Security Basics mailing list archives
RE: Unusual Activity
From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Mon, 16 Feb 2004 10:25:44 -0800
Most likely a scan, kinda looks like something Nimda would do. Could
also be someone trying to exploit your feedback page for use as an open
relay. They are looking for one Windows file and some *NIX files. The
last line is them trying to get cat output from your passwd file. Block
the IP/netblock. And do a thorough scan of your log files.
Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
(800) 325-1199 x338
-----Original Message-----
From: Graydon McKee [mailto:graydon.s.mckee.iv () orcmacro com]
Sent: Friday, February 13, 2004 8:45 AM
To: security-basics () securityfocus com
Subject: Unusual Activity
Hello All,
I'm seeing some unusual activity. One of our web servers is
sending emails via a feedback page that purport to come from
333-333-3333test () test999 com. These messages have various things in the
From Field:
From: "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\boot.ini" <>
From: "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\etc\\passwd" <>
From: "\\\\'/bin/cat /etc/passwd\\\\'" <>
88 of these messages were generated in under a minute so I'm pretty sure
that someone is running a script against this page but I am having
problems finding out exactly what is being run and what exploit is being
looked for. Something tells me that this should be pretty simple but for
some reason I can't put my finger on it. Does anyone have any ideas or
suggestions that would help me out here?
Thanks
Graydon S McKee IV - GSEC
Firewall/Security Administrator
ORC Macro - Macro International
11785 Beltsville Drive
Calverton, Maryland 20705
301-572-0583
Fax: 301-572-0982
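The log review suggested in the reply can be scripted. The following is an added example, not part of either message: it flags feedback-form field values matching the probes quoted in the thread (directory traversal, boot.ini / passwd, /bin/cat), also checks for CR/LF as the usual sign of an open-relay attempt through a mail form, and reports sources that send a burst of such submissions. The function names, the threshold of 20 per 60 seconds, and the sample records with their 192.0.2.x addresses are assumptions constructed for illustration.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Patterns taken from the From values quoted in the thread, plus CR/LF for
# the open-relay (mail header injection) case raised in the reply.
PROBES = {
    "path_traversal": re.compile(r"(?:\.\.[\\/]+){2,}"),
    "sensitive_file": re.compile(r"boot\.ini|etc[\\/]+passwd", re.I),
    "shell_command": re.compile(r"/bin/(?:cat|sh|ls)\b"),
    "header_injection": re.compile(r"[\r\n]|%0[ad]", re.I),
}

def classify(field_value):
    """Return the sorted names of probe patterns found in one form field."""
    return sorted(name for name, rx in PROBES.items() if rx.search(field_value))

def find_bursts(events, threshold=20, window=timedelta(seconds=60)):
    """events: iterable of (timestamp, source_ip, from_value), time-ordered.
    Returns {ip: largest count of flagged submissions inside one window}
    for every source that reaches the threshold."""
    recent, worst = {}, {}
    for ts, ip, value in events:
        if not classify(value):
            continue  # ordinary submission, not counted
        q = recent.setdefault(ip, deque())
        q.append(ts)
        while ts - q[0] > window:  # drop hits older than the window
            q.popleft()
        worst[ip] = max(worst.get(ip, 0), len(q))
    return {ip: n for ip, n in worst.items() if n >= threshold}

# Constructed sample: 88 probe submissions in 44 seconds from one address
# and one ordinary submission from another (both hypothetical).
T0 = datetime(2004, 2, 13, 8, 40, 0)
VALUES = [
    "..\\..\\..\\..\\boot.ini",
    "..\\..\\..\\..\\etc\\passwd",
    "\\'/bin/cat /etc/passwd\\'",
]
SAMPLE = [(T0 + timedelta(seconds=i / 2), "192.0.2.10", VALUES[i % 3])
          for i in range(88)]
SAMPLE.append((T0 + timedelta(seconds=50), "192.0.2.77", "Jane Doe"))

if __name__ == "__main__":
    for v in VALUES:
        print(classify(v), repr(v))
    print(find_bursts(SAMPLE))
```

The same patterns can be applied to the web server's access log for the feedback page to recover the source address to block.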
