[Dshield] IIS Logs

Erick Brockway ebrockway at earthlink.net
Sat Mar 30 06:43:37 GMT 2002


        Well, perl ran the bit you posted, but didn't send. Not that I saw
anyway. The script I'm using has the following for a trigger:

use LWP::UserAgent;   # the rest of the script uses this to send the report

$|++;                 # unbuffered output, so the CGI response is not held back

# Request paths that trigger the script (Nimda / cmd.exe probes, no leading slash)
@NIMDA_attacks = ("MSADC/root.exe",
                  "c/winnt/system32/cmd.exe",
                  "d/winnt/system32/cmd.exe",
                  "scripts/..%255c../winnt/system32/cmd.exe",
                  "_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe",
                  "_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe",
                  "msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe",
                  "scripts/..%c1%1c../winnt/system32/cmd.exe",
                  "scripts/..%c0%2f../winnt/system32/cmd.exe",
                  "scripts/..%c0%af../winnt/system32/cmd.exe",
                  "scripts/..%c1%9c../winnt/system32/cmd.exe",
                  "scripts/..%%35%63../winnt/system32/cmd.exe",
                  "scripts/..%%35c../winnt/system32/cmd.exe",
                  "scripts/..%25%35%63../winnt/system32/cmd.exe",
                  "scripts/..%252f../winnt/system32/cmd.exe",
                  );
        Of which I added, I think, the bottom 7 lines to update it with
the more recent GET requests.
        The full script is here:
http://kickerrick.servebeer.com/scripts/root.txt
        Yours, if you want to see what it does, is here:
http://kickerrick.servebeer.com/default.ida

-----Original Message-----
From: list-admin at dshield.org [mailto:list-admin at dshield.org] On Behalf Of
John Hardin
Sent: Friday, March 29, 2002 9:27 AM
To: DShield mailing list
Subject: RE: [Dshield] IIS Logs


Here's one possibility.

httpd.conf:    AddHandler cgi-script .ida

Perl script named default.ida in the webserver root:

-snipped for brevity-
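The trigger list above fires on live requests hitting the CGI handler. The following is an added example, not Erick's root.txt script nor John Hardin's default.ida handler, that applies the same signature list offline to IIS W3C extended log lines and tallies hits per source address; it also flags requests for any .ida resource, in the spirit of the default.ida trick in the quoted reply. It assumes IIS wrote cs-uri-stem as received, with the percent-encoding intact (the signatures depend on that), and the sample log lines, addresses and the scan/classify/parse_w3c names are constructed for this example.

```python
"""Scan IIS W3C extended log lines for the Nimda probe paths from the thread.

Added example, not the thread's own code. Assumes IIS logged cs-uri-stem as
received (percent-encoding intact), which the signatures below rely on.
"""
import re
from collections import Counter, defaultdict

# Trigger list copied from the posted script (request paths, no leading slash).
NIMDA_ATTACKS = (
    "MSADC/root.exe",
    "c/winnt/system32/cmd.exe",
    "d/winnt/system32/cmd.exe",
    "scripts/..%255c../winnt/system32/cmd.exe",
    "_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe",
    "_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe",
    "msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe",
    "scripts/..%c1%1c../winnt/system32/cmd.exe",
    "scripts/..%c0%2f../winnt/system32/cmd.exe",
    "scripts/..%c0%af../winnt/system32/cmd.exe",
    "scripts/..%c1%9c../winnt/system32/cmd.exe",
    "scripts/..%%35%63../winnt/system32/cmd.exe",
    "scripts/..%%35c../winnt/system32/cmd.exe",
    "scripts/..%25%35%63../winnt/system32/cmd.exe",
    "scripts/..%252f../winnt/system32/cmd.exe",
)
# Longest first so the most specific signature wins when several would match.
SIGNATURES = sorted(NIMDA_ATTACKS, key=len, reverse=True)

# Any request for a .ida resource (the default.ida idea from the quoted reply).
IDA_PROBE = re.compile(r"\.ida$", re.IGNORECASE)


def parse_w3c(lines):
    """Yield one dict per record, taking column names from the #Fields: directive."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue            # other directives (#Software, #Date, ...)
        if fields is None:
            continue            # data before any #Fields: header; columns unknown
        values = line.split(" ")
        if len(values) != len(fields):
            continue            # malformed record; do not guess at columns
        yield dict(zip(fields, values))


def classify(uri_stem):
    """Return the matching signature, 'ida-probe', or None for a clean request."""
    stem = uri_stem.lower()     # case-insensitive, like the IIS path handling
    for sig in SIGNATURES:
        if sig.lower() in stem:
            return sig
    if IDA_PROBE.search(stem):
        return "ida-probe"
    return None


def scan(lines):
    """Return {client ip: Counter(signature -> hits)} for every flagged request."""
    hits = defaultdict(Counter)
    for row in parse_w3c(lines):
        label = classify(row.get("cs-uri-stem", ""))
        if label is not None:
            hits[row.get("c-ip", "?")][label] += 1
    return dict(hits)


# Constructed sample log (RFC 5737 documentation addresses), not a real capture.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-03-29 09:27:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-03-29 09:27:01 192.0.2.10 GET /MSADC/root.exe - 404
2002-03-29 09:27:02 192.0.2.10 GET /c/winnt/system32/cmd.exe /c+dir 404
2002-03-29 09:27:02 192.0.2.10 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404
2002-03-29 09:27:03 192.0.2.10 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 404
2002-03-29 09:30:15 198.51.100.7 GET /default.ida XXXXXXXXXXXXXXXX 200
2002-03-29 09:31:00 203.0.113.5 GET /index.html - 200
"""

if __name__ == "__main__":
    for ip, counts in sorted(scan(SAMPLE_LOG.splitlines()).items()):
        print(ip, sum(counts.values()), dict(counts))
```

Run it against a real ex*.log file by passing the file object to scan(); the per-address tallies are what you would hand to a reporting step like the one the posted script does with LWP::UserAgent, and the 404 status on the cmd.exe lines is the normal sign that the probe found nothing to run.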