[lug] Interesting Access Message

Greg Horne jeerygh at hotmail.com
Tue Jul 31 11:38:50 MDT 2001


Damn the crackers!  It appears as if "he" is trying to ping himself eh?  Was 
there a patch released for the unicode bug?

Greg


>From: Calvin Dodge <caldodge at fpcc.net>
>Reply-To: lug at lug.boulder.co.us
>To: lug at lug.boulder.co.us
>Subject: Re: [lug] Interesting Access Message
>Date: Tue, 31 Jul 2001 11:11:01 -0600
>
>On Tue, Jul 31, 2001 at 04:59:24PM +0000, Greg Horne wrote:
> > I was going through my server logs (apache on linux) and I noticed this
> > error message:
> >
> > 24.41.72.83 - - [31/Jull/2001:08:05:39 -0700] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+ping+-n+1+-l+64+-w+1+24.41.72.83 HTTP/1.0" 404 -
> >
> > Has anybody ever seen anything like this???
>
>Yep - I see an average of one a week in my web server logs.
>
>It's an exploit for IIS (the "winnt" is a bit of a giveaway) - getting the 
>web server to "walk up the directory tree" by using non-English equivalents 
>to the "\" character, which are recognized by the file system, but NOT by 
>the (pre-patch) web server.
>
>In this case it looks like they're trying to get your server to ping 
>someone else (probably as part of a DoS attack).
>
>Calvin
>
>--
>Calvin Dodge
>Certified Linux Bigot (tm)
>http://www.caldodge.fpcc.net
>_______________________________________________
>Web Page:  http://lug.boulder.co.us
>Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
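
Added example, not part of the original thread: one way to flag requests like the one quoted above when reviewing Apache access logs. In that request `%255c` decodes once to `%5c` and a second time to `\`, so the check decodes the path repeatedly and then looks for traversal; it generalizes to any nesting depth up to an assumed cap. The function names, `MAX_ROUNDS` and the second sample line are constructed for illustration.

```python
import re
from urllib.parse import unquote

# client, request target and status from an Apache common-log-format line
REQUEST_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+)(?: HTTP/[\d.]+)?" (\d{3})')
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")   # "..\" or "../" once decoded
MAX_ROUNDS = 5                            # assumed cap on nested encodings

SAMPLE_LINES = [
    # the request quoted in the thread, re-joined onto one line
    '24.41.72.83 - - [31/Jull/2001:08:05:39 -0700] "GET /scripts/..%255c..%255c'
    'winnt/system32/cmd.exe?/c+ping+-n+1+-l+64+-w+1+24.41.72.83 HTTP/1.0" 404 -',
    # constructed benign request with one ordinary layer of encoding
    '192.0.2.10 - - [31/Jul/2001:08:06:02 -0700] "GET /docs/a%20b.html HTTP/1.0" 200 512',
]


def decode_rounds(path):
    """Percent-decode until stable; return (decoded, rounds that changed it)."""
    rounds = 0
    while rounds < MAX_ROUNDS:
        decoded = unquote(path, encoding="latin-1")
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds


def classify(line):
    """Return a finding dict for a suspicious line, None otherwise."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target, status = m.groups()
    decoded, rounds = decode_rounds(target.split("?", 1)[0])
    reasons = []
    if rounds > 1:
        reasons.append("multiply-encoded path")
    if TRAVERSAL_RE.search(decoded):
        reasons.append("directory traversal after decoding")
    if "cmd.exe" in decoded.lower():
        reasons.append("cmd.exe requested")
    return {"client": client, "status": int(status), "rounds": rounds,
            "decoded_path": decoded, "reasons": reasons} if reasons else None


if __name__ == "__main__":
    print([classify(entry) for entry in SAMPLE_LINES])
```

On an Apache/Linux host such a request ends in a 404, as in the log above; the finding is mainly useful for spotting which clients are scanning.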

