Vulnerability Development mailing list archives

Curious Code Red Behavior with Star Office HTTPd


From: "Tim" <webmaster () crazy-horse net>
Date: Mon, 6 Aug 2001 17:06:19 -0400

While going through my logs I happened to notice an AOL address and decided
I would check and see whether it was someone on AOL or an AOL server itself.
Luckily it was some poor soul using AOL rather than the company actually
having a Code Red problem. That aside I noticed one very curious aspect of
the webserver while I was just playing around throwing commands at it. Up
till now I have seen problems with Cisco, and IIS. I thought I should report
this as I have not read anywhere that StarOffice HTTP Server was vulnerable.

log of attack:
---------------
172.177.28.x - - [06/Aug/2001:06:55:57 -0500] "GET
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 404 210 "-" "-"

Nothing unusual there....
Check out the 404 while I was testing for the Trojan aspect of the newer
variant:
----------
HTTP Error 404
404 Not found ("/c/winnt/system32/cmd.exe?/c+dir")


--------------------------------------------------------------------------------

Generated by StarOffice HTTP Server 1.0


Anyone else seen any other attacks generating from StarOffice, or is this
just a freak incident? I haven't reported this to Sun as I'm not 100% sure it's
the StarOffice that attacked me earlier; they could have switched HTTPd's
since then. If anyone has StarOffice installed and would check, it would
clear this up.

Thanks,
Tim
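As an added example (not part of Tim's post), here is a small log scanner that flags the two request shapes shown above in a Combined Log Format access log: the overlong `/default.ida` query carrying `%u`-encoded bytes, and probes for `cmd.exe` under a share path. The sample log lines, IPs and timestamps are constructed for the example; the label names are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample access-log lines (not taken from the post). Line 1 mirrors
# the Code Red /default.ida probe, line 2 a cmd.exe probe, line 3 is benign.
SAMPLE_LOG = """\
172.177.28.1 - - [06/Aug/2001:06:55:57 -0500] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 210 "-" "-"
10.0.0.5 - - [06/Aug/2001:07:01:12 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 "-" "-"
10.0.0.7 - - [06/Aug/2001:07:02:03 -0500] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0"
"""

# Leading fields of the Combined/Common Log Format: client, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)


def classify_request(path: str) -> Optional[str]:
    """Label a request path that matches a Code Red era probe, else None."""
    low = path.lower()
    # Code Red: request for /default.ida with a %u-encoded (wide-char) payload
    if "/default.ida" in low and "%u" in low:
        return "code-red-ida-overflow"
    # Follow-on variants: reaching cmd.exe/root.exe through a mapped share path
    if "cmd.exe" in low or "root.exe" in low:
        return "cmd-exe-probe"
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one record per suspicious line: source IP, label and HTTP status.

    The status is kept on purpose: a 404 (as in the post) shows the server did
    not serve the request, but the source host is still very likely infected.
    """
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify_request(m.group("path"))
        if label:
            hits.append({"ip": m.group("ip"), "label": label,
                         "status": m.group("status")})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```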

