* himbA; on 23 May, 2003 wrote:

/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 281

207.33.111.37 - - [14/May/2003:14:03:55 +0200] "HEAD /cgi-bin/ws_ftp.ini HTTP/1.0" 404 0 207.33.111.37 - - [14/May/2003:14:03:56 +0200] "HEAD /WS_FTP.ini HTTP/1.0" 404 0 207.33.111.37 - - [14/May/2003:14:03:56 +0200] "HEAD /cgi-bin/WS_FTP.ini HTTP/1.0" 404 0 207.33.111.37 - - [14/May/2003:14:03:57 +0200] "HEAD /cgi-bin/ax-admin.cgi HTTP/1.0" 404 0 207.33.111.37 - - [14/May/2003:14:03:57 +0200] "HEAD /cgi-bin/axs.cgi HTTP/1.0" 404 0 2

Are these possible intruder attacks ? They are most probably some script kiddie playing around looking for any vulnerabilities they may have find. The reality is when you have a webserver publicly available then these logs will come someday

have a look at http://susefaq.sourceforge.net/apachequestions.html If you have real concern then consider placing your server in a DMZ and run it chrooted ( not that it gives 100 % guarantee yet makes you feel safer ) -- Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx

On Friday 23 May 2003 00:03, himbA wrote:

-- 193.220.30.35 - - [22/May/2003:14:13:16 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3 %u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 281

It's an "old" exploit against Microsoft IIS servers, as far as I know. Googling gives gives many references. Here are a couple : http://www.birdhouse.org/blog/archives/000114.php http://www.apacheweek.com/features/codered Before we gloat too much there are more recent exploits targeting SSL. One of the exploits tools actually contains a Linux virus, which I'm sure the script kiddies will appreciate the irony of:-) And as far as I can read, Windows are immune to this exploit (or at least not tested be the exploit tools). In the logs you'll see something like "GET /sumthin HTTP/1.0" 404 201 The exploit uses this (by parsing the error page returned) to check which version of Apache is run on the server and thus might be vunerable to the SSL exploit, assuming you got https running. Check out the two references in : http://archives.neohapsis.com/archives/incidents/2003-04/0052.html Cheers, Sigfred.