Security Incidents mailing list archives
Re: Unicode worm?
From: "Kurt Seifried" <bugtraq () seifried org>
Date: Wed, 21 Aug 2002 23:45:02 -0600
I've noticed some activity on a couple of web servers which I'm trying to find an explanation for. It's been happening for about 2 months. Here's a log snippet:

[08-21-2002 - 00:56:11] Client at x.x.x.x: URL normalization was not complete after one pass. Request will be rejected. Site Instance='1', Raw URL='/scripts/..%255c%255c../winnt/system32/cmd.exe'

I've got these requests going back to May, beyond that I'd have to uncompress logs but who cares. If I grep for "255" and/or ".." and "cmd.exe"... well.. yeah. lots and lots of entries. It's code red/blue/green/god knows what and Nimda and lord knows what else. Make sure your servers are patched before they go online and if you're like me find someone nice to have dinner with and forget about it. There are much better things to do in life than worrying about the latest (or not so latest) Windows worm.

Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
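The grep described in the message above, generalized into a small log check: it decodes each Raw URL until it stops changing and reports whether more than one pass was needed and whether the result walks up the directory tree. This is an added example, not part of the original post; the function names, the second and third sample lines and the client addresses (documentation placeholders) are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample: line 1 is the entry quoted above with a placeholder
# client address; lines 2 and 3 are made-up benign entries for contrast.
SAMPLE_LOG = """\
[08-21-2002 - 00:56:11] Client at 192.0.2.10: URL normalization was not complete after one pass. Request will be rejected. Site Instance='1', Raw URL='/scripts/..%255c%255c../winnt/system32/cmd.exe'
[08-21-2002 - 00:57:40] Client at 192.0.2.11: Sample entry. Site Instance='1', Raw URL='/images/logo%20small.gif'
[08-21-2002 - 01:02:03] Client at 192.0.2.12: Sample entry. Site Instance='1', Raw URL='/docs/100%2525/report.htm'
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Client at (?P<client>\S+): .*Raw URL='(?P<url>[^']*)'"
)


def normalize(url, max_passes=5):
    """Percent-decode until the string stops changing; return (result, passes)."""
    passes = 0
    while passes < max_passes:
        decoded = unquote(url, encoding="latin-1")  # latin-1: every byte maps to a char
        if decoded == url:
            break
        url, passes = decoded, passes + 1
    return url, passes


def classify(line):
    """Return a finding dict for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    final, passes = normalize(m["url"])
    # IIS accepts both separators, so compare on a single one.
    path = final.replace("\\", "/").lower()
    return {
        "client": m["client"],
        "raw": m["url"],
        "decoded": final,
        "multi_pass": passes > 1,                # encoded more than once
        "traversal": ".." in path.split("/"),    # a parent-directory segment
        "cmd_exe": path.endswith("/cmd.exe"),
    }


def scan(log_text):
    """Classify every parseable line of a log."""
    return [f for f in map(classify, log_text.splitlines()) if f]
```

The third sample line is double-encoded but harmless, which is why the check reports multi-pass decoding and traversal as separate fields rather than matching on "255" alone.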