Security Incidents mailing list archives

RE: Unicode worm?


From: "Larsen, Colin" <colin.larsen () nz unisys com>
Date: Thu, 22 Aug 2002 14:26:50 +1000

I get this every day. Usually in batches of 8 to 16 probes. Mostly from
China, Korea (even 2 nights of a couple of hundred probes from an Asian IT
university!) I figure it's a fact of life that anything attached to the big
wide world is gonna get shot at.

Colin.

-----Original Message-----
From: John Sage [mailto:jsage () finchhaven com]
Sent: Thursday, 22 August 2002 4:01 p.m.
To: incidents () securityfocus com
Subject: Re: Unicode worm?


Soeren, Keith:

On Wed, Aug 21, 2002 at 07:43:00PM +0200, Soeren Ziehe wrote:
In article <51F912F2A6CDD111810A00600811BA42024D8BE9@TEA05> [21 Aug 02]
   Turner, Keith (Contractor)  <TurnerL () tea-emh1 army mil> wrote:

[08-21-2002 - 00:56:11] Client at x.x.x.x: URL normalization was
not complete after one pass. Request will be rejected.  Site
Instance='1', Raw URL='/scripts/..%255c%255c../winnt/system32/cmd.exe'

I'm seeing the same requests.

I've recently seen several single-payload packet probes of the form:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

 08/11-02:27:44.357277 216.181.16.2:4723 -> 12.82.129.71:80
TCP TTL:110 TOS:0x0 ID:26376 IpLen:20 DgmLen:99 DF
***AP*** Seq: 0x36AEB784  Ack: 0x71FD0774  Win: 0x2238  TcpLen: 20
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25  GET /scripts/..%
35 63 25 35 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79  5c%5c../winnt/sy
73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F  stem32/cmd.exe?/
63 2B 64 69 72 0D 0A 69 72 0D 0A                 c+dir..ir..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

These have source IPs _not_ within my class B, or A; very quick,
typically six to nine packets for the total transaction, and they're gone.


- John
-- 
"You are in a little maze of twisty passages, all different."

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
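The double-encoded traversal probe discussed above, as an added detection example that is not part of the original thread: it percent-decodes a request URL repeatedly, the way the quoted IIS "not complete after one pass" message implies, and flags requests that need more than one pass or that resolve to a `../` traversal. The log lines, client addresses and the `scan_log` helper are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in the shape of the IIS message quoted in the thread.
# Client addresses are placeholders; the first two URLs mirror the quoted probes.
SAMPLE_LOG = """\
[08-21-2002 - 00:56:11] Client at 192.0.2.10: URL normalization was not complete after one pass. Request will be rejected.  Site Instance='1', Raw URL='/scripts/..%255c%255c../winnt/system32/cmd.exe'
[08-21-2002 - 00:57:02] Client at 192.0.2.11: Site Instance='1', Raw URL='/scripts/..%5c%5c../winnt/system32/cmd.exe?/c+dir'
[08-21-2002 - 00:58:30] Client at 192.0.2.12: Site Instance='1', Raw URL='/index.html'
[08-21-2002 - 00:59:44] Client at 192.0.2.13: Site Instance='1', Raw URL='/search?q=caf%C3%A9'
"""

RAW_URL = re.compile(r"Client at (\S+):.*Raw URL='([^']*)'")
TRAVERSAL = re.compile(r"\.\./")          # checked after backslashes are folded to '/'

def normalize(url, max_passes=4):
    """Percent-decode until the string stops changing and report how many
    passes changed it. %255c needs two passes (%255c -> %5c -> '\\'), which is
    exactly what the IIS 'not complete after one pass' rejection detects."""
    current, passes = url, 0
    while passes < max_passes:
        decoded = unquote(current)
        if decoded == current:
            break
        current, passes = decoded, passes + 1
    return current.replace("\\", "/"), passes

def classify(url):
    """Return the findings for one raw request URL (empty list = clean)."""
    decoded, passes = normalize(url)
    findings = []
    if passes > 1:
        findings.append("double-encoded")
    if TRAVERSAL.search(decoded):
        findings.append("traversal")
    if "cmd.exe" in decoded.lower():
        findings.append("cmd.exe")
    return findings

def scan_log(text):
    """Return (client, raw_url, findings) for each line whose Raw URL fires."""
    hits = []
    for line in text.splitlines():
        m = RAW_URL.search(line)
        if m and (findings := classify(m.group(2))):
            hits.append((m.group(1), m.group(2), findings))
    return hits

if __name__ == "__main__":
    for client, raw, findings in scan_log(SAMPLE_LOG):
        print(client, raw, ",".join(findings))
```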

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
