Security Incidents mailing list archives

Re: Which webserver exploit is this?

From: Michael Cook <michael () INK ORG>
Date: Sun, 23 Jul 2000 15:42:11 -0500

On Sat, 22 Jul 2000, Matthew Breitenstine wrote:

his.ip.net - - [16/Jul/2000:20:21:10 -0500] "http://%a:%p/,HEAD /" 501 -


I have a similar entry appearing several days ago.  It accompanied a very
noisy port scan (did a full connect scan to a wide range of ports on every
IP).  I figured it was a misconfigured script being executed by some
k1ddi3z, with the %a and %p being substitute variables, like address and
port.  I'm curious if anyone else knows what it is.

--
Michael Cook (michael () ink org) http://www2.ink.org/~michael/

Ignorance is bliss; log to /dev/null.

Current thread:

Which webserver exploit is this? Jaap (Jul 22)
- <Possible follow-ups>
- Re: Which webserver exploit is this? The Incubus (Jul 24)
- Re: Which webserver exploit is this? Michael Cook (Jul 24)
  - Re: Which webserver exploit is this? Richard Bartlett (Jul 24)
- Re: Which webserver exploit is this? bruj0 Gandalf (Jul 25)
- Which webserver exploit is this? CLEARY Tom <Con> (Jul 25)
- Re: Which webserver exploit is this? Fredrik Ostergren (Jul 26)