[Dshield] nimda-like scanning?

Kelly Martin kellym at fb00.fb.org
Tue Mar 26 21:01:54 GMT 2002


Just noticed the following in my system logs.

First, a segment of an Apache log on one of our web servers:

80.128.246.185 - - [26/Mar/2002:13:59:03 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1" 404 243
80.128.246.185 - - [26/Mar/2002:13:59:03 -0600] "GET /scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1" 404 246
80.128.246.185 - - [26/Mar/2002:13:59:07 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1" 404 243
80.128.246.185 - - [26/Mar/2002:13:59:07 -0600] "GET /scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1" 404 246
80.128.246.185 - - [26/Mar/2002:13:59:08 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1" 404 243
80.128.246.185 - - [26/Mar/2002:13:59:08 -0600] "GET /scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1" 404 246

Second, the output of my portscan detector (which works by parsing my PIX's
deny log):

Tue Mar 26 13:59:28 2002 scanning complete from 80.128.246.185, 5067 hits in 104 seconds (471 hosts, 1 ports [TCP:80])

The IP belongs to t-dialin.net, which is probably second only to wanadoo.fr
in proportion of native scriptkiddies.

Judging by these numbers, I'd say both of my Class C's were scanned rather
noisily (5067 hits in 104 seconds?) for vulnerable IIS servers.

Anyone else seen this sweep across them?

Kelly
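Added example, not code from Kelly's post or from DShield: a small Python detector that parses Apache common-log lines like the ones above, canonicalises the request path the way a lenient IIS decoder would (overlong UTF-8 such as %c0%af mapped to '/', then a second percent-decode pass so that %252e becomes %2e and then '.'), and flags requests that climb out of /scripts/ towards cmd.exe, with a per-source hit count and time span similar to the portscan summary. The log lines in SAMPLE_LOG are constructed for the example (documentation-range addresses, not the real scanner); the %255c line is an assumed variant of the same double-decode trick that is not in the post, and all function and constant names are my own.

```python
"""Flag IIS Unicode / double-decode traversal probes in an Apache access log."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Apache common log format: ip ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Overlong UTF-8 forms of '/' and '\' that a lax decoder maps to ASCII.
# They are rewritten before the generic decode so they are not lost as U+FFFD.
OVERLONG = {"%c0%af": "/", "%e0%80%af": "/", "%c1%9c": "\\"}

TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")
CMD_RE = re.compile(r"/system32/cmd\.exe$", re.IGNORECASE)

# Constructed sample log (addresses are from the documentation ranges).
SAMPLE_LOG = r"""
192.0.2.7 - - [26/Mar/2002:13:59:03 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1" 404 243
192.0.2.7 - - [26/Mar/2002:13:59:03 -0600] "GET /scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1" 404 246
198.51.100.9 - - [26/Mar/2002:13:59:05 -0600] "GET /index.html HTTP/1.0" 200 1843
192.0.2.7 - - [26/Mar/2002:13:59:08 -0600] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 246
""".strip().splitlines()


def decode_path(raw: str):
    """Canonicalise a request path; return (path, list of decoding tricks seen)."""
    tricks = []
    path = raw.split("?", 1)[0]  # the query string is not part of the file path
    for enc, ch in OVERLONG.items():
        if enc in path.lower():
            tricks.append("overlong-utf8:" + enc)
            path = re.sub(re.escape(enc), lambda _m, c=ch: c, path, flags=re.IGNORECASE)
    path = unquote(path)
    # A second pass only if the first left percent sequences behind,
    # which is exactly what %252e (-> %2e -> '.') relies on.
    if re.search(r"%[0-9a-fA-F]{2}", path):
        tricks.append("double-encoding")
        path = unquote(path)
    return path.replace("\\", "/"), tricks


def parse_line(line: str):
    """Parse one common-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def classify(rec):
    """Return the reasons a request looks like a traversal probe (empty if benign)."""
    path, reasons = decode_path(rec["path"])
    if TRAVERSAL_RE.search(path):
        reasons.append("dot-dot-traversal")
    if CMD_RE.search(path):
        reasons.append("cmd.exe")
    rec["canonical"] = path
    return reasons


def scan_log(lines):
    """Return the parsed records that contain a traversal or cmd.exe request."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if "dot-dot-traversal" in reasons or "cmd.exe" in reasons:
            rec["reasons"] = reasons
            hits.append(rec)
    return hits


def summarise(hits):
    """Per source address: hit count and time span, like the portscan summary."""
    by_ip = defaultdict(list)
    for rec in hits:
        by_ip[rec["ip"]].append(rec["ts"])
    return {ip: {"hits": len(ts), "seconds": (max(ts) - min(ts)).total_seconds()}
            for ip, ts in by_ip.items()}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for rec in found:
        print(rec["ip"], rec["canonical"], rec["reasons"])
    print(summarise(found))
```

Matching on the canonical path rather than on the raw request is the point: the two encodings in the post, and any other overlong or double-encoded variant, all collapse to /scripts/../../winnt/system32/cmd.exe, so one rule catches them, whereas a literal string match on "%c0%af" misses the next encoding the scanner tries.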