If my memory serves me right, I was seeing these entries on my apache servers at the same time as I was seeing the sadmin worm trying to do the unicode traversals on my IIS boxes. I believe it's a way to judge the server running on the machine. For example, From apache: 207.239.238.36 - - [12/Jul/2001:21:29:54 -0400] "GET x HTTP/1.0" 400 333 From IIS (the time on IIS is UTC): 01:29:55 207.239.238.36 - WEBMAIL01 GET /winnt/system32/cmd.exe 404 - 01:29:55 207.239.238.36 - WEBMAIL01 GET /winnt/system32/cmd.exe 404 - 01:29:55 207.239.238.36 - WEBMAIL01 GET /scripts/..?%pc../winnt/system32/cmd.exe 403 - 01:29:55 207.239.238.36 - WEBMAIL01 GET /scripts/..?%9v../winnt/system32/cmd.exe 403 - 01:29:55 207.239.238.36 - WEBMAIL01 GET /scripts/..?%qf../winnt/system32/cmd.exe 403 - 01:29:55 207.239.238.36 - WEBMAIL01 GET /scripts/..?%8s../winnt/system32/cmd.exe 403 - The interesting thing was that I wasn't seeing these "GET x" logged on the IIS boxes... I just ran a test. ----------------------------------------- GET x HTTP/1.1\r\n HTTP/1.1 400 Bad Request\r\n Server: Microsoft-IIS/4.0\r\n Date: Tue, 24 Jul 2001 15:27:46 GMT\r\n But nothing is logged. ------------------------------------------ GET /x HTTP/1.1\r\n HTTP/1.1 404 Object Not Found\r\n Server: Microsoft-IIS/4.0\r\n Date: Tue, 24 Jul 2001 15:28:18 GMT\r\n This one logs an error: 15:28:18 10.1.1.62 - WEBMAIL01 GET /x 404 - ------------------------------------------ I find that IIS logging leaves much to be desired... HTH -Gary- -----Original Message----- From: Greg Owen [mailto:gowenat_private] Sent: Monday, July 23, 2001 9:20 PM To: incidentsat_private Subject: GET x HTTP/1.0 Two of these showed up in my web server logs today: 202.100.68.22 - - [23/Jul/2001:11:58:37 -0400] "GET x HTTP/1.0" 400 328 202.99.64.113 - - [23/Jul/2001:17:23:44 -0400] "GET x HTTP/1.0" 400 328 inetnum 202.100.68.0 - 202.100.68.255 netname FEITIAN-INTERNET-COMPANY descr Feitian Internet Company descr Lanzhou,Gansu descr China country CN inetnum 202.99.64.0 - 202.99.127.255 netname CHINANET-TJ descr CHINANET Tianjin province network descr Data Communication Division descr China Telecom country CN A quick google search showed one other person wondering what it was and commenting they mostly seemed to be china, and a bunch of server logs that showed the same hit. Anybody know what this is? The source makes me wonder. -- gowen -- Greg Owen -- gowenat_private 79A7 4063 96B6 9974 86CA 3BEF 521C 860F 5A93 D66D ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Jul 24 2001 - 08:56:10 PDT