A new way to look for exploits

John E. Tysko tysko at boss.cs.ohiou.edu
Thu Mar 14 15:30:08 GMT 2002


 Recently, I noticed several of our machines being scanned by
alexa.com, presumably for the web archive services provided by
archive.org. Several requests for interesting web pages came
to my attention, and one of the latest from yesterday looked 
like this; 2 connetions, the first, a polite:

   GET /robots.txt HTTP/1.0
   Connection: close
   Host: 132.235.16.144
   User-Agent: ia_archiver
   From: crawler at alexa.com

and the second, an interesting:

   GET /cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe HTTP/1.0
   Connection: close
   Host: 132.235.x.x
   User-Agent: ia_archiver
   From: crawler at alexa.com


It would seems there is a new way to probe for security holes
without giving away your ip.

Is this unique to our machines, or has anyone else seen this?

John

  John Tysko                                      
  Systems Administrator                           
  Electrical Engineering and Computer Science     
  Ohio University, Athens Oh 45701                




More information about the unisog mailing list