I was wondering if anyone on the list has had their website hit by the notorious
'_pimpshiz_'.
Here are some logs from the 'penetrated' webserver.
23:55:35 xxx.xxx.xx.xx - W3SVC37 WEB371 xxx.xxx.xx.xx HEAD /i.txt - 404
2 143 136 10 80 HTTP/1.0 NaviPress/2.0+AOLpress/2.0 - -
23:55:37 xxx.xxx.xx.xx - W3SVC37 WEB371 xxx.xxx.xx.xx GET /index.asp -
200 0 17258 130 1833 80 HTTP/1.0 NaviPress/2.0+AOLpress/2.0 - -
23:55:39 xxx.xxx.xx.xx - W3SVC37 WEB371 xxx.xxx.xx.xx PUT /i.txt - 201
0 276 218 300 80 HTTP/1.0 NaviPress/2.0+AOLpress/2.0 -
23:55:45 xxx.xxx.xx.xx - W3SVC37 WEB371 xxx.xxx.xx.xx GET /i.txt - 200
0 264 339 360 80 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt)
-
23:55:51 xxx.xxx.xx.xx - W3SVC37 WEB371 xxx.xxx.xx.xx GET /index.asp -
200 0 17488 334 1662 80 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt)
-
23:55:54 xxx.xxx.xx.xx - W3SVC37 WEB371 xxx.xxx.xx.xx GET /graphics/tab_athome.off.gif
- 200 0 492 266 420 80 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+5.0;
We are running the latest version of IIS.
Sorry for the lack of details on the actual web server, I will provide
more info in the next few days.
I basically wanted to post the logs of the attack to see if anyone has seen
this type of pattern (e.g. looking for the i.txt file, then putting it on
the webserver, etc.).
Any feedback would definitely help out, and once again I will post more
info regarding this.
Thanks,
-rewtkits
Received on Oct 04 2000
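
Added example, not part of the original post: a Python sketch that scans IIS log lines of the shape posted above for a successful PUT, and records whether the same client probed the path first (404) and whether the file was fetched afterwards. The field order is inferred from the posted lines, and the addresses in the sample are constructed stand-ins for the masked ones.

```python
# Field order inferred from the posted log lines (an assumption).
FIELDS = ("time", "c_ip", "user", "site", "host", "s_ip",
          "method", "uri", "query", "status")

# Constructed sample: the posted requests, unwrapped, with documentation-range
# addresses standing in for the masked ones.
UA = "HTTP/1.0 NaviPress/2.0+AOLpress/2.0 - -"
PFX = "192.0.2.10 - W3SVC37 WEB371 198.51.100.5"
SAMPLE_LOG = f"""\
23:55:35 {PFX} HEAD /i.txt - 404 2 143 136 10 80 {UA}
23:55:37 {PFX} GET /index.asp - 200 0 17258 130 1833 80 {UA}
23:55:39 {PFX} PUT /i.txt - 201 0 276 218 300 80 {UA}
23:55:45 {PFX} GET /i.txt - 200 0 264 339 360 80 {UA}
- 200 0 492 266 420 80 HTTP/1.1 (wrapped fragment, skipped by parse)
"""

def parse(line):
    """Split one log line into named fields; None for wrapped or partial lines."""
    parts = line.split()
    if len(parts) < len(FIELDS) or not parts[9].isdigit():
        return None
    rec = dict(zip(FIELDS, parts))
    rec["status"] = int(rec["status"])
    return rec

def find_put_uploads(log_text):
    """Return one finding per successful PUT, in log order."""
    probed = set()   # (client, uri) pairs that returned 404 earlier
    by_uri = {}      # uploaded uri -> its finding, to mark later fetches
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        uri = rec["uri"].lower()  # IIS paths are case-insensitive
        if rec["method"] in ("HEAD", "GET") and rec["status"] == 404:
            probed.add((rec["c_ip"], uri))
        elif rec["method"] == "PUT" and rec["status"] in (200, 201, 204):
            # 201 = file created (as in the post); 200/204 = existing file replaced
            hit = {"time": rec["time"], "client": rec["c_ip"], "uri": uri,
                   "probed_first": (rec["c_ip"], uri) in probed,
                   "fetched_after": False}
            findings.append(hit)
            by_uri[uri] = hit
        elif rec["method"] == "GET" and rec["status"] == 200 and uri in by_uri:
            by_uri[uri]["fetched_after"] = True
    return findings
```

Any finding at all means the server accepted an unauthenticated or under-restricted write to the web root, so the check to make next is the write permission on that virtual directory.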