Security Incidents mailing list archives
Re: Someone looking for CodeRed infected boxes ?
From: Cliff Albert <cliff () oisec net>
Date: Thu, 27 Jun 2002 08:20:44 +0200
On Wed, Jun 26, 2002 at 10:18:36AM -0400, Maxime Ducharme wrote:
2002-06-26 09:14:15 212.179.220.111 - 192.168.100.2 80 GET /winnt/system32/cmd.exe /c+dir+c:\ 404 2526 206 0 HTTP/1.1 65.94.25.135 - - - 2002-06-26 09:14:15 212.179.220.111 - 192.168.100.2 80 GET /scripts/.%2e/.%2e/winnt/system32/cmd.exe /c+dir+c:\ 404 2526 209 0 HTTP/1.1 65.94.25.135 - - - Sent packet show : GET /scripts/.%2e/.%2e/winnt/system32/cmd.exe?/c+dir+c:\ c:\ HTTP/1.1 Host: 65.94.25.135 Connection: keep-alive Accept: */* X-Forwarded-For: 212.179.220.111 Via: 1.1 proxy2 (NetCache NetApp/5.2.1R1D3) The proxy is relaying itself ? not much sense The worm generated header on-the-fly ?
The NetCache proxyserver is a Hardware-base proxyserver from NetApp which usually runs in transparent mode. Thus also proxying nimda/codered runs. -- Cliff Albert | RIPE: CA3348-RIPE | http://oisec.net/ cliff () oisec net | 6BONE: CA2-6BONE | ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Someone looking for CodeRed infected boxes ? Maxime Ducharme (Jun 26)
- Re: Someone looking for CodeRed infected boxes ? Cliff Albert (Jun 27)
- Re: Someone looking for CodeRed infected boxes ? Joao Gouveia (Jun 28)
- Re: Someone looking for CodeRed infected boxes ? Maxime Ducharme (Jun 28)
- Re: Someone looking for CodeRed infected boxes ? Joao Gouveia (Jun 28)
- Re: Someone looking for CodeRed infected boxes ? Cliff Albert (Jun 27)