Forum Moderators: phranque
64.229.96.213 - - [04/Nov/2003:06:00:35 -0800] "GET /msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/SELECTOR/showcode.asp HTTP/1.1" 403 480 "-" "Java/1.4.1_02"
64.229.96.213 - - [04/Nov/2003:06:00:35 -0800] "GET /msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/SELECTOR/showcode.asp HTTP/1.1" 403 480 "-" "Java/1.4.1_02"
64.229.96.213 - - [04/Nov/2003:06:00:35 -0800] "GET /msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/SELECTOR/showcode.asp HTTP/1.1" 403 480 "-" "Java/1.4.1_02"
64.229.96.213 - - [04/Nov/2003:06:00:35 -0800] "GET /msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/SELECTOR/showcode.asp HTTP/1.1" 403 480 "-" "Java/1.4.1_02"Did a bit of digging and found these two mentions.
http*//atstake.com/research/advisories/1999/showcode.txt
http*//lists.virus.org/dshield-0211/msg00238.html
I'm not too concerned with the Java or the fact that they've already received a healthy 403.
Would just like to understand the whole picture.
Thanks.
Pendanticist.
i know that the showcode.asp url is a method to gain access to a system where an iis webserver is running (reading files) - it's very old.
i would assume that it is a scan wether the system accessable that way or not. so i would take number 4 ;).
but it's hard to say wether it is a virus, a script or a 'real person' who is trying.
never the less, if showcode.asp is located on that server, remove it or better: update iis and remove the whole (mdac) samples.
- hakre
I think that's something my host server handles, as I know very little about them and therefore can not delete or rename.
Since I have no aps pages then I gather there isn't much for me to worry about...
Long as it isn't viral in nature, I'm good-to-go.
Pendanticist.
