While going through my logs I happened to notice an AOL address and decided I would check and see whether it was someone on AOL or an AOL server itself. Luckily it was some poor soul using AOL rather than the company actually having a Code Red problem. That aside, I noticed one very curious aspect of the webserver while I was just playing around throwing commands at it. Up till now I have seen problems with Cisco and IIS. I thought I should report this as I have not read anywhere that StarOffice HTTP Server was vulnerable.

log of attack:
---------------
172.177.28.x - - [06/Aug/2001:06:55:57 -0500] "GET
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 404 210 "-" "-"

Nothing unusual there.... Check out the 404 while I was testing for the Trojan aspect of the newer variant:

----------
HTTP Error 404

404 Not found ("/c/winnt/system32/cmd.exe?/c+dir")
--------------------------------------------------------------------------------
Generated by StarOffice HTTP Server 1.0

Anyone else seen any other attacks generating from StarOffice or is this just a freak incident? I haven't reported this to Sun as I'm not 100% it's the StarOffice that attacked me earlier, they could have switched HTTPd's since then. If anyone has StarOffice installed and would check it would clear this up.

Thanks,
Tim
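
A way to pull requests like the one logged above out of an access log and group them by source, as an added example that is not part of the original message. The function names are hypothetical, the sample lines are constructed (documentation-range addresses, abbreviated payload), and the N-versus-X padding distinction between the original worm and the later variant is general background rather than something the post states.

```python
import re
from collections import Counter

# Apache common/combined log prefix: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)
# /default.ida? + long run of one padding letter + at least one %uXXXX word.
IDA_RE = re.compile(
    r'^GET /default\.ida\?(?P<pad>N{32,}|X{32,})(?:%u[0-9a-f]{4})+', re.I
)
# Request for the command shell path quoted in the 404 page above.
CMD_RE = re.compile(r'^GET \S*/winnt/system32/cmd\.exe\?', re.I)


def classify(line):
    """Return a finding dict for a worm-related log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a parseable access-log line
    request = m.group("request")
    finding = {"host": m.group("host"), "status": int(m.group("status"))}
    ida = IDA_RE.match(request)
    if ida:
        pad = ida.group("pad")
        # Assumption: 'N' padding = original worm, 'X' padding = later variant.
        finding.update(kind="codered-" + pad[0].upper(), pad_len=len(pad))
        return finding
    if CMD_RE.match(request):
        finding["kind"] = "cmd-probe"
        return finding
    return None


def summarize(lines):
    """Count findings per (host, kind) so repeat sources stand out."""
    hits = filter(None, map(classify, lines))
    return Counter((h["host"], h["kind"]) for h in hits)


# Constructed sample input; TAIL is an abbreviated form of the logged payload.
TAIL = "%u9090%u6858%ucbd3%u7801%u00=a"
LINE = '%s - - [06/Aug/2001:06:55:57 -0500] "GET %s HTTP/1.0" %d 210 "-" "-"'
SAMPLE = [
    LINE % ("192.0.2.10", "/default.ida?" + "X" * 224 + TAIL, 404),
    LINE % ("198.51.100.7", "/default.ida?" + "N" * 224 + TAIL, 404),
    LINE % ("192.0.2.10", "/c/winnt/system32/cmd.exe?/c+dir", 404),
    LINE % ("203.0.113.5", "/index.html", 200),
]
```

The status code is kept in each finding because a 404 on these requests, as in the log above, means the server did not serve the targeted path, while any other status deserves a closer look.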
This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 16:26:49 PDT