Security Basics mailing list archives
Re: Unusual Activity
From: Gregory Dunlap <gtdunlap () midsouth rr com>
Date: Sat, 14 Feb 2004 11:11:09 -0600
I saw this before when we ran application check software on our web server. Basically the software hits external pages and tries various attacks against the pages (sql injection, buffer overflow on fields) to see what it can exploit. Used by internal people its good to let developers know what they need to fix, used without your knowledge it could be a profile attempt. Just a thought, Greg On Fri, 2004-02-13 at 10:45, Graydon McKee wrote:
Hello All, I’m seeing some unusual activity. One of our web servers it sending emails via a feedback page that proport to come from 333-333-3333test () test999 com. These messages have various things in the From Field: From: "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\boot.ini" <> From: "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\etc\\passwd" <> From: "\\\\'/bin/cat /etc/passwd\\\\'" <> 88 of these messages were generated in under a minute so I’m pretty sure that someone is running a script against this page but I am having problems finding out exactly what is being run and what exploit is being looked for. Something tells me that this should be pretty simple but for some reason I can’t put my finger on it. Does anyone have any ideas or suggestions that would help me out here? Thanks Graydon S McKee IV - GSEC Firewall/Security Administrator ORC Macro - Macro International 11785 Beltsville Drive Calverton, Maryland 20705 301-572-0583 Fax: 301-572-0982
--------------------------------------------------------------------------- Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection Protect your network with the comprehensive security solution that integrates six applications for ease of use and lower TCO. Firewall - Virus protection - Spam protection - URL blocking - VPN - Wireless security. Download 30-day evaluation at: http://www.astaro.com/php/contact/securityfocus.php ----------------------------------------------------------------------------
Current thread:
- Unusual Activity Graydon McKee (Feb 13)
- Re: Unusual Activity Gregory Dunlap (Feb 16)
- RE: Unusual Activity dave kleiman (Feb 16)
- <Possible follow-ups>
- RE: Unusual Activity irado () hotpop com (Feb 16)
- RE: Unusual Activity Shawn Jackson (Feb 16)