Curious Code Red Behavior with Star Office HTTPd
From: Tim (webmaster@crazy-horse.net)
Date: 08/06/01
- Previous message: Maciek: "Re: slackware permissions"
- Next in thread: Ray Simard: "Re: Curious Code Red Behavior with Star Office HTTPd"
- Reply: Ray Simard: "Re: Curious Code Red Behavior with Star Office HTTPd"
Message-ID: <002e01c11ebb$a3d8b310$9865fea9@aspect1>
From: "Tim" <webmaster@crazy-horse.net>
To: <vuln-dev@securityfocus.com>
Subject: Curious Code Red Behavior with Star Office HTTPd
Date: Mon, 6 Aug 2001 17:06:19 -0400

While going through my logs I happened to notice an AOL address and decided
I would check and see whether it was someone on AOL or an AOL server itself.
Luckily it was some poor soul using AOL rather than the company actually
having a Code Red problem. That aside I noticed one very curious aspect of
the webserver while I was just playing around throwing commands at it. Up
till now I have seen problems with Cisco, and IIS. I thought I should report
this as I have not read anywhere that StarOffice HTTP Server was vulnerable.
log of attack:
---------------
172.177.28.x - - [06/Aug/2001:06:55:57 -0500] "GET
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 404 210 "-" "-"
Nothing unusual there....
Check out the 404 while I was testing for the Trojan aspect of the newer
variant:
----------
HTTP Error 404
404 Not found ("/c/winnt/system32/cmd.exe?/c+dir")
--------------------------------------------------------------------------------
Generated by StarOffice HTTP Server 1.0
Anyone else seen any other attacks generating from StarOffice or is this just a freak incident? I haven't reported this to Sun as I'm not 100% it's the StarOffice that attacked me earlier, they could have switched HTTPd's since then. If anyone has StarOffice installed and would check, it would clear this up.
Thanks, Tim
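
A detection pass over access logs for the two request shapes quoted in the message above, as an added example that is not part of the original post. The function names, sample lines and addresses are constructed for illustration; it assumes Apache common/combined log format with each entry on one unwrapped line.

```python
import re

# Apache common/combined log format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Request for an .ida resource whose query string is a long run of a single
# filler character followed by %uXXXX-encoded words, as in the logged request.
IDA_RE = re.compile(
    r'^/[^?]*\.ida\?(?P<fill>(?P<c>[A-Za-z])(?P=c){50,})'
    r'(?P<words>(?:%u[0-9a-f]{4})+)',
    re.IGNORECASE,
)
# Request for cmd.exe through the web root, like the path in the quoted 404 page.
CMD_RE = re.compile(r'/cmd\.exe\?', re.IGNORECASE)

def classify(line):
    """Return a finding dict for a suspicious log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    uri, status = m['uri'], int(m['status'])
    ida = IDA_RE.match(uri)
    if ida:
        kind = 'ida-overflow-request'
        # The filler character is kept because it differs between samples.
        detail = {'filler': ida['c'], 'filler_len': len(ida['fill']),
                  'encoded_words': ida['words'].count('%u')}
    elif CMD_RE.search(uri):
        kind, detail = 'cmd-exe-probe', {}
    else:
        return None
    # 2xx: the local server served something for this URI, so look closer.
    # 4xx: the resource did not exist on this server.
    return {'host': m['host'], 'time': m['time'], 'kind': kind,
            'status': status, 'served': 200 <= status < 300, **detail}

def scan(lines):
    """Classify every line and return the findings in input order."""
    return [f for f in map(classify, lines) if f]

# Constructed sample lines (addresses are from documentation ranges).
SAMPLE = [
    '192.0.2.10 - - [06/Aug/2001:06:55:57 -0500] "GET /default.ida?' + 'X' * 224
    + '%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 210 "-" "-"',
    '198.51.100.7 - - [06/Aug/2001:07:02:11 -0500] "GET /index.html HTTP/1.0" 200 1043 "-" "-"',
    '203.0.113.5 - - [06/Aug/2001:07:10:40 -0500] '
    '"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 208 "-" "-"',
]

if __name__ == '__main__':
    for finding in scan(SAMPLE):
        print(finding)
```

Log excerpts copied from e-mail, like the one quoted above, are hard-wrapped and need their continuation lines rejoined before they will match.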