
Website Analytics - Tracking and Logging Forum

    
A New Hacking Exploit?
Java UA asking for bizarre Windows executable
Constantin




msg:899552
 2:22 am on Dec 1, 2003 (gmt 0)

Hi guys & gals,

I just got a single log entry from Canada looking to execute an ASP program on my site. The directory structure in the URL request is somewhat reminiscent of older Windows attacks (NIMDA, et al.)...

Considering that my site never makes a call for PHP, ASP, etc. and has never made them in the past, I suspect that the below call for an ASP file is premeditated and hostile. I searched WebmasterWorld for parts of the below string but found no entries other than a recent one about weird Java requests.

Anyone have any experience with the below requests and/or HSE in Toronto? Cheers!

Originating IP: 64.229.96.33 (HSE, 220 Simcoe, Toronto, Canada)
URL Requested:
~/msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/SELECTOR/showcode.asp,
UA: Java/1.4.1_02,

 

jpjones




msg:899553
 2:55 am on Dec 1, 2003 (gmt 0)

I wouldn't worry too much.

I'd say it's most likely just a scanning bot looking for potential systems that could be hacked into. Yours is just one of 1000s that will have been searched as the bot performs its duties. It'll go around the web scanning for potential targets, so its master can then play around once the hard work has been done. So long as that file does not exist on your server, you'll be fine.

That's script kiddies for you.

onedumbear




msg:899554
 3:24 am on Dec 1, 2003 (gmt 0)

I saw him today too.

Constantin




msg:899555
 3:18 pm on Dec 1, 2003 (gmt 0)

Hi Everyone,

Thanks for the replies! I didn't worry too much about this hack attempt myself because my server (AFAIK) cannot execute ASPs (i.e. it's not running IIS, Windows). However, I suspect there are a number of folks on WebmasterWorld that do. They are the ones who should take a closer look at whatever this Java-based URL exploit is trying to do.

Considering how quickly real infections cause multiple entries to appear in my log files, this is either the very beginning or not a terribly effective exploit.

Regardless, I'm going to report it to the abuse authorities in Canada. However, seeing how effective contacting ISPs has been for others pursuing more important matters, I wonder if I'm wasting my time fingering folks who attempt to hack my site. Oh well.

bcolflesh




msg:899556
 3:53 pm on Dec 1, 2003 (gmt 0)

This is an old exploit - info here:

atstake.com/research/advisories/1999/showcode.txt

Constantin




msg:899557
 5:56 pm on Dec 1, 2003 (gmt 0)

... so old that it didn't even show in the WebmasterWorld search results... I should have known better, considering that the originating network seems to be the University of Toronto HSE system. Script-kiddies...

On the other hand, how many IIS servers out there are run by clueless admins that do not delete the sample files? Even a very low percentage of vulnerable Windows machines would quickly multiply into a large number.
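
Added example, not part of any post in this thread: a log triage script that applies the two checks the posters describe, namely whether the probed file was ever actually served (2xx rather than 404) and how many distinct sources asked for it. The log lines, client addresses, the `/guestbook.php` request and the `NEVER_SERVED` list are constructed assumptions for a static site logging in Apache combined format.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: the site is static, so these extensions are never requested legitimately.
NEVER_SERVED = {".asp", ".php", ".cgi", ".dll", ".exe"}

# Apache/NCSA "combined" log format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample lines; client addresses come from documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Dec/2003:02:10:11 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [01/Dec/2003:02:14:40 +0000] "GET /msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/SELECTOR/showcode.asp HTTP/1.1" 404 210 "-" "Java/1.4.1_02"
192.0.2.10 - - [01/Dec/2003:02:15:02 +0000] "GET /images/logo.gif HTTP/1.1" 200 843 "/index.html" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.5 - - [01/Dec/2003:03:20:19 +0000] "GET /MSADC/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/SELECTOR/showcode.asp HTTP/1.1" 404 210 "-" "Java/1.4.1_02"
192.0.2.44 - - [01/Dec/2003:04:01:55 +0000] "GET /guestbook.php HTTP/1.0" 404 210 "-" "-"
"""


def find_probes(log_text, never_served=NEVER_SERVED):
    """Map each probed path to the client IPs and user agents that asked for it,
    and whether the server ever answered 2xx (meaning the file really exists)."""
    probes = defaultdict(lambda: {"ips": set(), "agents": set(), "served": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # not a combined-format line
        # Drop the query string and fold case: IIS treats paths case-insensitively.
        path = urlsplit(m["target"]).path.lower()
        if posixpath.splitext(path)[1] not in never_served:
            continue
        entry = probes[path]
        entry["ips"].add(m["ip"])
        entry["agents"].add(m["ua"])
        entry["served"] = entry["served"] or m["status"].startswith("2")
    return dict(probes)


if __name__ == "__main__":
    for path, info in sorted(find_probes(SAMPLE_LOG).items()):
        print(f"{path}: {len(info['ips'])} source(s), served={info['served']}, "
              f"UA={sorted(info['agents'])}")
```

A path with `served=True` means the sample file exists on the server and should be removed; a source count that keeps climbing for one path matches the multi-entry pattern described above for real infections.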

© Webmaster World 1996-2014 all rights reserved