Security Basics mailing list archives

Re: Unusual Activity


From: Gregory Dunlap <gtdunlap () midsouth rr com>
Date: Sat, 14 Feb 2004 11:11:09 -0600

I saw this before when we ran application check software on our web
server.  Basically the software hits external pages and tries various
attacks against the pages (SQL injection, buffer overflow on fields) to
see what it can exploit.  Used by internal people, it's good to let
developers know what they need to fix; used without your knowledge, it
could be a profile attempt.

Just a thought,
Greg


On Fri, 2004-02-13 at 10:45, Graydon McKee wrote:
Hello All, 

I’m seeing some unusual activity.  One of our web servers
is sending emails via a feedback page that purport to come from
333-333-3333test () test999 com.  These messages have various things in
the From Field: 

 

From: "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\boot.ini" <> 
From: "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\etc\\passwd" <> 
From: "\\\\'/bin/cat /etc/passwd\\\\'" <>

 

88 of these messages were generated in under a minute so I’m pretty
sure that someone is running a script against this page but I am
having problems finding out exactly what is being run and what exploit
is being looked for.  Something tells me that this should be pretty
simple but for some reason I can’t put my finger on it.  Does anyone
have any ideas or suggestions that would help me out here?  

 

Thanks

 

Graydon S McKee IV - GSEC

Firewall/Security Administrator

ORC Macro - Macro International

11785 Beltsville Drive

Calverton, Maryland 20705

301-572-0583 Fax: 301-572-0982
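
Added example, not part of the original thread: one way to triage the feedback-form messages described above, labelling each From value by probe type and measuring how many arrive per minute. The three payload strings are those quoted in the message; the patterns, function names, timestamps and the "Jane Doe" sender are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Probe families visible in the From values quoted in the message.
PROBES = {
    "path_traversal": re.compile(r"(?:\.\.[\\/]+){2,}"),
    "sensitive_file": re.compile(r"boot\.ini|etc[\\/]+passwd", re.I),
    "command_injection": re.compile(r"/bin/\w+"),
}

def classify(value):
    """Return the sorted probe labels whose pattern matches a form field value."""
    return sorted(name for name, rx in PROBES.items() if rx.search(value))

def max_probe_rate(events, window=timedelta(seconds=60)):
    """Largest count of probe-like submissions inside any sliding time window."""
    times = sorted(ts for ts, value in events if classify(value))
    best = start = 0
    for end, ts in enumerate(times):
        # Advance the window start until it is within `window` of this event.
        while ts - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

# The three From values as quoted in the message.
PAYLOADS = [
    r'..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\boot.ini',
    r'..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\etc\\passwd',
    r"\\\\'/bin/cat /etc/passwd\\\\'",
]

# Constructed sample: 88 submissions 0.6 s apart plus one ordinary sender.
BASE = datetime(2004, 2, 13, 10, 40)
SAMPLE = [(BASE + timedelta(seconds=0.6 * i), PAYLOADS[i % 3]) for i in range(88)]
SAMPLE.append((BASE + timedelta(minutes=5), "Jane Doe"))

if __name__ == "__main__":
    for p in PAYLOADS:
        print(classify(p), p)
    print("peak probes per 60 s:", max_probe_rate(SAMPLE))
```

A mix of Windows and Unix targets across labels, arriving at this rate, is consistent with an automated scanner working through a generic payload list rather than a person targeting one known flaw.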

 



