RE: [cobalt-users] Thanks Jay and Tim, another question... Done it myself..
- Subject: RE: [cobalt-users] Thanks Jay and Tim, another question... Done it myself..
- From: "Dan Kriwitsky" <list1@xxxxxxxxxxxxxxxxxxxx>
- Date: Thu Jun 27 19:33:27 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
>
> /scripts/..%255c%255c../winnt/system32/cmd.exe
> /scripts/..%252f../winnt/system32/cmd.exe
> /scripts/.%252e/.%252e/winnt/system32/cmd.exe
> /scripts/..%255c../winnt/system32/cmd.exe
> /d/winnt/system32/cmd.exe
> /scripts/root.exe
I think all of the above may be other infected servers looking for open
NT servers. There were some scripts or changes to access.conf that can
be made to redirect those to http://127.0.0.1. A quick Google for
/winnt/system32 .htacces brings up: http://www.addme.com/issue222.htm
> /cgi-bin/formmail.pl
If you don't have the old formmail.pl that's vulnerable, you need not
worry about that one. Every site gets scanned for it. There's a couple
of sites out there with scripts that capture the IP of the abuser and
automagically notify the admin. Too bad AOL doesn't read the mail.
>
> inetnum: 211.94.128.0 - 211.94.159.255
> descr: China united telecommunications corporation
Good luck getting an answer from there about abuse.
--
Dan Kriwitsky
Please reply to the list only. Offlist replies are not read.
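
Added example, not part of the original message: one way to pick the probes quoted above out of an Apache access log, undoing the double percent-encoding (`%255c` -> `%5c` -> `\`) before matching. The log lines and IP addresses are constructed, and the function names are illustrative.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Client IP and request path from an Apache common/combined log line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*"')
WORM_TARGETS = ("winnt/system32/cmd.exe", "scripts/root.exe")  # from the quoted probes

# Constructed sample log: paths are from the message, IPs are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Jun/2002:19:01:02 -0400] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe HTTP/1.0" 404 287',
    '192.0.2.10 - - [27/Jun/2002:19:01:03 -0400] "GET /scripts/.%252e/.%252e/winnt/system32/cmd.exe HTTP/1.0" 404 287',
    '192.0.2.10 - - [27/Jun/2002:19:01:04 -0400] "GET /scripts/root.exe HTTP/1.0" 404 275',
    '198.51.100.7 - - [27/Jun/2002:19:05:40 -0400] "POST /cgi-bin/formmail.pl HTTP/1.0" 404 279',
    '203.0.113.5 - - [27/Jun/2002:19:06:11 -0400] "GET /index.html HTTP/1.0" 200 1043',
]

def normalize(path, max_rounds=5):
    # Drop the query string, percent-decode until stable, unify separators.
    path = path.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()

def classify(path):
    """Label a request path as one of the scan types discussed, or None."""
    norm = normalize(path)
    if any(target in norm for target in WORM_TARGETS):
        return "iis-worm-probe"
    if norm.endswith("/formmail.pl"):
        return "formmail-scan"
    if ".." in norm.split("/"):  # traversal only visible after decoding
        return "traversal"
    return None

def summarize(lines):
    """Count labelled probes per source IP; unparseable lines are skipped."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        label = classify(m.group("path")) if m else None
        if label:
            hits.setdefault(m.group("ip"), Counter())[label] += 1
    return hits
```

On an Apache host these requests only produce 404s, so the counts are useful mainly for seeing which sources are scanning and how often.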