This is an impromptu tutorial on tracing skiddiots - because I just found one in our logs:

ClientHost       LogTime                  Service  Machine
-------------------------------------------------------------------------------
199.111.104.201  2002-06-15 17:49:30.000  W3SVC1   NTSA-SERV

ServerIP         Target                                      Parameters
----------------------------------------------------------------------------
xxx.xxx.xxx.xxx  /scripts/..%5c%5c../winnt/system32/cmd.exe  /c+dir

I'm sure we all recognise the cook-book directory traversal exploit attempted here (which failed, btw). So it's a kiddiot. Let's take a quick trip to www.samspade.org:

Trying whois -h whois.arin.net 199.111.104.201
VERnet (NETBLK-VERNET-CIDR1)
University of Virginia
Academic Computing Center
Gilmer Hall
Charlottesville, VA 22901
US

Netname: NETBLK-VERNET-CIDR1
Netblock: 199.111.0.0 - 199.111.255.255
Maintainer: VER

Coordinator:
Jokl, James A. (JAJ17-ARIN) jaj@VIRGINIA.EDU
(804) 924-0616

Domain System inverse mapping provided by:

UVAARPA.VIRGINIA.EDU 128.143.2.7
JUNO.ACC.VIRGINIA.EDU 128.143.22.119

Record last updated on 05-Apr-1994.
Database last updated on 14-Jun-2002 20:01:02 EDT.

So the kiddiot is (probably) a student at the University of Virginia. A nasty letter to the Netblock administrator will mean that's one kiddiot who's in for a nasty shock Monday morning. Word Up - and the word was 'busted'.

Hi --

You are listed as the admin contact for the Netblock: 199.111.0.0 - 199.111.255.255

University of Virginia
Academic Computing Center
Gilmer Hall
Charlottesville, VA 22901


We monitored an attempted network intrusion from an address in your IP range today (2002-06-15). The attack (which failed) came from IP address 199.111.104.201 at 17:49:30 (GMT). The actual attack attempted was a simple directory traversal exploit against a command line.

I would be grateful if you could take appropriate sanctions against the student involved. Someone obviously considers themselves to be 'l33t' - perhaps you could explain to them that under new US legislation such exploits are classed as terrorism.

Regards,
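
An added example, not part of the original post: a log check that flags requests like the one at the top of the post by percent-decoding the Target column until it stops changing and then testing whether the path climbs above the web root. The function names are hypothetical, and the second and third sample rows are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Column order as shown in the post: ClientHost, LogTime, Target, Parameters.
# The first row is the post's log entry; the other two are constructed samples.
SAMPLE_ROWS = [
    ("199.111.104.201", "2002-06-15 17:49:30.000",
     "/scripts/..%5c%5c../winnt/system32/cmd.exe", "/c+dir"),
    ("192.0.2.10", "2002-06-15 17:50:02.000",
     "/scripts/..%255c../winnt/system32/cmd.exe", "/c+dir"),
    ("192.0.2.11", "2002-06-15 17:51:44.000", "/images/logo.gif", ""),
]

# Strings taken from the logged request that no normal page fetch should contain.
SENSITIVE = re.compile(r"/winnt/system32/|cmd\.exe", re.I)

def normalise(target, max_rounds=3):
    # Decode repeatedly so double encoding (%255c -> %5c -> \) is unwrapped,
    # then treat backslashes as path separators, as a Windows server would.
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return re.sub(r"/+", "/", target.replace("\\", "/"))

def escapes_root(path):
    # True if '..' segments ever climb above the starting directory.
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def suspicious(target):
    # Returns the list of reasons a Target looks hostile (empty if clean).
    path = normalise(target)
    reasons = []
    if escapes_root(path):
        reasons.append("traversal above web root")
    if SENSITIVE.search(path):
        reasons.append("system path or cmd.exe in request")
    return reasons

def scan(rows):
    hits = [(host, when, suspicious(target)) for host, when, target, _ in rows]
    return [h for h in hits if h[2]]

if __name__ == "__main__":
    for host, when, reasons in scan(SAMPLE_ROWS):
        print(host, when, "; ".join(reasons))
```

Matching on the decoded, normalised path rather than on the raw string is what lets one rule cover both the `%5c` form in the log above and a double-encoded variant.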