On Tue, 7 Aug 2001, Eyes to the Skies. wrote:

> This looks like an attempt to use a CodeRed II infected system to
> perform a denial of service attack. I don't think I need to stress the
> severity of this.
>
> ==> /var/log/apache/access_log <==
> [deleted host] - - [07/Aug/2001:17:19:35 -0400] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+ping.exe+"-v"+igmp+"-t"+"-l"+65000+[deleted
> target ip]+"-n"+7000+"-w"+0" 404 -

Nothing to do with Code Red, or it would be root.exe, or
/c/winnt/system32/cmd.exe. That one is (I believe):

http://www.securityfocus.com/bid/2708

Note that it is only about a month older than the hole Code Red uses, so
the number of hosts that were vulnerable to this hole before Code Red
(which drove everyone to install all the patches, right? Sure.) is
probably just slightly less than the number vulnerable to Code Red.

Ryan

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
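The distinction drawn in the reply above can be applied to an Apache access log mechanically. The following is an added example, not part of the original thread: it labels each request as a Code Red II backdoor probe (root.exe, or cmd.exe under the /c virtual root Ryan names) or as an encoded `..` traversal to cmd.exe like the quoted line. The function names, labels and the first, second and fourth sample lines are constructed for illustration; matching /d as well as /c is an assumption beyond what the post states.

```python
import re
from collections import Counter

# Apache common log format. The request field is matched greedily because
# these probes carry literal double quotes inside the quoted request.
LINE = re.compile(r'^(?P<host>.+?) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<req>.*)" (?P<status>\d{3}) \S+$')
# Paths the reply associates with Code Red II (/d is an added assumption).
BACKDOOR = re.compile(r'/root\.exe$|^/[cd]/winnt/system32/cmd\.exe$')
# ".." joined by percent-encoded bytes, e.g. ..%c1%9c.. as in the quoted log.
TRAVERSAL = re.compile(r'\.\.%[0-9a-f%]+\.\.')

def classify(line):
    """Return (host, label) for one log line, or None if it does not parse."""
    m = LINE.match(line.strip())
    if not m:
        return None
    parts = m.group('req').split(' ', 1)
    target = parts[1] if len(parts) == 2 else ''
    target = re.sub(r' HTTP/\d\.\d$', '', target)   # protocol may be absent
    path = target.split('?', 1)[0].lower()          # ignore the query string
    if BACKDOOR.search(path):
        label = 'codered2-backdoor'
    elif TRAVERSAL.search(path):
        label = 'encoded-traversal'
    else:
        label = 'other'
    return m.group('host'), label

def tally(lines):
    """Count labels over all parseable lines."""
    return Counter(r[1] for r in map(classify, lines) if r)

# Sample input: lines 1, 2 and 4 are constructed; line 3 is the request
# quoted in the post, rejoined onto one line with its redactions kept.
SAMPLE = [
    '192.0.2.10 - - [07/Aug/2001:17:02:11 -0400] '
    '"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -',
    '192.0.2.10 - - [07/Aug/2001:17:02:12 -0400] '
    '"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '[deleted host] - - [07/Aug/2001:17:19:35 -0400] "GET '
    '/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+ping.exe+"-v"+igmp+"-t"'
    '+"-l"+65000+[deleted target ip]+"-n"+7000+"-w"+0" 404 -',
    '203.0.113.5 - - [07/Aug/2001:17:20:01 -0400] '
    '"GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == '__main__':
    for entry in SAMPLE:
        print(classify(entry))
    print(dict(tally(SAMPLE)))
```

The 404 status on every probe here only says this Apache server did not serve the path; it says nothing about whether the sending host is itself compromised.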
This archive was generated by hypermail 2b30 : Wed Aug 08 2001 - 10:46:29 PDT