I get this every day. Usually in batches of 8 to 16 probes. Mostly from China, Korea (even 2 nights of a couple of hundred probes from an Asian IT university!) I figure it's a fact of life that anything attached to the big wide world is gonna get shot at.

Colin.

-----Original Message-----
From: John Sage [mailto:jsageat_private]
Sent: Thursday, 22 August 2002 4:01 p.m.
To: incidentsat_private
Subject: Re: Unicode worm?

Soeren, Keith:

On Wed, Aug 21, 2002 at 07:43:00PM +0200, Soeren Ziehe wrote:
> In article <51F912F2A6CDD111810A00600811BA42024D8BE9@TEA05> [21 Aug 02]
> Turner, Keith (Contractor) <TurnerL@tea-emh1.army.mil> wrote:
>
> > [08-21-2002 - 00:56:11] Client at x.x.x.x: URL normalization was
> > not complete after one pass. Request will be rejected. Site
> > Instance='1', Raw URL='/scripts/..%255c%255c../winnt/system32/cmd.exe'
>
> I'm seeing the same requests.

I've recently seen several single-payload packet probes of the form:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/11-02:27:44.357277 216.181.16.2:4723 -> 12.82.129.71:80
TCP TTL:110 TOS:0x0 ID:26376 IpLen:20 DgmLen:99 DF
***AP*** Seq: 0x36AEB784  Ack: 0x71FD0774  Win: 0x2238  TcpLen: 20
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25  GET /scripts/..%
35 63 25 35 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79  5c%5c../winnt/sy
73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F  stem32/cmd.exe?/
63 2B 64 69 72 0D 0A 69 72 0D 0A                 c+dir..ir..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

These have source IP's _not_ within my class B, or A; very quick, typically six to nine packets for the total transaction, and they're gone.

- John

--
"You are in a little maze of twisty passages, all different."
PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
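The two artifacts in this thread show the same probe at two encoding depths: the IIS log line carries `%255c` (the `%25` decodes to `%`, leaving `%5c`, which decodes to a backslash on a second pass, which is why IIS reports that normalization "was not complete after one pass"), while the Snort capture carries `%5c` directly. The following is an added example, not code from any of the posters, IIS or Snort: it rebuilds the request line from the Snort-style hex dump quoted above, decodes each URL repeatedly until it stops changing, and flags both the extra encoding layer and the `..` traversal that survives in the decoded path. The hex dump lines are the ones from the thread; the other request lines, the pass limit and the function names are constructed for the example.

```python
"""Normalization-depth and traversal check for the probe URLs in the thread.

Added example, not from the original posts or from IIS/Snort. SNORT_DUMP is
the packet payload John Sage quoted; the other samples are constructed.
"""
import re
from urllib.parse import unquote

MAX_PASSES = 4  # assumption: stop decoding after this many rounds
HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def payload_from_hexdump(dump_lines):
    """Rebuild payload bytes from Snort-style dump lines.

    Assumes Snort's layout: at most 16 two-digit hex bytes per line followed
    by the ASCII column. Parsing of a line stops at the first non-hex token.
    """
    out = bytearray()
    for line in dump_lines:
        for tok in line.split()[:16]:
            if not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def request_line(payload):
    """First CRLF-terminated line of an HTTP request payload, as text."""
    return payload.split(b"\r\n", 1)[0].decode("latin-1")


def normalize_passes(raw_url, max_passes=MAX_PASSES):
    """Percent-decode until the string stops changing.

    Returns (decoded, passes), where passes counts the decode rounds that
    changed something: 0 = nothing encoded, 1 = ordinary encoding,
    >1 = a second encoding layer (%255c -> %5c -> '\\'), the condition IIS
    logs as 'URL normalization was not complete after one pass'.
    """
    current, passes = raw_url, 0
    while passes < max_passes:
        decoded = unquote(current)
        if decoded == current:
            break
        current, passes = decoded, passes + 1
    return current, passes


def classify(raw_url):
    """Flag double encoding and '..' traversal in the fully decoded path."""
    decoded, passes = normalize_passes(raw_url)
    path = decoded.split("?", 1)[0]           # ignore the query string
    segments = path.replace("\\", "/").split("/")  # treat '\' like '/'
    return {
        "decoded": decoded,
        "passes": passes,
        "double_encoded": passes > 1,
        "traversal": ".." in segments,
    }


SNORT_DUMP = [  # payload lines of the packet quoted in the thread
    "47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%",
    "35 63 25 35 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 5c%5c../winnt/sy",
    "73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F stem32/cmd.exe?/",
    "63 2B 64 69 72 0D 0A 69 72 0D 0A c+dir..ir..",
]

SAMPLE_URLS = {  # constructed samples; "iis_log" is the URL from the quoted log line
    "benign": "/scripts/report.asp?id=5",
    "iis_log": "/scripts/..%255c%255c../winnt/system32/cmd.exe",
    "snort_packet": request_line(payload_from_hexdump(SNORT_DUMP)).split(" ")[1],
}


def report():
    """Classify every sample URL; returned so callers can assert on it."""
    return {name: classify(url) for name, url in SAMPLE_URLS.items()}


if __name__ == "__main__":
    for name, r in report().items():
        print(f"{name:13} passes={r['passes']} double_encoded={r['double_encoded']} "
              f"traversal={r['traversal']} -> {r['decoded']}")
```

Running it shows the benign request needing zero passes and no traversal, the Snort packet needing one pass but still producing a `..\\..` traversal, and the IIS log URL needing two passes, which is the signature a filter in front of IIS can key on regardless of which separator or encoding depth the next variant uses.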
This archive was generated by hypermail 2b30 : Wed Aug 21 2002 - 21:28:54 PDT