[thelist] domain under attack??

Ben Dyer ben_dyer at imaginuity.com
Tue Dec 18 15:10:51 CST 2001


It's known as the Unicode Vulnerability.  It only affects IIS servers, and 
only those that aren't patched up, so you're fine.

http://www.sans.org/infosecFAQ/threats/unicode.htm

--Ben

On 08:07 AM 12/18/2001, Fortune Elkins said to me:
>one of the little domains for which i'm the webmaster appears to be under
>attack. i'm not sure what to do.
>
>the host is all apache. when i look at the list of documents not found in my
>server log reports, i see a huge list of files the hackers are after, which
>luckily don't exist, because it's not a windows server and i don't use front
>page:
>
>  /scripts/..%5c../winnt/system32/cmd.exe [Referrers]  993
>  /scripts/root.exe [Referrers]  981
>  /MSADC/root.exe [Referrers]  972
>  /c/winnt/system32/cmd.exe [Referrers]  966
>  /d/winnt/system32/cmd.exe [Referrers]  959
>  /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe [Referrers]  954
>  /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe [Referrers]  952
>  /msadc/..%5c../..%5c../..%5c/..Á ../..Á ../..Á ../winnt/system32/cmd.exe
>[Referrers]  951
>  /scripts/..Á ../winnt/system32/cmd.exe [Referrers]  948
>
>the numbers after the names are the times they have tried to access the
>files. from looking at my logs, it seems right now that about 50% of the
>site's accesses are these kinds of probes.
>
>what should i do, if anything, besides contact my hosting service?
>
>any hints, tips, and advice, deeply appreciated!

-----------------------------------------------------------------
Ben Dyer, Senior Internet Developer, Imaginuity Interactive
http://www.imaginuity.com/
-----------------------------------------------------------------
| http://members.evolt.org/OKolzig37/  |  http://www.evolt.org/ |
-----------------------------------------------------------------
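
Added example, not part of the original thread: a small Python check that counts the IIS probes quoted above in an Apache access log, reports their share of traffic and their sources, and lists any probe that did not get an error status. The log lines are constructed (common log format, documentation address ranges), and the names `classify` and `summarize` are assumptions of this example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines; the probe paths are the ones listed in the message above.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Dec/2001:08:01:02 -0600] "GET /scripts/..%5c../winnt/system32/cmd.exe HTTP/1.0" 404 285
192.0.2.10 - - [18/Dec/2001:08:01:03 -0600] "GET /scripts/root.exe HTTP/1.0" 404 275
198.51.100.7 - - [18/Dec/2001:08:01:09 -0600] "GET /index.html HTTP/1.1" 200 5120
192.0.2.10 - - [18/Dec/2001:08:01:04 -0600] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe HTTP/1.0" 404 299
203.0.113.4 - - [18/Dec/2001:08:02:00 -0600] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 280
198.51.100.7 - - [18/Dec/2001:08:02:10 -0600] "GET /images/logo.gif HTTP/1.1" 200 2048
198.51.100.9 - - [18/Dec/2001:08:03:00 -0600] "GET /about.html HTTP/1.1" 200 3100
198.51.100.9 - - [18/Dec/2001:08:03:05 -0600] "GET /style.css HTTP/1.1" 200 900
"""

# host, request path and status from a common-log-format line
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')

def classify(path):
    """Label a path that matches one of the IIS probes quoted above, else None."""
    # Decode %5c, treat backslash as slash, ignore case and any query string.
    p = unquote(path.split("?", 1)[0]).replace("\\", "/").lower()
    if p.endswith("/winnt/system32/cmd.exe"):
        return "cmd.exe"
    if p.endswith("/root.exe"):
        return "root.exe"
    return None

def summarize(log_text):
    total, probes, sources, served = 0, Counter(), Counter(), []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        host, path, status = m.group(1), m.group(2), int(m.group(3))
        total += 1
        label = classify(path)
        if label is None:
            continue
        probes[label] += 1
        sources[host] += 1
        if status < 400:  # a probe that was answered without an error needs review
            served.append(path)
    share = sum(probes.values()) / total if total else 0.0
    return {"total": total, "probes": dict(probes), "share": share,
            "sources": dict(sources), "served": served}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

An empty `served` list is the result consistent with the reply above: every probe was refused, so the requests are noise on this host.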





