Questions[vulnerabilities](server)

Is there a way in Windows to check that say Security Bulletin MS**-*** or CVE-****-***** has been patched? e.g. something akin to RedHat's rpm -q --changelog service

Windows 2008 R2 SP1

I assume this is some type of hacking attempt. I've try to Google it but all I get are sites that look like they have been exploited already.

I'm seeing requests to one of my pages that looks like this.

/listMessages.asp?page=8&catid=5+%28200+ok%29+ACCEPTED

The '(200 ok) ACCEPTED' is what is odd. But it does not appear to do anything.

I'm running on IIS 5 and ASP 3.0. Is this "hack" meant for some other type of web server?

Edit:

Normal requests look like:

/listMessages.asp?page=8&catid=5

I was recently asked 'What causes a line like this in our access.log?'

59.56.109.181 - - [22/Feb/2010:16:03:35 -0800] "GET http://www.google.com/ HTTP/1.1" 200 295 "-" "Mozilla/5.0 (compatible; MSIE 5.01; Win2000)"

My immediate answer is that's someone exploring something a little devious.

But:

• how? Speculation... a short perl or python script could easily connect and ask for a URL with an invalid host.
• Vulnerabilities? What is someone looking for when they do this, what have they learned, and should we patch it?
• Do I need a tin-foil hat to keep them from reading my mind?
• And for me the real question: Shouldn't that be a 404 response, not a 200!?

This is on a standard LAMP server (Ubuntu).

Quick question for you all - fairly frequently in my httpd logs I see things like this:

66.11.122.194 - - [29/Jan/2010:11:06:44 +0000] "GET HTTP/1.1 HTTP/1.1" 400 418 "-" "Toata dragostea mea pentru diavola"
66.11.122.194 - - [29/Jan/2010:11:06:44 +0000] "GET /roundcube//bin/msgimport HTTP/1.1" 404 417 "-" "Toata dragostea mea pentru diavola"
66.11.122.194 - - [29/Jan/2010:11:06:44 +0000] "GET /rc//bin/msgimport HTTP/1.1" 404 413 "-" "Toata dragostea mea pentru diavola"
66.11.122.194 - - [29/Jan/2010:11:06:44 +0000] "GET /mss2//bin/msgimport HTTP/1.1" 404 415 "-" "Toata dragostea mea pentru diavola"
66.11.122.194 - - [29/Jan/2010:11:06:45 +0000] "GET /mail//bin/msgimport HTTP/1.1" 404 415 "-" "Toata dragostea mea pentru diavola"
66.11.122.194 - - [29/Jan/2010:11:06:45 +0000] "GET /mail2//bin/msgimport HTTP/1.1" 404 416 "-" "Toata dragostea mea pentru diavola"
66.11.122.194 - - [29/Jan/2010:11:06:45 +0000] "GET /roundcubemail//bin/msgimport HTTP/1.1" 404 420 "-" "Toata dragostea mea pentru diavola"
...

You get the idea, a vulnerability scanning script. As I don't install my web apps to standard or even remotely named installs I nearly always return 404s, but it is still irritating to watch. So my question is, is there a way to detect/mitigate such attacks, perhaps using mod_rewrite and known blocklists etc? Or is this something web server admins simply have to put up with?

Thanks.

from: http://seclists.org/fulldisclosure/2009/Jul/0388.html

If I understand it best from the posts from: http://news.ycombinator.com/item?id=723798 the Matasano guys left sshd internet accessible - any proposed solutions for this (from a programming point-of-view) ?