httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrew Kenna" <andr...@stamina.com.au>
Subject RE: [users@httpd] Hacker?
Date Wed, 04 Dec 2002 23:10:25 GMT
What would be ideal is for each attack, the system that its scanning
sends back a buffer overrun and crashes the system that's trying to scan
it...

That would be an easy way for NT/2000 Admin's to realise they are
running an unpatched system

Andrew


-----Original Message-----
From: stephane [mailto:stephane@parenton.com] 
Sent: Thursday, 5 December 2002 1:16 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Hacker?


---- Original Message -----
From: "H. Carter Harris" <carter-lists@technettn.net>
To: <users@httpd.apache.org>
Sent: Thursday, December 05, 2002 3:11 AM
Subject: [users@httpd] Hacker?


> I have a test apache system where I am trying to learn how to use it.

> I
got
> the access_log file working and I noticed the following entries in the
log:
>
> 66.137.7.57 - - [02/Dec/2002:19:49:26 -0500] "GET 
> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 - 
> 61.56.232.58 - - [02/Dec/2002:19:49:53 -0500] "HEAD / HTTP/1.0" 404 0 
> 208.47.206.2 - - [02/Dec/2002:22:01:40 -0500] "GET
>
/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\winnt\system32\
cmd.
> exe+c:\inetpub\scripts\script.exe HTTP/1.1" 404 246
> 207.198.31.238 - - [03/Dec/2002:00:15:16 -0500] "GET
>
/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\winnt\system32\
cmd.
> exe+c:\inetpub\scripts\script.exe HTTP/1.1" 404 246
> 195.92.95.61 - - [03/Dec/2002:05:16:21 -0500] "HEAD 
> /cobalt-images/welcome2.gif HTTP/1.0" 404 0 202.62.83.82 - - 
> [03/Dec/2002:10:25:49 -0500] "HEAD / HTTP/1.0" 404 0 6
>
> This installation is on a Mandrake Linux box, not NT.  Is someone 
> trying
to
> hack into the system?

this is a common try, I guess, of someone that does not know what he
aims at.... he tries to reach the cmd.exe (the windows shell) regardless
of what platform he attacks... once in a while, he could ge a windows
box....

You can say it's an attack.... I don't know if there is a trap to these
attemps (sort of cmd.exe shell script that could trace the guy...)

Stephane



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project. See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message