[Dshield] Unusual log activity - any ideas?

Preston G. Simpson preston.simpson at sfrlaw.com
Wed May 1 14:56:59 GMT 2002


	This is kind of a new one for me.
	I've been working on a project examining HTTP logs for a few websites 
and looking at attack patterns. I've noticed something unusual about a few 
of them I found online.
	The excerpt is quite long, so I won't post it here in its entirety, but
here are a few of the salient points:

xxx.xxx.xxx.xxx [03/Apr/2002:09:35:05 -0500] "HEAD /qweiop43809442fsfjflr.html HTTP/1.1" 404 0 "-" "Mozilla/5.0"
xxx.xxx.xxx.xxx - - [03/Apr/2002:09:35:06 -0500] "GET /NULL.printer HTTP/1.1" 404 288 "-" "-"
xxx.xxx.xxx.xxx - - [03/Apr/2002:09:35:06 -0500] "GET / HTTP/1.1" 200 761 "-" "-"
xxx.xxx.xxx.xxx - - [03/Apr/2002:09:35:08 -0500] "HEAD /../../etc/passwd HTTP/1.1" 400 0 "-" "Mozilla/5.0"
xxx.xxx.xxx.xxx - - [03/Apr/2002:09:35:08 -0500] "HEAD /../../../../../etc/passwd HTTP/1.1" 400 0 "-" "Mozilla/5.0"
xxx.xxx.xxx.xxx - - [03/Apr/2002:09:35:08 -0500] "HEAD /../../../../etc/passwd HTTP/1.1" 400 0 "-" "Mozilla/5.0"
xxx.xxx.xxx.xxx - - [03/Apr/2002:09:35:08 -0500] "HEAD /../../../etc/passwd HTTP/1.1" 400 0 "-" "Mozilla/5.0"
xxx.xxx.xxx.xxx - - [03/Apr/2002:09:35:08 -0500] "HEAD /../../passwd HTTP/1.1" 400 0 "-" "Mozilla/5.0"
xxx.xxx.xxx.xxx - - [03/Apr/2002:09:35:08 -0500] "HEAD /../../shadow HTTP/1.1" 400 0 "-" "Mozilla/5.0"

	Nothing special. Looks like someone's twisting the knob on a *nix box.
But wait:

xxx.xxx.xxx.xxx - - [03/Apr/2002:09:48:26 -0500] "HEAD /Cgi-Bin/cmd32.exe?/c+dir HTTP/1.1" 404 0 "-" "Mozilla/5.0"
xxx.xxx.xxx.xxx - - [03/Apr/2002:09:48:34 -0500] "HEAD /Cgi-Bin/cmd32.exe?/c+dir HTTP/1.1" 404 0 "-" "Mozilla/5.0"
xxx.xxx.xxx.xxx - - [03/Apr/2002:09:48:58 -0500] "HEAD /cgi-bin/cmd.exe HTTP/1.1" 404 0 "-" "Mozilla/5.0"
xxx.xxx.xxx.xxx - - [03/Apr/2002:09:48:58 -0500] "HEAD /Cgi-Bin/cmd.exe HTTP/1.1" 404 0 "-" "Mozilla/5.0"

	Hm? Requests for cmd.exe and cmd32.exe? In the middle of a bunch of
*nix-specific requests?

	All of this activity was logged over the course of 17 minutes or so,
and might just have been somebody running a few canned scripts against a
site, hoping for a break. The only problem is that I've seen the same
(or nearly the same) sequence run against another host a few minutes after 
the one I posted above. Again, the sequence takes about 17 minutes to run. 
I can send the full excerpt to interested parties, but I want to know if 
there's something hellishly obvious about this that I'm missing.
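The triage the post describes, as an added example that is not from the original post or its author: group probe requests per source address, measure how long the run took, and flag a source that mixes Unix traversal and Windows probes. It assumes Apache combined-format logs; the sample lines and the 192.0.2.10 / 198.51.100.7 addresses are constructed.

```python
import re
from datetime import datetime

# Apache combined-format line; the identd/user fields ("- -") are optional (the post's first line lacks them).
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?:\S+ \S+ )?\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def classify(path):
    """Map a request path to one of the probe families seen in the post, or None."""
    p = path.lower()
    if "../" in p or p.endswith(("/passwd", "/shadow")):
        return "unix_traversal"
    if "cmd.exe" in p or "cmd32.exe" in p or p.endswith(".printer"):
        return "windows_probe"   # cmd.exe/cmd32.exe and the IIS .printer ISAPI extension
    return None

def summarize(lines):
    """Per source host: probe count, first/last time, time span, families hit."""
    per_host = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        family = classify(m["path"]) if m else None
        if family is None:
            continue   # unparseable or ordinary traffic is not counted as a probe
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        h = per_host.setdefault(m["host"], {"first": ts, "last": ts, "probes": 0, "families": set()})
        h["first"], h["last"] = min(h["first"], ts), max(h["last"], ts)
        h["probes"] += 1
        h["families"].add(family)
    for h in per_host.values():
        h["span_seconds"] = int((h["last"] - h["first"]).total_seconds())
        # One source hitting both Unix and Windows probe families inside a short window
        # is the signature of a canned multi-platform scanner rather than a targeted attacker.
        h["cross_platform"] = {"unix_traversal", "windows_probe"} <= h["families"]
    return per_host

# Constructed sample in the shape of the post's excerpt (192.0.2.10 and 198.51.100.7 are documentation addresses).
SAMPLE = """\
192.0.2.10 [03/Apr/2002:09:35:05 -0500] "HEAD /qweiop43809442fsfjflr.html HTTP/1.1" 404 0 "-" "Mozilla/5.0"
192.0.2.10 - - [03/Apr/2002:09:35:06 -0500] "GET /NULL.printer HTTP/1.1" 404 288 "-" "-"
192.0.2.10 - - [03/Apr/2002:09:35:08 -0500] "HEAD /../../etc/passwd HTTP/1.1" 400 0 "-" "Mozilla/5.0"
192.0.2.10 - - [03/Apr/2002:09:48:26 -0500] "HEAD /Cgi-Bin/cmd32.exe?/c+dir HTTP/1.1" 404 0 "-" "Mozilla/5.0"
192.0.2.10 - - [03/Apr/2002:09:48:58 -0500] "HEAD /cgi-bin/cmd.exe HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Apr/2002:09:40:00 -0500] "GET /index.html HTTP/1.0" 200 761 "-" "Mozilla/4.0"
""".splitlines()

if __name__ == "__main__":
    for host, h in summarize(SAMPLE).items():
        print(host, h["probes"], h["span_seconds"], sorted(h["families"]), h["cross_platform"])
```

Run over a full day's log, a second host showing the same families with a nearly identical span is the sign of the same script being replayed that the post asks about.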
