[lug] Interesting Access Message
gsexton at mhsoftware.com
Tue Jul 31 11:44:30 MDT 2001
Months ago. Interestingly, the SADMIND worm used it. That worm hooked into
Solaris servers and then attacked NT servers. It used a series of ECHO
commands to deface sites. Of course, that particular one only worked on
servers that had the INETPUB directory on a partition with no security (e.g.
FAT). One of my customers got hit by it.
From: lug-admin at lug.boulder.co.us [mailto:lug-admin at lug.boulder.co.us]On
Behalf Of Greg Horne
Sent: 31 July, 2001 11:39 AM
To: lug at lug.boulder.co.us
Subject: Re: [lug] Interesting Access Message
Damn the crackers! It appears as if "he" is trying to ping himself eh? Was
there a patch released for the unicode bug?
>From: Calvin Dodge <caldodge at fpcc.net>
>Reply-To: lug at lug.boulder.co.us
>To: lug at lug.boulder.co.us
>Subject: Re: [lug] Interesting Access Message
>Date: Tue, 31 Jul 2001 11:11:01 -0600
>On Tue, Jul 31, 2001 at 04:59:24PM +0000, Greg Horne wrote:
> > I was going through my server logs (apache on linux) and I noticed this
> > error message:
> > 220.127.116.11 - - [31/Jull/2001:08:05:39 -0700] "GET
> > HTTP/1.0" 404 -
> > Has anybody ever seen anything like this???
>Yep - I see an average of one a week in my web server logs.
>It's an exploit for IIS (the "winnt" is a bit of a giveaway) - getting the
>web server to "walk up the directory tree" by using non-English equivalents
>to the "\" character, which are recognized by the file system, but NOT by
>the (pre-patch) web server.
>In this case it looks like they're trying to get your server to ping
>someone else (probably as part of a DOS attack).
>Certified Linux Bigot (tm)
>Web Page: http://lug.boulder.co.us
>Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
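The probe described in this thread can be picked out of an Apache access log by looking for overlong UTF-8 sequences that decode to a path separator. The following is an added example, not part of the original thread: the log lines, addresses and function names are constructed, and it assumes the "equivalents" of the slash characters are overlong two-byte encodings such as %c0%af and %c1%9c.

```python
import re
from urllib.parse import unquote

# Lead bytes 0xC0/0xC1 can only encode code points below 0x80, which UTF-8
# requires to be a single byte, so any %c0%xx or %c1%xx pair is overlong.
OVERLONG = re.compile(r"%(c[01])%([89ab][0-9a-f])", re.IGNORECASE)
# Common Log Format: client ident user [time] "METHOD path proto" status size
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# A ".." path segment delimited by either slash style
DOTDOT = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def decode_overlong(path):
    """Replace each overlong two-byte sequence with the ASCII character it hides."""
    def repl(m):
        lead, cont = int(m.group(1), 16), int(m.group(2), 16)
        return chr(((lead & 0x1F) << 6) | (cont & 0x3F))
    return OVERLONG.sub(repl, path)


def classify(line):
    """Parse one access-log line; return None if it is not in the expected format."""
    m = REQUEST.match(line)
    if m is None:
        return None
    client, _method, raw, status = m.groups()
    decoded = unquote(decode_overlong(raw))
    return {"client": client, "status": int(status), "decoded": decoded,
            "overlong": OVERLONG.search(raw) is not None,
            "traversal": DOTDOT.search(decoded) is not None}


def probes(lines):
    """Requests that hide a separator in an overlong encoding to climb directories."""
    return [r for r in map(classify, lines)
            if r and r["overlong"] and r["traversal"]]


# Constructed sample lines (documentation address ranges, placeholder paths)
SAMPLE_LOG = [
    '192.0.2.10 - - [31/Jul/2001:08:05:39 -0700] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [31/Jul/2001:08:05:41 -0700] "GET /dir/..%c0%af../winnt/placeholder HTTP/1.0" 404 -',
    '198.51.100.7 - - [31/Jul/2001:08:05:42 -0700] "GET /docs/..%C1%9C../x HTTP/1.0" 404 -',
]

if __name__ == "__main__":
    for hit in probes(SAMPLE_LOG):
        print(hit["client"], hit["status"], hit["decoded"])
```

On a server that is not the target platform these requests end in 404, as in the log entry quoted above, so the hits are mainly useful for spotting which clients are scanning.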