[CLUE-Tech] Is someone trying to hack me?

Adam Bultman adamb at glaven.org
Thu Nov 14 09:07:31 MST 2002


I have an acquaintance at LANL who had a web server hit by the apache
worm...  They forgot to secure a naught-used web server, and it was loaded
with zombie processes from DoSing someone.  The person being DoSed
complained to them.  I thought it was funny. Not the DoSing, but the fact
that LANL had a machine that wasn't secured.


Adam



On Thu, 14 Nov 2002, David Anselmi wrote:

> Jason S. Friedman wrote:
> > What are these in my apache server logs?
>
> Google would be happy to tell you much, much more.
>
> >
> > 63.231.245.155 - - [13/Nov/2002:22:10:21 +0000] "GET
> > /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
>
> You can see that this is a request to run the Windows shell.  The winnt
> directory is outside the web server's root so this attack uses .. to
> traverse up the tree.  Normally the request would be refused because the
> web server can't cd above its root, but this attack uses unicode
> characters in the path (which are URL encoded to the %25%35%63 you see)
> and IIS doesn't do the right thing with unicode paths.
>
> The other hits you see are variations on the theme.
>
> The real question is what will you see when someone uses a successful
> apache exploit on you.
>
> Dave

-- 
Adam Bultman
adam at glaven.org
[ http://www.glaven.org ]
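The log entry quoted in this thread, worked through as an added example that is not part of the original messages: `%25%35%63` percent-decodes to `%5c`, which decodes again to a backslash, so the path only shows its `..\..` traversal after two rounds of decoding. The script decodes each request path until it stops changing and flags what it finds; the function names and the second and third sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache common log format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')
# ".." as a whole path segment, delimited by either slash style
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
MAX_ROUNDS = 5  # assumption: cap on nested encodings we bother to unwrap

def fully_decode(path):
    """Percent-decode until the string is stable; return (decoded, rounds)."""
    rounds = 0
    while rounds < MAX_ROUNDS:
        decoded = unquote(path, encoding="latin-1")
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds

def classify(line):
    """Return a dict describing one access-log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, method, target, status = m.groups()
    decoded, rounds = fully_decode(target.split("?", 1)[0])
    findings = []
    if rounds > 1:
        findings.append("multi-encoded")   # legitimate clients encode once
    if TRAVERSAL_RE.search(decoded):
        findings.append("traversal")
    return {"host": host, "status": int(status),
            "decoded_path": decoded, "findings": findings}

# First line is the entry from the thread (re-joined); the rest are constructed.
SAMPLE_LOG = [
    '63.231.245.155 - - [13/Nov/2002:22:10:21 +0000] "GET '
    '/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309',
    '192.0.2.10 - - [13/Nov/2002:22:11:02 +0000] "GET /docs/my%20file.html HTTP/1.0" 200 1523',
    '192.0.2.11 - - [13/Nov/2002:22:12:40 +0000] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        result = classify(entry)
        if result and result["findings"]:
            print(result["host"], result["status"],
                  result["decoded_path"], result["findings"])
```

The status field is kept in the result because it tells you how the server answered: the 404 in the thread's entry means the request did not find anything to run.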




