Security Basics mailing list archives

Unusual Activity


From: "Graydon McKee" <graydon.s.mckee.iv () orcmacro com>
Date: Fri, 13 Feb 2004 11:45:28 -0500

Hello All, 
I'm seeing some unusual activity.  One of our web servers is sending emails via a
feedback page that purport to come from 333-333-3333test () test999 com.  These messages have various
things in the From field: 
 
From: "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\boot.ini" <> 
From: "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\etc\\passwd" <> 
From: "\\\\'/bin/cat /etc/passwd\\\\'" <>
 
88 of these messages were generated in under a minute so I'm pretty sure that someone is running a
script against this page but I am having problems finding out exactly what is being run and what
exploit is being looked for.  Something tells me that this should be pretty simple but for some
reason I can't put my finger on it.  Does anyone have any ideas or suggestions that would help me
out here?  
 
Thanks
 
Graydon S McKee IV - GSEC
Firewall/Security Administrator
ORC Macro - Macro International
11785 Beltsville Drive
Calverton, Maryland 20705
301-572-0583 Fax: 301-572-0982
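
A triage sketch for the activity described in this message, added here as an example and not part of the original post: it labels feedback-form From values like the three quoted above (path traversal toward boot.ini or /etc/passwd, an embedded shell command) and flags a burst of them. The signature names, the burst threshold and the sample timestamps are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Probe signatures for the kinds of From values quoted in the post (assumed names).
PATTERNS = {
    "path_traversal": re.compile(r"(?:\.\.[\\/]+){2,}"),
    "sensitive_file": re.compile(r"boot\.ini|etc[\\/]+passwd", re.I),
    "shell_command": re.compile(r"/bin/\w+\s|[;|`]|\$\("),
}

def classify(from_value):
    """Return the sorted names of every signature the From value matches."""
    return sorted(n for n, rx in PATTERNS.items() if rx.search(from_value))

def has_burst(timestamps, threshold=20, window=timedelta(seconds=60)):
    """True if any sliding window of the given length holds >= threshold events."""
    ts = sorted(timestamps)
    start = 0
    for end, t in enumerate(ts):
        while t - ts[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False

def triage(submissions):
    """submissions: iterable of (datetime, From value). Summarise probe activity."""
    hits = Counter()
    suspicious_times = []
    for when, value in submissions:
        labels = classify(value)
        hits.update(labels)
        if labels:
            suspicious_times.append(when)
    return {"hits": dict(hits), "burst": has_burst(suspicious_times)}

# Constructed sample: the three From values from the post, repeated to give
# 88 submissions inside one minute, plus one ordinary submission.
PROBES = [
    r"..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\boot.ini",
    r"..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\etc\\passwd",
    r"\\\\'/bin/cat /etc/passwd\\\\'",
]
T0 = datetime(2004, 2, 13, 11, 0, 0)  # constructed timestamp
SAMPLE = [(T0 + timedelta(seconds=i * 0.6), PROBES[i % 3]) for i in range(88)]
SAMPLE.append((T0 + timedelta(minutes=5), "Jane Doe"))

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The same From values in a form's submission log, arriving at this rate, indicate an automated scanner cycling through generic input-validation tests rather than a person typing into the page.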
 
