Complete.Org: Mailing Lists: Archives: discussion: September 2001:
[aclug-L] Re: Hacker or ??

To: discussion@xxxxxxxxx
Subject: [aclug-L] Re: Hacker or ??
From: "gLaNDix (Jesse Kaufman)" <glandix@xxxxxxxxxxxxxx>
Date: 18 Sep 2001 13:39:53 -0500
Reply-to: discussion@xxxxxxxxx

oh, and if you were talking about stopping it on an NT/2k/XP server, i
*believe* there were links at the bottom for more information, but i
honestly didn't even read the whole thing...  got past about the 1st
paragraph and tho't "oh sh*t, not another one!"... : ^ )  figured i'd
let anyone i could know about it so at least the people i know could get
started earlier this time (assuming the CR fix doesn't also fix the
mentioned 16 vulnerabilities)... : ^ )

On 18 Sep 2001 13:05:31 -0500, Joshua S Brown wrote:
> 
> Looks like a new worm that tries to attack 16 vulnerabilities in IIS.
> Wonderful for people who run Linux but are still being pounded.
> 
> Josh Brown
> 
> Anyone have any ideas to stop it or just grin and bear it?
> 
> On Tue, 18 Sep 2001, Steven Saner wrote:
> 
> >
> > Appears that this is the worm that Glandix reported. I got the
> > readme.exe email this morning as well. It was made to appear like a
> > bounce back message from someplace.
> >
> > Steve
> >
> >
> > On Tue, Sep 18, 2001 at 12:49:24PM -0500, Joshua S Brown wrote:
> > >
> > > We are having the same problem on all our web servers. Is this a hack or
> > > something like code red?
> > >
> > >
> > > Josh Brown
> > >
> > > On Tue, 18 Sep 2001, Maverick wrote:
> > >
> > > >
> > > > Hi, all
> > > > >  Recently I checked on my apache webserver access.log
> > > > > and found out a lot of entries like this:
> > > > > 24.254.90.73 - - [18/Sep/2001:10:44:38 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
> > > > > 24.254.90.73 - - [18/Sep/2001:10:44:39 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
> > > > > 24.254.90.73 - - [18/Sep/2001:10:44:41 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
> > > > > 24.254.90.73 - - [18/Sep/2001:10:44:43 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
> > > > .....
> > > >
> > > > > Is that someone trying to access my /var/www/scripts/?
> > > > > and my error.log generates something like this:
> > > > > [Tue Sep 18 10:52:27 2001] [error] [client 24.234.20.197] File does not exist: /var/www/c/winnt/system32/cmd.exe
> > > > > [Tue Sep 18 10:52:28 2001] [error] [client 24.234.20.197] File does not exist: /var/www/d/winnt/system32/cmd.exe
> > > > ....
> > > >
> > > > anyone have any idea? or did I set something wrong?
> > > > or really have a hacker knocking on my door?
> > > >
> > > > Thanks.
> > > > Mav
> > > >
> > > > -- This is the discussion@xxxxxxxxx list.  To unsubscribe,
> > > > visit http://tmp2.complete.org/cgi-bin/listargate-aclug.cgi
> > > >
> > >
> > >
> >
> 
> 


-- This is the discussion@xxxxxxxxx list.  To unsubscribe,
visit http://tmp2.complete.org/cgi-bin/listargate-aclug.cgi
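
The access.log entries quoted in this thread hide `/` and `\` behind overlong UTF-8 (`%c0%af`, `%c1%9c`) and double percent-encoding (`%%35%63`, `%%35c`). The following is an added example, not part of any message in the thread, that normalizes Apache access-log paths and counts such probes per client. The function names and the last sample line are constructed for illustration; the first four sample lines are the entries from the post, re-joined.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Apache common log format: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')
# 0xC0/0xC1 lead bytes only occur in overlong (invalid) UTF-8 for ASCII.
OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]")

def normalize(raw_path):
    """Decode until stable; return (lower-cased '/'-separated path, rounds)."""
    data, rounds = raw_path.encode("utf-8"), 0
    while rounds < 5:  # bounded so nested encodings cannot loop forever
        step = OVERLONG.sub(
            lambda m: bytes([((m[0][0] & 0x1F) << 6) | (m[0][1] & 0x3F)]),
            unquote_to_bytes(data))
        if step == data:
            break
        data, rounds = step, rounds + 1
    return data.decode("latin-1").replace("\\", "/").lower(), rounds

def classify(line):
    """Return (client, status, reasons) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _method, url, status = m.groups()
    path, rounds = normalize(url.split("?", 1)[0])
    checks = [("traversal", ".." in path.split("/")),
              ("cmd.exe", path.endswith("/cmd.exe")),
              ("multi-encoded", rounds > 1)]
    return client, int(status), [name for name, hit in checks if hit]

def suspicious_clients(lines):
    """Count flagged requests per client address."""
    hits = Counter()
    for parsed in map(classify, lines):
        if parsed and parsed[2]:
            hits[parsed[0]] += 1
    return hits

SAMPLE = [  # first four: entries from the post, re-joined; last: constructed
    '24.254.90.73 - - [18/Sep/2001:10:44:38 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231',
    '24.254.90.73 - - [18/Sep/2001:10:44:39 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215',
    '24.254.90.73 - - [18/Sep/2001:10:44:41 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215',
    '24.254.90.73 - - [18/Sep/2001:10:44:43 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231',
    '192.0.2.10 - - [18/Sep/2001:10:45:02 -0700] "GET /index.html HTTP/1.0" 200 1043',
]
print(dict(suspicious_clients(SAMPLE)))
```

The 404 and 400 status codes in these lines show the Apache server rejecting the requests; the per-client counts are useful for deciding which sources to rate-limit or report.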

