|A New Hacking Exploit?|
Java UA asking for bizarre Windows executable
| 2:22 am on Dec 1, 2003 (gmt 0)|
Hi guys & gals,
I just got a single log entry from Canada looking to execute a ASP program on my site. The directory structure in the URL request is somewhat reminscient of older windows attacks (NIMDA, et. al.)...
Considering that my site never makes a call for PHP, ASP, etc. and has never made them in the past, I suspect that the below call for a ASP file is premeditated and hostile. I searched webmasterworld for parts of the below string but found no entries other than a recent one about weird Java requests.
Anyone have any experience with the below requests and/or HSE in Toronto? Cheers!
Originating IP: 126.96.36.199 (HSE, 220 Simcoe, Toronto, Canada)
| 2:55 am on Dec 1, 2003 (gmt 0)|
I wouldn't worry too much.
I'd say it's most likely just a scanning bot looking for potential systems that could be hacked into. Yours is just one of 1000s that will have been searched as the bot performs its duties. It'll go around the web scanning for potential targets, so its master can then play around once the hard work has been done. So long as that file does not exist on your server, you'll be fine.
Thats script kiddies for you.
| 3:24 am on Dec 1, 2003 (gmt 0)|
i saw him today too.
| 3:18 pm on Dec 1, 2003 (gmt 0)|
Thanks for the replies! I didn't worry too much about this hack attempt myself because my server (ASFAIK) cannot execute ASPs (i.e. it's not running IIS, Windows). However, I suspect there are a number of folks on WebmasterWorld that do. They are the ones who should take a closer look at whatever this Java-based URL exploit is trying to do.
Considering how quickly real infections cause multiple entries to appear in my log files, this is either the very beginning or not a terribly effective exploit.
Regardless, I'm going to report it to the abuse authorities in Canada. However, seeing how effective contacting ISPs has been for others pursuing more important matters, I wonder if I'm wasting my time fingering folks who attempt to hack my site. Oh well.
| 3:53 pm on Dec 1, 2003 (gmt 0)|
This is an old exploit - info here:
| 5:56 pm on Dec 1, 2003 (gmt 0)|
... so old that it didn't even show in the WebmasterWorld search results... I should have known better, considering that the originating network seems to be the University of Toronto HSE system. Script-kiddies...
On the other hand, how many IIS server out there are run by clueless admins that do not delete the sample files? Even a very low percentage of vulnerable Windows machines would quickly multiply into a large number.