From owner-freebsd-isp Sat Apr 7 8:14:25 2001
Delivered-To: freebsd-isp@freebsd.org
Received: from mail1.bna.bellsouth.net (mail1.bna.bellsouth.net [205.152.150.13]) by hub.freebsd.org (Postfix) with ESMTP id 99A6737B422 for ; Sat, 7 Apr 2001 08:14:22 -0700 (PDT) (envelope-from jim@siteplus.net)
Received: from veager.siteplus.net (host-208-60-234-31.cha.bellsouth.net [208.60.234.31]) by mail1.bna.bellsouth.net (3.3.5alt/0.75.2) with ESMTP id LAA27206; Sat, 7 Apr 2001 11:14:16 -0400 (EDT)
Date: Sat, 7 Apr 2001 11:14:04 -0400 (EDT)
From: Jim Weeks
To: Kal Torak
Cc: Walter Hop, freebsd-isp@FreeBSD.ORG
Subject: Re: Look familiar?
In-Reply-To: <3ACF2531.49B7CC17@quake.com.au>

Thanks for the quick response.

I am not familiar with ISS, so I wasn't sure if this was a known attack ploy. I have had a few other file not found errors that look suspicious, as well as this sendmail error:

Apr 4 00:19:57 aurora sendmail[8764]: AAA08756: Truncated MIME Content-Disposition header due to field size (possible attack)

--
Jim Weeks

On Sun, 8 Apr 2001, Kal Torak wrote:

> Jim Weeks wrote:
> >
> > While checking one of my apache error logs this morning, I find a long
> > list of the following error.
> > I was wondering if it makes sense to anyone? I am especially curious
> > about characters "=C0=AF".
> >
> > [Sat Apr 7 05:55:02 2001] [error] [client 207.31.75.150] File does not
> > exist:
> > /usr/local/www/data/scripts/..=C0=AF..=C0=AF..=C0=AF..=C0=AF..=C0=AF..=C0=AF..=C0=AF..=C0=AF/winnt/system32/cmd.exe
> >
> > [Sat Apr 7 05:55:02 2001] [error] [client 207.31.75.150] File does not
> > exist:
> > /usr/local/www/data/scripts/..=C0=AF..=C0=AF..=C0=AF..=C0=AF..=C0=AF..=C0=AF..=C0=AF..=C0=AF/winnt/system32/cmd.exe
>
>
> Looks like some sort of buffer overflow attack, and they are then trying
> to spawn the cmd shell (if you can even call it a shell)...
>
> Since your unix system is not windows, even if the buffer overflow worked
> they sure wouldn't be able to run cmd.exe :P
> Obviously this is one of the great new holes in NT + ISS that are found
> every second day...
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message
>