I have just investigated a server that attacked me. Here is what I found: It appears that the servers are keeping a log of the results. My server logs show that an attempt was made:

    [18/Sep/2001:12:37:43 -0700] "from 207.104.210.242" "GET <clip> HTTP/1.0" 404 56 "- -> /scripts/<clip>/system32/cmd.exe" "User-Agent=-" "port: 80

Since I saw that I was attacked at 12:37, I went to the attacker site and listed the directory and discovered what appears to be a log of all the attempts. As can be seen, the log

    09/18/01 12:37p 0 TFTP9513

has a zero byte length, which seems to indicate that it failed, since I am running Apache. If all those other logs are 57,344 each, then there appear to be many more MS IIS servers out there than I expected, and these logs appear to have information which appears to be success data.

I feel that any server attacking another is fair game to publish data about it.

Bob

http://207.104.25.194/scripts/root.exe?/c+dir%20"c:\InetPub\scripts"

The directory listing is included in the attached ZIP file.

This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 17:14:44 PDT