Complete.Org: Mailing Lists: Archives: discussion: September 2001:
[aclug-L] Re: Hacker or ??

[aclug-L] Re: Hacker or ??

[Top] [All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index] [Thread Index]

To:	discussion@xxxxxxxxx
Subject:	[aclug-L] Re: Hacker or ??
From:	Steven Saner <ssaner@xxxxxxxxxxxxxxx>
Date:	Tue, 18 Sep 2001 13:01:39 -0500
Reply-to:	discussion@xxxxxxxxx

Appears that this is the worm that Glandix reported. I got the
readme.exe email this morning as well. It was made to appear like a
bounce back message from someplace.

Steve


On Tue, Sep 18, 2001 at 12:49:24PM -0500, Joshua S Brown wrote:
> 
> We are having the same problem on all our web servers. Is this a hack or
> something like code red?
> 
> 
> Josh Brown
> 
> On Tue, 18 Sep 2001, Maverick wrote:
> 
> >
> > Hi, all
> >  Recently I check on my apache webserver access.log
> > and find out a lot of entrie like this:
> > 24.254.90.73 - - [18/Sep/2001:10:44:38 -0700] "GET
> > /scripts/..%c0%af../winnt/sys
> > tem32/cmd.exe?/c+dir HTTP/1.0" 404 231
> > 24.254.90.73 - - [18/Sep/2001:10:44:39 -0700] "GET
> > /scripts/..%%35%63../winnt/sy
> > stem32/cmd.exe?/c+dir HTTP/1.0" 400 215
> > 24.254.90.73 - - [18/Sep/2001:10:44:41 -0700] "GET
> > /scripts/..%%35c../winnt/syst
> > em32/cmd.exe?/c+dir HTTP/1.0" 400 215
> > 24.254.90.73 - - [18/Sep/2001:10:44:43 -0700] "GET
> > /scripts/..%c1%9c../winnt/sys
> > tem32/cmd.exe?/c+dir HTTP/1.0" 404 231
> > .....
> >
> > Is that someone try to access my /var/www/scripts/?
> > and my error.log generate something like this..
> > Tue Sep 18 10:52:27 2001] [error] [client
> > 24.234.20.197] File does not exist: /
> > var/www/c/winnt/system32/cmd.exe
> > [Tue Sep 18 10:52:28 2001] [error] [client
> > 24.234.20.197] File does not exist: /
> > var/www/d/winnt/system32/cmd.exe
> > ....
> >
> > anyone have any idea? or did I set something wrong?
> > or really have a hacker knocking on my door?
> >
> > Thanks.
> > Mav
> >
> > __________________________________________________
> > Terrorist Attacks on U.S. - How can you help?
> > Donate cash, emergency relief information
> > http://dailynews.yahoo.com/fc/US/Emergency_Information/
> > -- This is the discussion@xxxxxxxxx list.  To unsubscribe,
> > visit http://tmp2.complete.org/cgi-bin/listargate-aclug.cgi
> >
> 
> 
> -- This is the discussion@xxxxxxxxx list.  To unsubscribe,
> visit http://tmp2.complete.org/cgi-bin/listargate-aclug.cgi
-- This is the discussion@xxxxxxxxx list.  To unsubscribe,
visit http://tmp2.complete.org/cgi-bin/listargate-aclug.cgi

[Prev in Thread]

Current Thread

[Next in Thread]

[aclug-L] Hacker or ??, Maverick, 2001/09/18
- [aclug-L] Re: Hacker or ??, Joshua S Brown, 2001/09/18
  - [aclug-L] Re: Hacker or ??, Steven Saner <=
    - [aclug-L] Re: Hacker or ??, Joshua S Brown, 2001/09/18
    - [aclug-L] Re: Hacker or ??, gLaNDix (Jesse Kaufman), 2001/09/18
    - [aclug-L] Re: Hacker or ??, Joshua S Brown, 2001/09/18
    - [aclug-L] Re: Hacker or ??, gLaNDix (Jesse Kaufman), 2001/09/18
    - [aclug-L] Re: Hacker or ??, Steven Saner, 2001/09/18
    - [aclug-L] Re: Hacker or ??, gLaNDix (Jesse Kaufman), 2001/09/18
    - [aclug-L] Re: Hacker or ??, Maverick, 2001/09/18
    - [aclug-L] Microsoft Worm/Virus (was Re: Hacker or ??), james l, 2001/09/18
    - [aclug-L] Re: Hacker or ??, Steven Saner, 2001/09/18
    - [aclug-L] Re: Hacker or ??, gLaNDix (Jesse Kaufman), 2001/09/18

Prev by Date: [aclug-L] Re: Hacker or ??
Next by Date: [aclug-L] Re: Hacker or ??
Previous by thread: [aclug-L] Re: Hacker or ??
Next by thread: [aclug-L] Re: Hacker or ??
Index(es):
- Date
- Thread