Hack attempts I have received in the past couple days

Zachary P. Taylor ztaylor at aloha.net
Sun Jul 8 00:44:45 PDT 2001


I had the same thing, http://localhost/../../winnt/system32/cmd.exe?/(any
command), show up in my error_log. I just reinstalled.

-----Original Message-----
From: Dusty [mailto:dusty at sandust.com]
Sent: Saturday, July 07, 2001 5:09 PM
To: Linux & Unix Advocates & Users
Subject: [luau] Hack attempts I have received in the past couple days


Here are a couple of hack attempts I have received in the past couple of days
that maybe everyone should look for.

------------------start log-------------------------
63.21.73.249 - - [07/Jul/2001:04:58:43 -1000] "GET
/cgi-bin/formmail.pl?recipient=casbird06 at aol.com,pinnacledawg at aol.com&subjec
t=http://www.sandust.org/cgi-bin/formmail.pl&email=PlatinumScan@hunter.com&=
http://www.sandust.org/cgi-bin/formmail.pl
skizan¹·º" 404 -

216.198.90.30 - - [06/Jul/2001:14:55:11 -1000] "GET
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 404 -
------------------end log---------------------------

Both of these were in my web server access logs.  The first one is some
yahoo checking my system for formmail.pl to send SPAM.  I am not running
formmail.pl so he got 404.

The second one is some junior script kiddie trying to use an IIS exploit on
my OpenBSD/Apache system.  MS IIS filters out ../ from URLs so people can't
execute commands via your webserver by doing something like
http://localhost/../../winnt/system32/cmd.exe?/(any command).  But IIS only
looks at ASCII characters.  If you replace ../ with the Unicode equivalent
(..%c1%9c..) then the system will not filter it out and you can run commands
on a Windows system.  Typically people will run tftp from the Windows box to
download backdoors.

Anyway, these are just some of the things to check for in your logs.  I
should read mine more often.

So I asked my accountant, do I get an agriculture
exemption for my server farm?
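
A log check along the lines described in the message above, added here as an example and not part of the original post: it percent-decodes each request path before inspecting it, flags the overlong UTF-8 bytes behind `..%c1%9c..`, and looks for `..` segments and `formmail.pl` requests. The log lines are constructed, and the function names are assumptions of this example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample lines in Apache access-log format (documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Jul/2001:14:55:11 -1000] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 404 -',
    '192.0.2.11 - - [06/Jul/2001:15:02:40 -1000] "GET /../../winnt/system32/cmd.exe?/c+dir" 404 -',
    '192.0.2.12 - - [07/Jul/2001:04:58:43 -1000] "GET /cgi-bin/formmail.pl?recipient=a@example.com" 404 -',
    '192.0.2.13 - - [07/Jul/2001:05:01:00 -1000] "GET /index.html" 200 1043',
]

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ ([^\s"]+)[^"]*" (\d{3})')
# 0xC0 and 0xC1 can only begin an overlong two-byte sequence; valid UTF-8 never uses them.
OVERLONG_RE = re.compile(rb"[\xc0\xc1][\x80-\xbf]")

def lenient_decode(raw):
    """Fold overlong two-byte sequences to the ASCII byte a permissive decoder yields."""
    fold = lambda m: bytes([((m[0][0] & 0x1F) << 6) | (m[0][1] & 0x3F)])
    return OVERLONG_RE.sub(fold, raw)

def classify(target):
    """Return findings for one request target (path plus optional query)."""
    path = target.split("?", 1)[0]
    raw = unquote_to_bytes(path)  # percent-decode first, then inspect
    findings = []
    if OVERLONG_RE.search(raw):
        findings.append("overlong-utf8")
    # Look for ".." segments on the fully normalised path, treating \ like /.
    folded = lenient_decode(raw).replace(b"\\", b"/")
    if b".." in folded.split(b"/"):
        findings.append("traversal")
    if path.lower().endswith("/formmail.pl"):
        findings.append("formmail-probe")
    return findings

def scan(lines):
    """Return (client, status, findings) for every flagged log line."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and classify(m.group(2)):
            hits.append((m.group(1), m.group(3), classify(m.group(2))))
    return hits

if __name__ == "__main__":
    for client, status, findings in scan(SAMPLE_LOG):
        print(client, status, ",".join(findings))
```

The status code is returned with each hit so that a flagged request answered with anything other than 404 stands out.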
