From owner-freebsd-isp Sat Apr 7 7:29:42 2001
Delivered-To: freebsd-isp@freebsd.org
Received: from www.golsyd.net.au (golsyd.net.au [203.57.20.1]) by hub.freebsd.org (Postfix) with ESMTP id 1C75637B423 for ; Sat, 7 Apr 2001 07:29:40 -0700 (PDT) (envelope-from kaltorak@quake.com.au)
Received: from [203.164.12.28] by www.quake.com.au (NTMail 4.30.0012/AB6169.63.5724aadf) with ESMTP id ecvaaaaa for ; Sun, 8 Apr 2001 00:29:57 +1000
Message-ID: <3ACF2531.49B7CC17@quake.com.au>
Date: Sun, 08 Apr 2001 00:33:21 +1000
From: Kal Torak
X-Mailer: Mozilla 4.73 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Jim Weeks
Cc: freebsd-isp@freebsd.org
Subject: Re: Look familiar?
References: <3ACF1957.E9177B52@siteplus.net>
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Jim Weeks wrote:
>
> While checking one of my apache error logs this morning, I find a long
> list of the following error.
> I was wondering if it makes sense to anyone? I am especially curious
> about characters "À¯".
>
> [Sat Apr 7 05:55:02 2001] [error] [client 207.31.75.150] File does not
> exist:
> /usr/local/www/data/scripts/..À¯..À¯..À¯..À¯..À¯..À¯..À¯..À¯/winnt/system32/cmd.exe
>
> [Sat Apr 7 05:55:02 2001] [error] [client 207.31.75.150] File does not
> exist:
> /usr/local/www/data/scripts/..À¯..À¯..À¯..À¯..À¯..À¯..À¯..À¯/winnt/system32/cmd.exe

Looks like some sort of buffer overflow attack, and they are then trying
to spawn the cmd shell (if you can even call it a shell)...

Since your Unix system is not Windows, even if the buffer overflow worked
they sure wouldn't be able to run cmd.exe :P

Obviously this is one of the great new holes in NT + ISS that are found
every second day...
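
Added example, not part of the original thread: the characters "À¯" in the quoted log line are the bytes 0xC0 0xAF shown as ISO-8859-1, which form an overlong two-byte UTF-8 encoding of "/". The sketch below folds such sequences back to ASCII and flags error-log lines whose decoded path contains directory traversal. It assumes the log is read as ISO-8859-1 text in the format quoted above; the function names are illustrative.

```python
import re

# The quoted log line (8 repeats, as in the message) plus one constructed benign line.
SAMPLE_LOG = (
    "[Sat Apr 7 05:55:02 2001] [error] [client 207.31.75.150] File does not exist: "
    "/usr/local/www/data/scripts/" + "..\u00c0\u00af" * 8 + "/winnt/system32/cmd.exe\n"
    "[Sat Apr 7 05:56:10 2001] [error] [client 192.0.2.7] File does not exist: "
    "/usr/local/www/data/favicon.ico\n"
)

LOG_RE = re.compile(r"\[client (?P<client>[^\]]+)\] File does not exist: (?P<path>.*)$")

def fold_overlong(raw: bytes):
    """Replace overlong 2-byte UTF-8 sequences with the ASCII byte they encode.

    Lead bytes 0xC0/0xC1 can only encode code points below 0x80, which valid
    UTF-8 must write as a single byte. Longer overlong forms are not handled.
    """
    out, hits, i = bytearray(), 0, 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            hits += 1
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out), hits

def scan(log_text: str):
    """Return one finding per log line with overlong bytes or traversal in the path."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        raw = m["path"].encode("iso-8859-1", errors="replace")
        folded, hits = fold_overlong(raw)
        path = folded.decode("iso-8859-1")
        traversal = "../" in path or "..\\" in path
        if hits or traversal:
            findings.append({"client": m["client"], "overlong": hits,
                             "traversal": traversal, "decoded": path})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```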