From: "Andrew Kenna"
To: users@httpd.apache.org
Date: Thu, 5 Dec 2002 10:10:25 +1100
Message-ID: <5FCE856B804270449E97E3C7744D5D2D0329A5@exchangeserver.internal.stamina.com.au>
Subject: RE: [users@httpd] Hacker?

What would be ideal is for each attack, the system that it's scanning sends back a buffer overrun and crashes the system that's trying to scan it... That would be an easy way for NT/2000 Admins to realise they are running an unpatched system

Andrew

-----Original Message-----
From: stephane [mailto:stephane@parenton.com]
Sent: Thursday, 5 December 2002 1:16 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Hacker?

---- Original Message -----
From: "H. Carter Harris"
To: users@httpd.apache.org
Sent: Thursday, December 05, 2002 3:11 AM
Subject: [users@httpd] Hacker?

> I have a test apache system where I am trying to learn how to use it. I got
> the access_log file working and I noticed the following entries in the log:
>
> 66.137.7.57 - - [02/Dec/2002:19:49:26 -0500] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -
> 61.56.232.58 - - [02/Dec/2002:19:49:53 -0500] "HEAD / HTTP/1.0" 404 0
> 208.47.206.2 - - [02/Dec/2002:22:01:40 -0500] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\script.exe HTTP/1.1" 404 246
> 207.198.31.238 - - [03/Dec/2002:00:15:16 -0500] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\script.exe HTTP/1.1" 404 246
> 195.92.95.61 - - [03/Dec/2002:05:16:21 -0500] "HEAD /cobalt-images/welcome2.gif HTTP/1.0" 404 0
> 202.62.83.82 - - [03/Dec/2002:10:25:49 -0500] "HEAD / HTTP/1.0" 404 0
>
> This installation is on a Mandrake Linux box, not NT. Is someone trying to
> hack into the system?

This is a common try, I guess, of someone that does not know what he aims at.... he tries to reach the cmd.exe (the windows shell) regardless of what platform he attacks... once in a while, he could get a windows box.... You can say it's an attack.... I don't know if there is a trap to these attempts (sort of cmd.exe shell script that could trace the guy...)

Stephane

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
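Stephane's reading of the log (cmd.exe probes aimed at any host, Windows or not) can be turned into a small access_log check. The script below is an added example and is not code from anyone in this thread or from the Apache project. It parses the Common Log Format lines quoted in the original question, percent-decodes each request until it stops changing (which is what turns `%255c` into `%5c` and then into a backslash), and reports which requests carry the traversal and cmd.exe indicators Stephane describes. The regex, the indicator names and the `served` flag are my own constructions, and the sample log is the one quoted in the question.

```python
"""Flag Code Red / Nimda-style cmd.exe probes in Apache access_log lines.

Added example for the thread above; not part of the original post or of
Apache httpd. Indicator names and helper functions are this example's own.
"""
import re
from urllib.parse import unquote

# Common Log Format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# The entries quoted in the original question (a Linux/Apache host, hence all 404).
SAMPLE_LOG = r"""
66.137.7.57 - - [02/Dec/2002:19:49:26 -0500] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -
61.56.232.58 - - [02/Dec/2002:19:49:53 -0500] "HEAD / HTTP/1.0" 404 0
208.47.206.2 - - [02/Dec/2002:22:01:40 -0500] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\script.exe HTTP/1.1" 404 246
207.198.31.238 - - [03/Dec/2002:00:15:16 -0500] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\script.exe HTTP/1.1" 404 246
195.92.95.61 - - [03/Dec/2002:05:16:21 -0500] "HEAD /cobalt-images/welcome2.gif HTTP/1.0" 404 0
202.62.83.82 - - [03/Dec/2002:10:25:49 -0500] "HEAD / HTTP/1.0" 404 0
"""


def decode_fully(text, max_rounds=5):
    """Percent-decode until nothing changes: %255c -> %5c -> '\\'.
    The round cap keeps a pathological input from looping forever."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def classify_request(request):
    """Return the indicators found in one request line; [] means nothing suspicious."""
    parts = request.split(" ")
    raw_target = parts[1] if len(parts) > 1 else parts[0]
    raw_path, _, raw_query = raw_target.partition("?")
    once = unquote(raw_path)
    fully = decode_fully(raw_path)
    # Normalise backslashes to slashes and case so Windows-style paths compare cleanly.
    path = fully.replace("\\", "/").lower()
    query = decode_fully(raw_query).replace("\\", "/").lower()

    indicators = []
    if fully != once:
        indicators.append("double-encoding")         # a second decode round changed the path
    if "/../" in path:
        indicators.append("directory-traversal")     # climbing out of /scripts/
    if "cmd.exe" in path:
        indicators.append("cmd.exe")                 # the IIS shell Stephane refers to
    if query.startswith("/c"):
        indicators.append("shell-command-in-query")  # cmd.exe /c <command>
    return indicators


def scan_log(text):
    """Parse CLF lines and return one finding per request that carries indicators."""
    findings = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # in production, count unparseable lines instead of dropping them silently
        indicators = classify_request(m["request"])
        if indicators:
            findings.append({
                "host": m["host"],
                "status": int(m["status"]),
                "indicators": indicators,
                # A 404 means the probe found nothing to hit; a 2xx on such a
                # request would be the line worth investigating immediately.
                "served": m["status"].startswith("2"),
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run against the quoted log, the three GET requests are flagged with all four indicators and `served` false, while the plain `HEAD` probes produce no indicators; the answer to the original question is therefore "yes, it is an attack pattern, and no, it did not succeed here". The same decode-until-stable step is what a filter needs before matching on `..` or `cmd.exe`, since a single `unquote` pass still sees `%5c` rather than the backslash.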