[thelist] domain under attack??
Ben Dyer
ben_dyer at imaginuity.com
Tue Dec 18 15:10:51 CST 2001
It's known as the Unicode Vulnerability. It only affects IIS servers, and
only those that aren't patched up, so you're fine.
http://www.sans.org/infosecFAQ/threats/unicode.htm
--Ben
On 08:07 AM 12/18/2001, Fortune Elkins said to me:
>one of the little domains for which i'm the webmaster appears to be under
>attack. i'm not sure what to do.
>
>the host is all apache. when i look at the list of documents not found in my
>server log reports, i see a huge list of files the hackers are after, which
>luckily don't exist, because it's not a windows server and i don't use front
>page:
>
> /scripts/..%5c../winnt/system32/cmd.exe [Referrers] 993
> /scripts/root.exe [Referrers] 981
> /MSADC/root.exe [Referrers] 972
> /c/winnt/system32/cmd.exe [Referrers] 966
> /d/winnt/system32/cmd.exe [Referrers] 959
> /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe [Referrers] 954
> /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe [Referrers] 952
> /msadc/..%5c../..%5c../..%5c/..Á ../..Á ../..Á ../winnt/system32/cmd.exe [Referrers] 951
> /scripts/..Á ../winnt/system32/cmd.exe [Referrers] 948
>
>the numbers after the names are the times they have tried to access the
>files. from looking at my logs, it seems right now that about 50% of the
>site's accesses are these kinds of probes.
>
>what should i do, if anything, besides contact my hosting service?
>
>any hints, tips, and advice, deeply appreciated!
-----------------------------------------------------------------
Ben Dyer, Senior Internet Developer, Imaginuity Interactive
http://www.imaginuity.com/
-----------------------------------------------------------------
| http://members.evolt.org/OKolzig37/ | http://www.evolt.org/ |
-----------------------------------------------------------------
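To confirm from the raw access log what the report in this thread suggests (the IIS-targeted requests all fail on an Apache host), the following added example, which is not part of the original thread, tallies such requests and lists any that did not return 404. It assumes Apache common/combined log format; the function names are hypothetical and the sample log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache common/combined log line: host ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)[^"]*" (\d{3}) ')
# The two executables named in the probe list quoted in the thread
PROBE_RE = re.compile(r'/(?:cmd|root)\.exe(?:\?|$)')

def is_iis_probe(path):
    """True if the path targets cmd.exe/root.exe or uses backslash traversal."""
    # Decode %5c to a backslash, then treat backslashes as forward slashes
    norm = unquote(path).lower().replace("\\", "/")
    return bool(PROBE_RE.search(norm)) or "/../" in norm

def summarize(lines):
    """Tally probe requests and collect any that did NOT get a 404."""
    total, by_path, by_host, not_404 = 0, Counter(), Counter(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        total += 1
        host, path, status = m.group(1), m.group(2), int(m.group(3))
        if is_iis_probe(path):
            by_path[path] += 1
            by_host[host] += 1
            if status != 404:
                not_404.append((host, path, status))
    probes = sum(by_path.values())
    return {"total": total, "probes": probes, "share": probes / total if total else 0.0,
            "by_path": by_path, "by_host": by_host, "not_404": not_404}

# Constructed sample requests (documentation-range addresses), not from a real log
REQUESTS = [
    ("192.0.2.10", "/scripts/..%5c../winnt/system32/cmd.exe", 404),
    ("192.0.2.10", "/scripts/root.exe", 404),
    ("198.51.100.7", "/MSADC/root.exe", 404),
    ("198.51.100.7", "/c/winnt/system32/cmd.exe", 404),
    ("203.0.113.5", "/index.html", 200),
    ("203.0.113.5", "/about.html", 200),
    ("192.0.2.10", "/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe", 404),
    ("203.0.113.5", "/images/logo.gif", 200),
]
SAMPLE = ['%s - - [18/Dec/2001:08:07:00 -0600] "GET %s HTTP/1.0" %d 287' % r for r in REQUESTS]

if __name__ == "__main__":
    r = summarize(SAMPLE)
    print("probe share: %.1f%%, top sources: %s" % (r["share"] * 100, r["by_host"].most_common(3)))
    print("probes that did not return 404:", r["not_404"] or "none")
```

An empty `not_404` list is the result that matches the reply's conclusion; any entry in it is a request worth looking at individually.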