[geeks] daily dose of humor

John Duksta geeks at sunhelp.org
Mon Mar 26 08:49:18 CST 2001


Jon,

Yeah, I've seen this kind of exploit attempt in my logs too...

If I were writing an exploit for these IIS vulns I'd
be sure to add an 'if (HEAD / ~=/Microsoft-IIS/)' clause to it
so as to avoid detection of this sort. :)

Script kiddies... ugh.

-john

At 07:54 AM 3/26/2001 -0500, you wrote:
>Check this out:
>
>178-209.235.22.dellhost.com - - [26/Mar/2001:06:54:28 -0500] "GET 
>/msadc/..%fc%80%80%80%80%af../..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir 
>HTTP/1.0" 404 355 "-" "Unknown"
>178-209.235.22.dellhost.com - - [26/Mar/2001:06:54:28 -0500] "GET 
>/_vti_bin/..%fc%80%80%80%80%af../..%fc%80%80%80%80%af../..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir 
>HTTP/1.0" 404 369 "-" "Unknown"
>
>Not all of you may understand what that is...
>
>Those are my weblogs from this morning. Too bad I run
>Apache on Solaris. The remote user is attempting to
>break into my website using Windows security problems.
>
>Notice where it's coming from-- dellhost.com, Dell's
>ASP/hosting service. I dropped them a friendly note
>via their web/support gateway. Chances are some kiddie
>broke into their site using those exploits and is
>trying to take over the Internet at large.
>
>I'll keep ya posted.
>
>-Jon

--
John C.C. Duksta, CISSP                      <jduksta at genuity.com>
PGP Fingerprint: 2037 FB34 8D4A 22D7 3EB3 EEF9 3ABA 997E F964 0EAF
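
The requests in the quoted log hide each path separator as `%fc%80%80%80%80%af`, a six-byte overlong UTF-8 encoding of `/`. The Python below is an added example, not part of either post: it folds such sequences back to the character they encode and flags access-log lines whose decoded path contains `..` segments. The names `normalize` and `inspect_line` and the second sample line are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# (lead mask, lead bits, payload mask, length, smallest code point legal at that length)
UTF8_FORMS = [(0xE0, 0xC0, 0x1F, 2, 0x80), (0xF0, 0xE0, 0x0F, 3, 0x800),
              (0xF8, 0xF0, 0x07, 4, 0x10000), (0xFC, 0xF8, 0x03, 5, 0x200000),
              (0xFE, 0xFC, 0x01, 6, 0x4000000)]  # 5/6-byte forms are obsolete
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# First entry: a log line from the post with its mail line-wraps re-joined.
# Second entry: a constructed benign request containing ordinary UTF-8.
SAMPLE = [
    '178-209.235.22.dellhost.com - - [26/Mar/2001:06:54:28 -0500] "GET /msadc/..%fc%80%80%80%80%af../..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 355 "-" "Unknown"',
    '192.0.2.10 - - [26/Mar/2001:07:01:02 -0500] "GET /docs/caf%c3%a9.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
]

def normalize(raw):
    """Percent-decode raw and decode UTF-8 leniently; return (text, overlong_count)."""
    data = unquote_to_bytes(raw)
    out, hits, i = [], 0, 0
    while i < len(data):
        b = data[i]
        for lead_mask, lead_bits, payload, length, minimum in UTF8_FORMS:
            seq = data[i:i + length]
            if (b & lead_mask) == lead_bits and len(seq) == length \
                    and all((c & 0xC0) == 0x80 for c in seq[1:]):
                cp = b & payload
                for c in seq[1:]:
                    cp = (cp << 6) | (c & 0x3F)
                if cp < minimum:          # shorter encoding exists: overlong
                    hits += 1
                out.append(chr(cp) if cp < 0x110000 else "\ufffd")
                i += length
                break
        else:                             # not a well-formed multi-byte sequence
            out.append(chr(b))
            i += 1
    return "".join(out), hits

def inspect_line(line):
    """Parse one access-log line; report overlong sequences and '..' path segments."""
    m = LOG_RE.match(line)
    if not m:
        return None
    text, overlong = normalize(m["target"].split("?", 1)[0])
    traversal = ".." in text.replace("\\", "/").split("/")
    return {"host": m["host"], "status": int(m["status"]), "path": text,
            "overlong": overlong, "traversal": traversal}

if __name__ == "__main__":
    for line in SAMPLE:
        print(inspect_line(line))
```
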



