that one of the employees on your network is not running a ping scan, or netcatting his way to the restricted file server and making password dumps?

2. Purpose of the program
