Heya --
> I was wondering if this is an attempt at break in or just a scan?
> This person has run this on two separate occasions. Looks like they
> are trying to do something to an NT server. Doesn't do them much
good
> on a Linux box;)
>
> oz:/var/log# grep /scripts/ httpd/*
> httpd/access_log:128.242.217.204 - - [23/May/2001:22:46:40 -0400]
> "GET
/scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
HTTP/1.0" 404 328
It is an attempt at a break-in; that's the footprint from one of
the IIS vulnerabilities. Obviously this is a script kiddie and not a
skilled hacker/cracker/insert preferred terminology here -- any
non-script kiddie would have tried to footprint the box first to
determine its OS.
You can get more info about this hole in IIS at
http://www.securiteam.com/exploits/Additional_details_about_the_IIS_remote_execution_vulnerability.html
if you are interested.
Cheers,
Raven
=====
"Passion, hunger, will, and ice cream create their own world
in which the word 'after' simply doesn't make any sense.
Ice cream is now."
-- Starhawk, "The Twelve Wild Swans"
__________________________________________________
Do You Yahoo!?
Yahoo! Auctions - buy the things you want at great prices
http://auctions.yahoo.com/
_______________________________________________
techtalk mailing list
[EMAIL PROTECTED]
http://www.linux.org.uk/mailman/listinfo/techtalk
