Re: [cobalt-users] Extensive Hack Attack - Was C drive hack
- From: "Jamie Martino" <webmaster1@xxxxxxx>
- Date: Tue Sep 18 17:01:13 2001
- Organization: WebConnection.Net, Inc.
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
> >> www.site.com 216.234.235.118 - - [18/Sep/2001:06:49:52 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
> >>
> >> www.site.com 216.234.199.92 - - [18/Sep/2001:06:51:19 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 302 231 "-" "-"
> >>
> >> www.adifferentsite.com 66.12.10.51 - - [18/Sep/2001:06:51:16 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 254 "-" "-"
> > Ditto, the frequency is much worse than Code Red or Code Red II.
> > I'm guessing that I'm logging more than 100 per minute.
> > Major pain. Any way to detect the origin or at least a waypoint?
> >
> I just read this at Slash, looks like a new worm
> http://slashdot.org/articles/01/09/18/151203.shtml
> --
> Thank you,
> David E Thurman
> Web Presence Group
> 309.676.5688
Hello list, I did this:
cat /var/log/httpd/access | grep cmd.exe | wc -l
and I got over 5000 hits for it already since log rotation at 4:30am... it
is now almost 3:00pm... I did a tail -f and all I can see is this thing..
We got more than 200 hits in less than 15 minutes and it's only gonna get
worse.. :(
-Jamie-
http://w-c.net
WebConnection.Net, Inc.
In a mad world, only the mad are sane...
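
The counts discussed in this thread, broken down per source address and per minute: an added example, not part of the original posts. It assumes the vhost-prefixed log layout of the quoted lines; the `192.0.2.x` entries and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed field layout, taken from the
# quoted lines: vhost client-ip ident user [time tz] "request" status bytes ...

# Match the probe only inside the quoted request field, so a referer that
# merely mentions cmd.exe is not counted as a hit.
PROBE='"GET [^"]*(cmd[.]exe|root[.]exe)'

# probe_sources: log on stdin -> "count ip", busiest client first
probe_sources() {
    awk -v re="$PROBE" '$0 ~ re { hits[$2]++ }
        END { for (ip in hits) print hits[ip], ip }' | sort -k1,1nr -k2,2
}

# probes_per_minute: log on stdin -> "count dd/Mon/yyyy:hh:mm", oldest first
probes_per_minute() {
    awk -v re="$PROBE" '$0 ~ re { m = substr($5, 2, 17); per[m]++ }
        END { for (m in per) print per[m], m }' | sort -k2,2
}

# sample_log: the three lines quoted above plus constructed 192.0.2.x lines
sample_log() {
    cat <<'EOF'
www.site.com 216.234.235.118 - - [18/Sep/2001:06:49:52 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
www.site.com 216.234.199.92 - - [18/Sep/2001:06:51:19 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 302 231 "-" "-"
www.adifferentsite.com 66.12.10.51 - - [18/Sep/2001:06:51:16 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 254 "-" "-"
www.site.com 192.0.2.10 - - [18/Sep/2001:06:51:40 -0700] "GET /index.html HTTP/1.0" 200 1024 "http://example.com/search?q=cmd.exe" "-"
www.site.com 192.0.2.77 - - [18/Sep/2001:06:51:50 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 254 "-" "-"
www.site.com 192.0.2.77 - - [18/Sep/2001:06:52:03 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
EOF
}

# Stand-alone run: summarise a log file given as $1, else the sample above.
if [ -n "${1:-}" ]; then
    probe_sources < "$1"
    probes_per_minute < "$1"
else
    sample_log | probe_sources
    sample_log | probes_per_minute
fi
```

The addresses reported are the hosts that opened the connections to the web server; the log carries nothing about hops beyond them.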