Security Incidents mailing list archives

Re: IIS exploit attempt?


From: Michael Katz <mike () RESPONSIBLE COM>
Date: Sun, 6 May 2001 23:11:53 -0700

On Wednesday, May 02, 2001 11:13 AM, Sven Brill wrote:

I tried asking a couple of people about this, but none of them had a clue
what this could be, so one person referred me to this list.
Going through my Apache logs at home (setup is a Linux kernel 2.2.17 and
Apache, standard Mandrake 7.2 installation with security updates), I found
some strange GET requests, pasted here. Does anyone have an idea what this
person might have tried? Is it something new?
<SNIP>
-------
Excerpt from Apache access_log:

proxy2.rockingham.k12.va.us - - [02/May/2001:10:52:52 -0400] "GET
/scripts/rgs/RgsInit.ASP?AW=202&LV=2047&AS=0&D2=%32_OACS%32%32%32%

<snip>

Sven,

The log entries do not appear to be an exploit attempt against IIS or any other application.

It appears to be related to software looking to pull down ads.  See 
http://archives.neohapsis.com/archives/iss/2001-q2/0031.html and 
http://www.adzu.edu.ph/squid/mail-archive/squid-users/200104/0376.html and 
http://www.adzu.edu.ph/squid/mail-archive/squid-users/200104/0361.html.

One of the messages points to the Babylon online translator as the source of the log entries.

Hope that helps.

Michael Katz
Responsible Solutions, Ltd.
mike () responsible com 

