[techtalk] scan or attempted break?

Raven, corporate courtesan damask0 at yahoo.com
Fri May 25 09:59:53 EST 2001


Heya --

> I was wondering if this is an attempt at break in or just a scan? 
> This person has run this on two separate occasions.  Looks like they
> are trying to do something to an NT server.  Doesn't do them much
good
> on a Linux box;)
> 
> oz:/var/log# grep /scripts/ httpd/*
> httpd/access_log:128.242.217.204 - - [23/May/2001:22:46:40 -0400]
> "GET
/scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
HTTP/1.0" 404 328

     It is an attempt at a break-in; that's the footprint from one of
the IIS vulnerabilities.  Obviously this is a script kiddie and not a
skilled hacker/cracker/insert preferred terminology here -- any
non-script kiddie would have tried to footprint the box first to
determine its OS.

     You can get more info about this hole in IIS at
http://www.securiteam.com/exploits/Additional_details_about_the_IIS_remote_execution_vulnerability.html
if you are interested.

Cheers,
Raven

=====
"Passion, hunger, will, and ice cream create their own world
 in which the word 'after' simply doesn't make any sense.
 Ice cream is now."
 -- Starhawk, "The Twelve Wild Swans"

__________________________________________________
Do You Yahoo!?
Yahoo! Auctions - buy the things you want at great prices
http://auctions.yahoo.com/




More information about the Techtalk mailing list