Security Incidents mailing list archives

Re: [logs] nimda web server logs


From: quentyn () fotango com
Date: Thu, 13 Jun 2002 17:15:10 +0100

"Jay D. Dyson" wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 11 Jun 2002, Sweth Chandramouli wrote:

Here's what I'm seeing -- anyone have any information on this variant?
/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:\\*.cif/s/b
/a.asp/..%c1%1c../..%c1%1c../winnt/repair/sam
/a.asp/..%c1%9c../..%c1%9c../winnt/repair/sam



how many hits per IP? I have something similar but from only 1 IP with
2k+ alerts (across all our sites) - I have just done some checking and
it appears to be very consistent with 709 connections per site (using
apache logs rather than snort logs for the connection attempts).

same IP was also looking for a file called "galaxy_25684.26030" but I
don't see requests for *.cif at all. The number in the file name appears
to increment as well (both numbers).

I have also seen requests for (from the same IP) 

 /adsamples/check.bat/..À¯..À¯..À¯winnt/system32/cmd.exe

curious,

looking in the denied packet logs I also see loads of denied connection
attempts from this IP at the same time to port 80 on our whole range (ie
scanning for web servers) as well as 2 netbios requests 7hrs later.... 


Q

-- 
#####################
Quentyn Taylor
Sysadmin - Fotango
#####################
and you're going to burn in hell. The other is that sex is the most
awful, filthy thing on earth. And you should save it for someone you
love.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
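A defender-side triage script for the kind of log entries quoted in this thread, added here as an example; it is not part of the original post or of any tool the list mentions. It parses constructed Apache combined-format lines (the IPs and timestamps are made up; the request paths follow the shapes quoted above, and the `À¯` in the adsamples request is bytes 0xC0 0xAF shown as Latin-1, i.e. `%c0%af`), normalizes the double-encoded (`%255c`) and overlong-UTF-8 (`%c1%1c`, `%c1%9c`, `%c0%af`) traversal sequences the way the vulnerable IIS decoder did, flags requests that traverse toward `cmd.exe` or `winnt/repair/sam`, and counts them per source IP, which answers the "how many hits per IP" question from the web server logs rather than from Snort alerts.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_to_bytes

# Constructed Apache combined-format lines (not taken from the original post):
# the IPs and timestamps are made up, the paths mirror those quoted in the thread.
SAMPLE_LOG = r"""
10.0.0.7 - - [11/Jun/2002:14:02:11 +0000] "GET /msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:\\*.cif/s/b HTTP/1.0" 404 301 "-" "-"
10.0.0.7 - - [11/Jun/2002:14:02:12 +0000] "GET /a.asp/..%c1%1c../..%c1%1c../winnt/repair/sam HTTP/1.0" 404 288 "-" "-"
10.0.0.7 - - [11/Jun/2002:14:02:13 +0000] "GET /a.asp/..%c1%9c../..%c1%9c../winnt/repair/sam HTTP/1.0" 404 288 "-" "-"
10.0.0.7 - - [11/Jun/2002:14:02:14 +0000] "GET /scripts/galaxy_25684.26030 HTTP/1.0" 404 270 "-" "-"
192.0.2.9 - - [11/Jun/2002:14:05:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.9 - - [11/Jun/2002:14:05:01 +0000] "GET /adsamples/check.bat/..%c0%af..%c0%af..%c0%afwinnt/system32/cmd.exe HTTP/1.0" 404 290 "-" "-"
"""

# Minimal combined-log parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Normalized path fragments worth alerting on when reached via traversal.
TARGETS = ("cmd.exe", "repair/sam")


def lenient_utf8(data: bytes) -> str:
    """Decode bytes the way the old IIS Unicode decoder did: accept overlong
    two-byte sequences (C0/C1 lead bytes) and map them to the ASCII character
    they encode, e.g. C0 AF -> '/' and C1 9C -> backslash. Other non-ASCII
    bytes are replaced with '?' since they cannot form a traversal."""
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data):
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        elif b < 0x80:
            out.append(chr(b))
            i += 1
        else:
            out.append("?")
            i += 1
    return "".join(out)


def normalize_path(raw: str, rounds: int = 3) -> str:
    """Drop the query string, percent-decode repeatedly (so %255c -> %5c -> '\\'),
    run the lenient decoder, fold backslashes to slashes and lower-case."""
    path = raw.split("?", 1)[0]
    for _ in range(rounds):
        decoded = lenient_utf8(unquote_to_bytes(path))
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()


def classify(path: str) -> list:
    """Return indicator names for a normalized path; empty list means benign."""
    hits = []
    if "/../" in path or path.endswith("/.."):
        hits.append("traversal")
    hits.extend(t for t in TARGETS if t in path)
    return hits


def summarize(log_text: str) -> dict:
    """Per-IP totals: all requests, suspicious requests, and indicator counts."""
    report = defaultdict(lambda: {"requests": 0, "suspicious": 0, "indicators": Counter()})
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        entry = report[m["ip"]]
        entry["requests"] += 1
        hits = classify(normalize_path(m["path"]))
        if hits:
            entry["suspicious"] += 1
            entry["indicators"].update(hits)
    return dict(report)


if __name__ == "__main__":
    for ip, entry in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{ip}: {entry['suspicious']}/{entry['requests']} suspicious, "
              f"indicators={dict(entry['indicators'])}")
```

Running it over the constructed lines reports 3 of 4 requests from 10.0.0.7 as suspicious (two toward `repair/sam`, one toward `cmd.exe`) and 1 of 2 from 192.0.2.9; the `galaxy_...` probe and `/index.html` pass through untouched. Pointing `summarize` at a real access log and sorting by the suspicious count gives the per-IP view the post asks for, and `normalize_path` is where to add any further encodings a particular server's decoder is known to accept.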