Odd Apache Log Entry... Code red?
mrkshrt at transparentsolutions.com
Thu Aug 9 21:04:24 CDT 2001
It was sadmind.
I am sorry to say I got it on a test machine I wasn't paying attention to.
As they go, it is pretty innocuous.
http://www.cert.org/advisories/CA-2001-11.html
-----Original Message-----
From: Mike Coleman [mailto:mkc at mathdogs.com]
Sent: Thursday, August 09, 2001 2:07 PM
To: Steven L. Brendtro
Cc: kclug at kclug.org
Subject: Re: Odd Apache Log Entry... Code red?
"Steven L. Brendtro" <sbrendtro at home.com> writes:
> Now how about this one... there are several log entries that start with:
> "GET /scripts/..%c1%9c../winnt/system32/cmd.exe... - 404"
> followed by several hundred lines of binary looking garbage:
> ";øv?FÈ<NÈ+Á?E"
Interesting. I found several requests like this, the oldest back on May
31st. (!) So apparently this exploit has been around a while.
I wonder if these requests are being generated by a worm, or manually by
some script kiddie.
--Mike
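
An added example (not part of the original thread): a small Python scan for requests like the one quoted above. `%c1%9c` is an overlong two-byte UTF-8 form that decodes to a backslash, so the request is a `..\..` directory traversal; the log lines, addresses and function names below are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Request and status fields of an Apache common-log line.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample lines (documentation addresses), not taken from the thread.
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Aug/2001:14:01:07 -0500] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.77 - - [09/Aug/2001:14:02:31 -0500] '
    '"GET /scripts/..%c1%9c../winnt/system32/cmd.exe HTTP/1.0" 404 276',
    '192.0.2.10 - - [09/Aug/2001:14:03:12 -0500] "GET /caf%c3%a9.html HTTP/1.0" 200 512',
]

def fold_overlong(raw: bytes) -> str:
    """Map bytes to text, folding 2-byte overlong forms (lead 0xC0/0xC1) to ASCII."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw):
            # Same arithmetic a lenient decoder applies: 5 bits + 6 bits.
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)

def scan(lines):
    """Return (decoded_path, status) for requests hiding a traversal in overlong UTF-8."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        raw = unquote_to_bytes(m["target"])
        # 0xC0/0xC1 never appear in valid UTF-8, so their presence is itself a signal.
        overlong = any(b in (0xC0, 0xC1) for b in raw)
        path = fold_overlong(raw).replace("\\", "/").lower()
        if overlong and "../" in path:
            hits.append((path, int(m["status"])))
    return hits

if __name__ == "__main__":
    for path, status in scan(SAMPLE_LOG):
        print(status, path)
```

A 404 status on a hit, as in the log entry quoted in the thread, means the probed path did not exist on that server.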