Security Incidents mailing list archives

WORM FORENSICS?


From: Technical Support <bob () dexis net>
Date: Tue, 18 Sep 2001 13:24:32 -0700

I have just investigated a server that attacked me.

Here is what I found:

It appears that the servers are keeping a log of the results.
My server logs show that an attempt was made:

[18/Sep/2001:12:37:43 -0700] "from 207.104.210.242" "GET <clip> HTTP/1.0" 404 56 "- -> /scripts/<clip>/system32/cmd.exe" "User-Agent=-" "port: 80

Since I saw that I was attacked at 12:37, I went to the attacker site and listed the directory and discovered what appears to be a log of all the attempts.

As can be seen, the log

    09/18/01  12:37p                     0 TFTP9513

has a zero byte length, which seems to indicate that it failed, since I am running Apache.

If all those other logs are 57,344 each, then there appear to be many more MSII servers out there than I expected, and these logs appear to have information which appears to be success data.

I feel that any server attacking another is fair game to publish data about it.

Bob



http://207.104.25.194/scripts/root.exe?/c+dir%20"c:\InetPub\scripts";

The directory listing is included in the attached ZIP file

Attachment: 207-104-25-194.zip
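As an added example, not part of Bob's post or the ARIS archive: a small parser for the custom Apache log format shown above that tallies the /scripts/ cmd.exe and root.exe probes by source address and flags any the server actually answered with a 2xx (on Apache the 404 Bob saw means the probe failed). The log lines are constructed; only the first source address and timestamp mirror the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the custom Apache log format shown in the post:
# [timestamp] "from <ip>" "<request>" <status> <bytes> "- -> <translated path>" ...
# The 207.104.210.242 entry mirrors the post; the other lines are made up.
SAMPLE_LOG = """\
[18/Sep/2001:12:37:43 -0700] "from 207.104.210.242" "GET /scripts/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 56 "- -> /scripts/../winnt/system32/cmd.exe" "User-Agent=-" "port: 80
[18/Sep/2001:12:38:02 -0700] "from 207.104.210.242" "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 56 "- -> /scripts/root.exe" "User-Agent=-" "port: 80
[18/Sep/2001:12:40:11 -0700] "from 10.0.0.7" "GET /index.html HTTP/1.0" 200 1043 "- -> /var/www/index.html" "User-Agent=Mozilla/4.0" "port: 80
[18/Sep/2001:12:41:30 -0700] "from 192.0.2.55" "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 512 "- -> /scripts/root.exe" "User-Agent=-" "port: 80
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "from (?P<ip>[\d.]+)" '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"- -> (?P<translated>[^"]*)"'
)
# Requests for cmd.exe or root.exe under /scripts/ are the IIS worm probe the post describes.
WORM_RE = re.compile(r'/scripts/.*\b(cmd|root)\.exe', re.IGNORECASE)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def worm_probes(log_text):
    """Per source IP: probe count, first/last seen, and whether any probe got a 2xx."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "served": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not (WORM_RE.search(rec["path"]) or WORM_RE.search(rec["translated"])):
            continue
        h = hits[rec["ip"]]
        h["count"] += 1
        h["first"] = rec["ts"] if h["first"] is None else min(h["first"], rec["ts"])
        h["last"] = rec["ts"] if h["last"] is None else max(h["last"], rec["ts"])
        # On Apache a 404 means the probe failed (the post's case); a 2xx needs investigation.
        h["served"] |= 200 <= rec["status"] < 300
    return dict(hits)


if __name__ == "__main__":
    for ip, h in worm_probes(SAMPLE_LOG).items():
        print(ip, h["count"], h["first"].isoformat(), h["last"].isoformat(),
              "SERVED" if h["served"] else "failed")
```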

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
