Date: Sat, 7 Apr 2001 11:14:04 -0400 (EDT)
From: Jim Weeks <jim@siteplus.net>
To: Kal Torak <kaltorak@quake.com.au>
Cc: Walter Hop <walter@binity.com>, freebsd-isp@FreeBSD.ORG
Subject: Re: Look familiar?
Message-ID: <Pine.BSF.4.21.0104071053070.5476-100000@veager.siteplus.net>
In-Reply-To: <3ACF2531.49B7CC17@quake.com.au>
Thanks for the quick response.

I am not familiar with ISS, so I wasn't sure if this was a known attack ploy. I have had a few other file not found errors that look suspicious as well as this sendmail error.

Apr 4 00:19:57 aurora sendmail[8764]: AAA08756: Truncated MIME Content-Disposition header due to field size (possible attack)

--
Jim Weeks

On Sun, 8 Apr 2001, Kal Torak wrote:

> Jim Weeks wrote:
> >
> > While checking one of my apache error logs this morning, I find a long
> > list of the following error.
> > I was wondering if it makes sense to anyone? I am especially curious
> > about characters "=C0=AF".
> >
> > [Sat Apr 7 05:55:02 2001] [error] [client 207.31.75.150] File does not
> > exist:
> > /usr/local/www/data/scripts/..=C0=AF..=C0=AF..=C0=AF..=C0=AF..=C0=AF..=C0=AF..=C0=AF..=C0=AF/winnt/system32/cmd.exe
> >
> > [Sat Apr 7 05:55:02 2001] [error] [client 207.31.75.150] File does not
> > exist:
> > /usr/local/www/data/scripts/..=C0=AF..=C0=AF..=C0=AF..=C0=AF..=C0=AF..=C0=AF..=C0=AF..=C0=AF/winnt/system32/cmd.exe
>
>
> Looks like some sort of buffer overflow attack, and they are then trying
> to spawn the cmd shell (if you can even call it a shell)...
>
> Since your unix system is not windows, even if the buffer overflow worked
> they sure wouldn't be able to run cmd.exe :P
> Obviously this is one of the great new holes in NT + ISS that are found
> every second day...
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message
>
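Added example, not code from the thread: a small Python scanner for Apache error-log lines like the ones Jim quoted. It assumes the log file holds the raw bytes 0xC0 0xAF that the mail shows quoted-printable as "=C0=AF", decodes each such overlong two-byte UTF-8 pair to the ASCII character it stands for (C0 AF is an overlong encoding of "/"), and reports the client, the number of overlong pairs, the number of "../" steps and the path the request actually resolves to; the sample log lines are constructed.

```python
import posixpath
import re

# Constructed sample modelled on the lines quoted in the thread. The "=C0=AF" in
# the mail is quoted-printable for the raw bytes 0xC0 0xAF, so the log file itself
# holds those bytes; lines stay as bytes because they are not valid UTF-8.
SAMPLE_LOG = (
    b"[Sat Apr  7 05:55:02 2001] [error] [client 207.31.75.150] File does not exist: "
    + b"/usr/local/www/data/scripts/" + b"..\xc0\xaf" * 8 + b"/winnt/system32/cmd.exe\n"
    + b"[Sat Apr  7 05:56:10 2001] [error] [client 192.0.2.7] File does not exist: "
    + b"/usr/local/www/data/favicon.ico\n"
)

# A two-byte UTF-8 sequence led by 0xC0 or 0xC1 can only encode a value below 0x80,
# which UTF-8 requires to be a single byte, so this "overlong" form is never legitimate.
OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]")
LINE = re.compile(rb"\[client ([^\]]+)\] File does not exist: (.*)$")

def decode_overlong(path: bytes) -> tuple:
    """Replace each overlong pair with the ASCII byte it encodes (C0 AF -> '/')
    and return (decoded path, number of overlong pairs found)."""
    count = 0

    def repl(m):
        nonlocal count
        count += 1
        b0, b1 = m.group(0)  # lead byte, continuation byte
        return bytes([((b0 & 0x1F) << 6) | (b1 & 0x3F)])

    return OVERLONG.sub(repl, path).decode("latin-1"), count

def scan_error_log(data: bytes) -> list:
    """Flag error-log lines whose requested path used overlong encoding or
    parent-directory traversal, and show where the path actually resolves."""
    findings = []
    for line in data.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        decoded, overlong = decode_overlong(m.group(2))
        traversals = decoded.count("../")
        if overlong or traversals:
            findings.append({"client": m.group(1).decode("ascii", "replace"),
                             "overlong": overlong, "traversals": traversals,
                             "resolved": posixpath.normpath(decoded)})
    return findings

if __name__ == "__main__":
    print(scan_error_log(SAMPLE_LOG))
```

The second sample line (a plain missing favicon) is not reported, so the same scan can run over a whole error log and only surface the traversal attempts.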