Security Basics mailing list archives

RE: Unusual Activity


From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Mon, 16 Feb 2004 10:25:44 -0800

Most likely a scan, kinda looks like something Nimda would do. Could
also be someone trying to exploit your feedback page for use as an open
relay. They are looking for one Windows file and some *NIX files. The
last line is them trying to get cat output from your passwd file. Block
the IP/netblock. And do a thorough scan of your log files.


Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521

www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
             (800) 325-1199 x338
-----Original Message-----
From: Graydon McKee [mailto:graydon.s.mckee.iv () orcmacro com] 
Sent: Friday, February 13, 2004 8:45 AM
To: security-basics () securityfocus com
Subject: Unusual Activity


Hello All, 
            I'm seeing some unusual activity.  One of our web servers is
sending emails via a feedback page that purport to come from
333-333-3333test () test999 com.  These messages have various things in the
From field: 
 
From: "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\boot.ini" <> 
From: "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\etc\\passwd" <> 
From: "\\\\'/bin/cat /etc/passwd\\\\'" <>
 
88 of these messages were generated in under a minute, so I'm pretty sure
that someone is running a script against this page, but I am having
problems finding out exactly what is being run and what exploit is being
looked for.  Something tells me that this should be pretty simple, but
for some reason I can't put my finger on it.  Does anyone have any ideas
or suggestions that would help me out here?  
 
Thanks
 
Graydon S McKee IV - GSEC
Firewall/Security Administrator
ORC Macro - Macro International
11785 Beltsville Drive
Calverton, Maryland 20705
301-572-0583 Fax: 301-572-0982
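The three From values quoted in the thread are the classic probe set: `..\` traversal aimed at `boot.ini` (Windows), the same traversal aimed at `etc\passwd` (UNIX), and a quoted `/bin/cat /etc/passwd` that only pays off if the form hands the field to a shell. The script below is an added example, not code from either poster: it runs coarse signatures for those patterns (plus bare CR/LF, the thing that turns a mail-sending form into an open relay) over the values and shows the validation a hardened feedback page would apply before passing a From value to sendmail. The sample values are constructed from the thread, with the archive's doubled display backslashes reduced to the single backslashes a form would actually receive (an assumption), plus one benign entry and one constructed header-injection attempt.

```python
import re
from email.utils import parseaddr

# Constructed sample of From-field values: the three payloads quoted in the
# thread (display escaping reduced to literal bytes, an assumption), one
# benign entry and one constructed CRLF header-injection attempt.
SAMPLES = [
    '"..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\boot.ini" <>',
    '"..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\etc\\passwd" <>',
    '"\\\\\'/bin/cat /etc/passwd\\\\\'" <>',
    '"Jane Doe" <jane@example.com>',                 # benign (constructed)
    'jane@example.com\r\nBcc: victim@example.net',   # constructed CRLF injection
]

# Signatures for what the thread describes: repeated traversal sequences,
# the two well-known target files, a quoted shell command, and bare CR/LF
# (extra headers injected into a mail-sending form make it an open relay).
RULES = [
    ("path-traversal",    re.compile(r'(?:\.\.[\\/]+){2,}')),
    ("windows-target",    re.compile(r'boot\.ini', re.IGNORECASE)),
    ("unix-target",       re.compile(r'etc[\\/]+passwd')),
    ("command-injection", re.compile(
        r"""['"`]\s*(?:/(?:usr/)?bin/)?(?:cat|sh|bash|id|uname|ls|wget|curl)\b|[;|&`]""")),
    ("header-injection",  re.compile(r'[\r\n]')),
]


def classify(value):
    """Return the names of every rule the From value trips, in rule order.
    These are coarse log-scanning signatures; expect some false positives
    on display names such as "cat lover"."""
    return [name for name, rx in RULES if rx.search(value)]


def is_safe_from(value):
    """Accept only a From value a hardened feedback page should pass on:
    no rule hits, and a display-name/address pair that parses to a single
    plain local@domain address (parseaddr alone is too lenient)."""
    if classify(value):
        return False
    _name, addr = parseaddr(value)
    if "@" not in addr:
        return False
    return re.fullmatch(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}', addr) is not None


def scan(values):
    """Classify every value and return the ones the form should have rejected."""
    return [(v, classify(v)) for v in values if not is_safe_from(v)]


if __name__ == "__main__":
    for value, hits in scan(SAMPLES):
        print(repr(value), "->", ", ".join(hits) or "malformed address")
```

Run it over the raw form submissions or the mail log rather than the delivered messages: the CR/LF case never shows up as a strange From line, it shows up as a message with headers the form never meant to emit.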
 
