[lug] Interesting Access Message
caldodge at fpcc.net
Tue Jul 31 11:11:01 MDT 2001
On Tue, Jul 31, 2001 at 04:59:24PM +0000, Greg Horne wrote:
> I was going through my server logs (apache on linux) and I noticed this
> error message:
> 220.127.116.11 - - [31/Jull/2001:08:05:39 -0700] "GET
> HTTP/1.0" 404 -
> Has anybody ever seen anything like this???
Yep - I see an average of one a week in my web server logs.
It's an exploit for IIS (the "winnt" is a bit of a giveaway) - getting the web server to "walk up the directory tree" by using non-English equivalents to the "\" character, which are recognized by the file system, but NOT by the (pre-patch) web server.
In this case it looks like they're trying to get your server to ping someone else (probably as part of a DOS attack).
Certified Linux Bigot (tm)
More information about the LUG