Someone looking for CodeRed infected boxes?

From: Maxime Ducharme (maxime@pandore-design.com)
Date: Wed Jun 26 2002 - 07:18:36 PDT


    Hi,
        I just noticed some CodeRed-like attacks on our web server
    which seem to have more headers:
    
    1.
    2002-06-26 09:14:15 212.179.220.111 - 192.168.100.2 80 GET /winnt/system32/cmd.exe /c+dir+c:\ 404 2526 206 0 HTTP/1.1 65.94.25.135 - - -
    2002-06-26 09:14:15 212.179.220.111 - 192.168.100.2 80 GET /scripts/.%2e/.%2e/winnt/system32/cmd.exe /c+dir+c:\ 404 2526 209 0 HTTP/1.1 65.94.25.135 - - -
    
    Sent packet shows:
    
    GET /scripts/.%2e/.%2e/winnt/system32/cmd.exe?/c+dir+c:\ c:\ HTTP/1.1
    Host: 65.94.25.135
    Connection: keep-alive
    Accept: */*
    X-Forwarded-For: 212.179.220.111
    Via: 1.1 proxy2 (NetCache NetApp/5.2.1R1D3)
    
    
    The proxy is relaying itself? Not much sense.
    The worm generated the header on the fly?
    
    
    
    2.
    2002-06-26 03:00:38 80.15.26.241 - 192.168.100.2 80 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 404 2526 394 0 HTTP/1.1 65.94.25.135 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+KITV4.7+Wanadoo) - -
    
    This one has a User-Agent in it; would it be someone scanning for CodeRed /
    Nimda infected boxes?
    
    I have not seen any with Proxy or User-Agent headers yet; maybe I'm just not
    well informed ;-)
    
    Thanks for any tip
    
    ---------------------------------------------------------------
      Maxime Ducharme
      Network administrator, Programmer
      E-Mail : maxime@pandore-design.com
      PGP public key : http://pandore-design.com/pgp/maxime.asc
      Pandore-Design [http://www.pandore-design.com]
      Tel : (866) 961-9321
      Fax : (866) 961-9943
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
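The log entries quoted above are IIS W3C extended log lines carrying Nimda/CodeRed II-style probes: the `cs-uri-stem` hides a `..` traversal behind `%2e` or `%5c` encoding and ends in `cmd.exe`, and `cs-uri-query` is the shell command (`+` stands for a space, so `/c+dir+c:\` is `/c dir c:\`). The following is an added example, not code from the original post, that parses such lines, decodes and normalizes the path, flags the probes, and reports per client whether the requests carried a User-Agent (the poster's observation that worm traffic had none is treated here only as a heuristic, not a rule). The column order `FIELDS` is an assumption, since the post does not include the `#Fields:` header; the sample lines are the three entries from the post plus one constructed benign request.

```python
import re
from urllib.parse import unquote

# Assumed W3C extended field order for the poster's IIS log. The #Fields:
# header is not in the post; this order matches the 18 columns shown there.
FIELDS = [
    "date", "time", "c-ip", "cs-username", "s-ip", "s-port", "cs-method",
    "cs-uri-stem", "cs-uri-query", "sc-status", "sc-bytes", "cs-bytes",
    "time-taken", "cs-version", "cs-host", "cs(User-Agent)", "cs(Cookie)",
    "cs(Referer)",
]

# Sample log: the three entries quoted in the post, plus one constructed
# benign request so the filter has something to ignore.
SAMPLE_LOG = """\
2002-06-26 09:14:15 212.179.220.111 - 192.168.100.2 80 GET /winnt/system32/cmd.exe /c+dir+c:\\ 404 2526 206 0 HTTP/1.1 65.94.25.135 - - -
2002-06-26 09:14:15 212.179.220.111 - 192.168.100.2 80 GET /scripts/.%2e/.%2e/winnt/system32/cmd.exe /c+dir+c:\\ 404 2526 209 0 HTTP/1.1 65.94.25.135 - - -
2002-06-26 03:00:38 80.15.26.241 - 192.168.100.2 80 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\\ 404 2526 394 0 HTTP/1.1 65.94.25.135 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+KITV4.7+Wanadoo) - -
2002-06-26 10:02:01 10.1.2.3 - 192.168.100.2 80 GET /index.html - 200 1024 180 0 HTTP/1.1 65.94.25.135 Mozilla/4.0+(compatible;+MSIE+6.0) - -
"""

# Request targets that mark a CodeRed II / Nimda command-execution probe.
PROBE_RE = re.compile(r"/(cmd|root)\.exe$")


def parse_line(line):
    """Split one W3C log line into a dict; None if the column count is off."""
    parts = line.rstrip("\n").split(" ")
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    # IIS logs spaces inside a field as '+', visible in the User-Agent column.
    rec["cs(User-Agent)"] = rec["cs(User-Agent)"].replace("+", " ")
    return rec


def normalize_path(stem):
    """URL-decode repeatedly (catches %252e double encoding), fold '\\' to '/',
    lowercase: '/scripts/..%5c..%5cwinnt/...' -> '/scripts/../../winnt/...'."""
    prev, cur = None, stem
    while cur != prev:
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/").lower()


def classify(rec):
    """Decode the request and describe what the client was trying to do."""
    path = normalize_path(rec["cs-uri-stem"])
    query = rec["cs-uri-query"]
    ua = rec["cs(User-Agent)"]
    return {
        "client": rec["c-ip"],
        "path": path,
        # '+' is a space in the query, so '/c+dir+c:\' is the shell command '/c dir c:\'.
        "command": "" if query == "-" else query.replace("+", " "),
        "probe": bool(PROBE_RE.search(path)),
        "traversal": "/../" in path,
        "user_agent": None if ua == "-" else ua,
        "status": int(rec["sc-status"]),
    }


def scan(log_text):
    """Return the classified records for every cmd.exe/root.exe probe."""
    findings = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = parse_line(line)
        if rec is not None:
            finding = classify(rec)
            if finding["probe"]:
                findings.append(finding)
    return findings


def summarize(findings):
    """Per-client counts: probes, how many used traversal, how many sent a UA.
    A probe with no User-Agent is only a hint (the poster's observation), not proof of a worm."""
    summary = {}
    for f in findings:
        s = summary.setdefault(f["client"], {"probes": 0, "traversal": 0, "with_user_agent": 0})
        s["probes"] += 1
        s["traversal"] += int(f["traversal"])
        s["with_user_agent"] += int(f["user_agent"] is not None)
    return summary


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["client"], f["path"], repr(f["command"]), f["user_agent"])
    print(summarize(scan(SAMPLE_LOG)))
```

Running it on the sample log yields three probes from two clients: 212.179.220.111 sent two requests with no User-Agent (one of them using `.%2e/.%2e` traversal) and 80.15.26.241 sent one `..%5c..%5c` request with an MSIE User-Agent. Both the `%2e` and the `%5c` variants normalize to the same `/scripts/../../winnt/system32/cmd.exe`, which is why decoding before matching matters: a signature on the raw `cs-uri-stem` would need one pattern per encoding. The `Via` and `X-Forwarded-For` headers seen in the packet capture are not in the W3C log at all, so they cannot be used here without an extra logging field or a packet capture.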



    This archive was generated by hypermail 2b30 : Wed Jun 26 2002 - 17:49:44 PDT