Curious Code Red Behavior with Star Office HTTPd

From: Tim (webmaster@crazy-horse.net)
Date: Mon Aug 06 2001 - 14:06:19 PDT


    While going through my logs I happened to notice an AOL address and decided
    I would check and see whether it was someone on AOL or an AOL server itself.
    Luckily it was some poor soul using AOL rather than the company actually
    having a Code Red problem. That aside I noticed one very curious aspect of
    the webserver while I was just playing around throwing commands at it. Up
    till now I have seen problems with Cisco, and IIS. I thought I should report
    this as I have not read anywhere that StarOffice HTTP Server was vulnerable.
    
    log of attack:
    ---------------
    172.177.28.x - - [06/Aug/2001:06:55:57 -0500] "GET
    /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
    u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
    HTTP/1.0" 404 210 "-" "-"
    
    Nothing unusual there....
    Check out the 404 while I was testing for the Trojan aspect of the newer
    variant:
    ----------
    HTTP Error 404
    404 Not found ("/c/winnt/system32/cmd.exe?/c+dir")
    
    
    --------------------------------------------------------------------------------
    
    Generated by StarOffice HTTP Server 1.0
    
    
    Anyone else seen any other attacks generating from StarOffice or is this
    just a freak incident? I haven't reported this to Sun as I'm not 100% sure it's
    the StarOffice that attacked me earlier; they could have switched HTTPds
    since then. If anyone has StarOffice installed and would check it would
    clear this up.
    
    Thanks,
    Tim
    
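The two requests quoted in the post (the `/default.ida?XXX...%u9090...` overflow attempt and the `/c/winnt/system32/cmd.exe?/c+dir` probe) are easy to pick out of an NCSA/combined-format access log. The following is an added example, not code from the post or from any StarOffice component: it parses combined-format lines, tags requests matching either pattern, and counts hits per source host. The sample log lines are constructed (the long X run is shortened, the second timestamp is invented), the combined log format is assumed from the shape of the quoted entry, and the label names and the `/c/` or `/d/` virtual-root check in the second signature are this example's own choices.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in NCSA combined log format. The first two are
# modelled on the requests quoted in the post (long X run shortened, second
# timestamp invented); the third is an ordinary request that must not fire.
SAMPLE_LOG: List[str] = [
    '172.177.28.x - - [06/Aug/2001:06:55:57 -0500] "GET /default.ida?'
    + "X" * 40
    + "%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00"
    + '%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 210 "-" "-"',
    '172.177.28.x - - [06/Aug/2001:06:56:02 -0500] '
    '"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210 "-" "-"',
    '10.0.0.5 - - [06/Aug/2001:07:00:00 -0500] '
    '"GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0"',
]

# Request-line parser for the combined format; the request path cannot
# contain a space, so \S+ is enough to isolate it from the protocol token.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Signatures, checked in order. Label names are this example's own.
SIGNATURES: List[Tuple[str, "re.Pattern[str]"]] = [
    # .ida overflow: /default.ida? followed by filler Xs and a run of
    # %uXXXX-encoded values, as in the post's first log entry.
    ("code-red-ida-overflow",
     re.compile(r"^/default\.ida\?X+.*?(?:%u[0-9a-fA-F]{4}){3,}", re.I)),
    # cmd.exe reached through a drive-letter virtual root (the "Trojan"
    # check the post describes); assumption: /c/ and /d/ roots only.
    ("cmd-exe-probe",
     re.compile(r"^/[cd]/winnt/system32/cmd\.exe", re.I)),
]


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return host/time/status/label for a flagged request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    for label, pattern in SIGNATURES:
        if pattern.search(path):
            return {"host": m.group("host"), "time": m.group("time"),
                    "status": m.group("status"), "label": label}
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify over a log and keep only the flagged entries."""
    return [hit for hit in (classify(line) for line in lines) if hit]


def hosts_by_hits(lines: List[str]) -> Dict[str, int]:
    """Count flagged requests per source host for scanner triage."""
    return dict(Counter(hit["host"] for hit in scan(lines)))


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        # A 404 means the server did not serve the request; the source
        # host is still worth recording as an infected or scanning machine.
        print(f'{hit["host"]} {hit["time"]} {hit["label"]} status={hit["status"]}')
    print(hosts_by_hits(SAMPLE_LOG))
```

The status code is kept in the result on purpose: a 404, as in the post, shows the server refused the request, but the source host is still the useful datum for notifying the owner or blocking the scanner.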



    This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 16:26:49 PDT