Re: [logs] nimda web server logs

From: quentynat_private
Date: Thu Jun 13 2002 - 09:15:10 PDT

  • Next message: Baklarz, Ron: "RE: [logs] nimda web server logs"

    "Jay D. Dyson" wrote:
    > 
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    > 
    > On Tue, 11 Jun 2002, Sweth Chandramouli wrote:
    > 
    > > > Here's what I'm seeing -- anyone have any information on this variant?
    > > > /msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:\\*.cif/s/b
    > > > /a.asp/..%c1%1c../..%c1%1c../winnt/repair/sam
    > > > /a.asp/..%c1%9c../..%c1%9c../winnt/repair/sam
    > > >
    >
    
    how many hits per IP ? I have something similar but from only 1 IP with
    2k + alerts (across all our sites) - I have just dome some checking and
    it appears to be very consistent with 709 connections per site ( using
    apache logs rather then snort logs for the connection attempts).
    
    same IP was also looking for a file called "galaxy_25684.26030" but I
    don't see requests for *.cif at all. The number in the file name appears
    to increment as well ( both numbers).
    
    I have also seen requests for (from the same IP) 
    
     /adsamples/check.bat/..À¯..À¯..À¯winnt/system32/cmd.exe
    
    curious,
    
    looking in the denied packet logs I also see loads of denied connection
    attempts from this IP at the same time to port 80 on our whole range (ie
    scanning for web servers) as well as 2 netbios requests 7hrs later.... 
    
    
    Q
    
    -- 
    #####################
    Quentyn Taylor
    Sysadmin - Fotango
    #####################
    and you're going to burn in hell. The other is that sex is the most
    awful, filthy thing on earth. And you should save it for someone you
    love.
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Thu Jun 13 2002 - 14:01:36 PDT