
Re: [cobalt-users] Extensive Hack Attack - Was C drive hack



on 9-18-01 8:49 AM, Paul Alcock at webmgr@xxxxxxxxxxxxxxxxxx was reported to
have made a statement that said this:

>> I am getting a lot of these logged on every IP routed to my
>> machine that has
>> a site.
>> 
>> www.site.com 216.234.235.118 - - [18/Sep/2001:06:49:52 -0700] "GET
>> /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
>> 
>> www.site.com 216.234.199.92 - - [18/Sep/2001:06:51:19 -0700] "GET
>> /MSADC/root.exe?/c+dir HTTP/1.0" 302 231 "-" "-"
>> 
>> www.adifferentsite.com 66.12.10.51 - - [18/Sep/2001:06:51:16 -0700] "GET
>> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302
>> 254 "-" "-"
> Ditto, the frequency is much worse than code red or code red II
> I'm guessing that I'm logging more than 100 per minute.
> Major pain. Any way to detect the origin or at least a waypoint?
> 
> 
> --sig
> Paul Alcock
> 
> 
> 
I just read this at Slash, looks like a new worm
http://slashdot.org/articles/01/09/18/151203.shtml
--
Thank you,
David E Thurman
Web Presence Group
309.676.5688
dthurman@xxxxxxxxxxxxxxxxxxxx
http://www.webpresencegroup.net
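
The probes quoted in this thread can be tallied per source address, virtual host and response status straight from the access log. This is an added example, not part of the original messages: the function names and the fourth sample line are constructed, and the address counted is only the one the web server saw connect.

```python
import re
from collections import Counter

# The three log lines quoted in the thread (mail line-wrapping undone),
# plus one constructed benign request for contrast.
SAMPLE_LOG = """\
www.site.com 216.234.235.118 - - [18/Sep/2001:06:49:52 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
www.site.com 216.234.199.92 - - [18/Sep/2001:06:51:19 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 302 231 "-" "-"
www.adifferentsite.com 66.12.10.51 - - [18/Sep/2001:06:51:16 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 254 "-" "-"
www.site.com 192.0.2.10 - - [18/Sep/2001:06:52:00 -0700] "GET /index.html HTTP/1.0" 200 1042 "-" "Mozilla/4.0"
"""

# Layout seen in the thread: vhost, client IP, two ident fields, timestamp,
# request line, status, size.
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Request targets that name a Windows command shell binary, as in the
# cmd.exe and root.exe requests quoted above.
PROBE_RE = re.compile(r'/(?:cmd|root)\.exe(?:\?|$)', re.IGNORECASE)


def find_probes(log_text):
    """Return one dict per log line whose request target matches PROBE_RE."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and PROBE_RE.search(m.group("target")):
            hits.append(m.groupdict())
    return hits


def summarize(hits):
    """Count probes by source IP, by virtual host and by HTTP status."""
    by_ip = Counter(h["ip"] for h in hits)
    by_vhost = Counter(h["vhost"] for h in hits)
    by_status = Counter(h["status"] for h in hits)
    return by_ip, by_vhost, by_status


if __name__ == "__main__":
    by_ip, by_vhost, by_status = summarize(find_probes(SAMPLE_LOG))
    for label, counts in (("source", by_ip), ("vhost", by_vhost), ("status", by_status)):
        for key, n in counts.most_common():
            print(f"{label:7} {key:24} {n}")
```

Any status other than 4xx in the per-status count is worth a look at how the server handles unknown paths, since the quoted lines show both 400 and 302 responses.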