On Thu, 30 Aug 2001, ^^ sang sang wrote:

> 1. traced for ip address

What do you mean by this? You did a traceroute to the attacker, or you're seeing something else?

<snip>

> 2001-08-27 01:41:39 210.92.26.120 – X.X.X.X GET /scripts/root.exe
> /c+dir+c:\ 404 -
> 2001-08-27 01:41:39 210.92.26.120 – X.X.X>.X 80 GET
> /c/winnt/system32/cmd.exe /c+dir+c:\ 404 -
> 2001-08-27 01:41:39 210.92.26.120 – X.X.X.X 80 GET
> /d/winnt/system32/cmd.exe /c+dir+c:\ 404 -
> 2001-08-27 01:41:39 210.92.26.120 – X.X.X.X 80 GET /msadc/root.exe
> /c+dir+c:\ 404 -
> 2001-08-27 01:41:39 210.92.26.120 – X.X.X.X 80 GET
> /c/inetpub/scripts/root.exe /c+dir+c:\ 404 -
> 2001-08-27 01:41:39 210.92.26.120 – X.X.X.X80 GET
> /d/inetpub/scripts/cmd.exe /c+dir+c:\ 404 -

There are lots of scripts that try these variations. Some of these are probably Unicode attempts. Those have been going on forever. The root.exe ones are probably looking for CodeRed II infected boxes, or boxes that were broken into previously.

> 2001-08-27 01:41:39 210.92.26.120 – X.X.X.X 80 GET /x.ida
> VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV=X
> 200 -

Note that this one isn't long enough to set off the overflow... but it will check if you are vulnerable.

Well, assuming it was a valid request, it would. There should be a ? after the /x.ida, but you've got a space.

In any case, there's not quite enough information here to suggest a new worm yet.

Ryan

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
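As an added illustration of the triage Ryan is doing by eye (not code from the list or from either poster), the following script tags IIS log lines for the three probe families in the thread: root.exe backdoor checks, cmd.exe traversal variations, and .ida requests whose filler length tells you whether it is a bare vulnerability check. The log lines, addresses and the field layout are constructed to mirror the quoted format and are not real observations.

```python
"""Tag IIS W3C-style log lines for the probes discussed in the thread."""
import re
from collections import Counter

# Constructed sample log in the layout quoted above (date time c-ip - s-ip port
# method uri query status); RFC 5737 documentation addresses, not real hosts.
SAMPLE_LOG = """\
2001-08-27 01:41:39 203.0.113.7 - 192.0.2.10 80 GET /scripts/root.exe /c+dir+c:\\ 404 -
2001-08-27 01:41:39 203.0.113.7 - 192.0.2.10 80 GET /c/winnt/system32/cmd.exe /c+dir+c:\\ 404 -
2001-08-27 01:41:39 203.0.113.7 - 192.0.2.10 80 GET /msadc/root.exe /c+dir+c:\\ 404 -
2001-08-27 01:41:39 203.0.113.7 - 192.0.2.10 80 GET /x.ida VVVVVVVVVVVVVVVVVVVV=X 200 -
2001-08-27 01:42:01 198.51.100.3 - 192.0.2.10 80 GET /index.html - 200 -
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<cip>\S+) \S+ (?P<sip>\S+) (?P<port>\d+) "
    r"(?P<method>\S+) (?P<uri>\S+) (?P<query>\S+) (?P<status>\d{3})"
)


def classify(line):
    """Return the tags that apply to one log line ([] if none or unparseable)."""
    m = LINE_RE.match(line)
    if not m:
        return []
    uri, query = m.group("uri").lower(), m.group("query")
    tags = []
    if uri.endswith("/root.exe"):
        tags.append("root.exe-backdoor-check")   # CodeRed II / previously owned hosts
    if uri.endswith("/cmd.exe"):
        tags.append("cmd.exe-traversal")          # Unicode / decode-style path variations
    if "+dir+" in query.lower():
        tags.append("dir-listing-command")        # the /c+dir+c:\ payload in the thread
    if uri.endswith(".ida") and query.endswith("=X"):
        # IIS splits stem and query on '?'; the filler length separates a
        # short "are you vulnerable" check from an actual overflow attempt.
        tags.append(f"ida-probe(len={len(query)})")
    return tags


def summarize(log_text):
    """Map each client IP to a Counter of the tags seen on its requests."""
    per_ip = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        tags = classify(line)
        if m and tags:
            per_ip.setdefault(m.group("cip"), Counter()).update(tags)
    return per_ip


if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE_LOG).items():
        print(ip, dict(counts))
```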
This archive was generated by hypermail 2b30 : Sat Sep 01 2001 - 11:02:07 PDT