does anybody know such a log
Hello

our reverse proxy picked this up

1034211881.427 22 217.11.99.90 TCP_MISS/503 1166 GET http://www/scripts/..%c1%1c../winnt/system32/cmd.exe? - NONE/- -
1034211881.925 13 217.11.99.90 TCP_MISS/503 1166 GET http://www/scripts/..%c0%2f../winnt/system32/cmd.exe? - NONE/- -
1034211882.393 19 217.11.99.90 TCP_MISS/503 1166 GET http://www/scripts/..%c0%af../winnt/system32/cmd.exe? - NONE/- -
1034211882.852 10 217.11.99.90 TCP_MISS/503 1166 GET http://www/scripts/..%c1%9c../winnt/system32/cmd.exe? - NONE/- -
1034211883.297 5 217.11.99.90 TCP_MISS/503 1168 GET http://www/scripts/..%%35%63../winnt/system32/cmd.exe? - NONE/- -
1034211883.836 20 217.11.99.90 TCP_MISS/503 1164 GET http://www/scripts/..%%35c../winnt/system32/cmd.exe? - NONE/- -
1034211887.664 22 217.11.99.90 TCP_MISS/503 1172 GET http://www/scripts/..%25%35%63../winnt/system32/cmd.exe? - NONE/- -
1034211888.285 19 217.11.99.90 TCP_MISS/503 1164 GET http://www/scripts/..%252f../winnt/system32/cmd.exe? - NONE/- -
1034215688.223 16 217.11.99.90 TCP_MISS/503 1116 GET http://www/scripts/root.exe? - NONE/- -
1034215689.027 29 217.11.99.90 TCP_MISS/503 1112 GET http://www/MSADC/root.exe? - NONE/- -
1034215689.564 13 217.11.99.90 TCP_MISS/503 1132 GET http://www/c/winnt/system32/cmd.exe? - NONE/- -
1034215690.138 3 217.11.99.90 TCP_MISS/503 1132 GET http://www/d/winnt/system32/cmd.exe? - NONE/- -
1034215690.962 20 217.11.99.90 TCP_MISS/503 1164 GET http://www/scripts/..%255c../winnt/system32/cmd.exe? - NONE/- -
1034215691.552 27 217.11.99.90 TCP_MISS/503 1206 GET http://www/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe? - NONE/- -
1034215692.265 19 217.11.99.90 TCP_MISS/503 1206 GET http://www/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe? - NONE/- -
1034215693.017 10 217.11.99.90 TCP_MISS/503 1262 GET http://www/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/s

Is there some new IIS/Windows worm spreading?

Thanks,
Philipp
Either that, or some script kiddie is trying out one of the many exploits on your site... not smart enough to realize that he's not hitting an IIS server.

- Herman

On Fri, 11 Oct 2002 mailinglists@belfin.ch wrote:

> Hello
>
> our reverse proxy picked this up
>
> [...]
>
> Is there some new IIS/Windows worm spreading?
>
> Thanks,
> Philipp
On Fri, 11 Oct 2002 mailinglists@belfin.ch wrote:

> Hello
>
> our reverse proxy picked this up
>
> [typical Nimda Code Red stuff]
>
> Is there some new IIS/Windows worm spreading?
New? How deep have you been sleeping during the last 14 months? The requests you see are typical Code Red and Nimda requests.

http://www.google.de/search?q=msadc+Nimda&ie=UTF-8&oe=UTF-8&hl=de&btnG=Google-Suche&meta=

You might like to tell your proxy to block these, though the requests don't harm Apache.

Wolfgang

--
shconnect Internet Service
web: http://www.shconnect.de
EMail: info@shconnect.de
Bundesstrasse 2, 24392 Dollrottfeld, Fed. Rep. Germany
phone: +49 4641 644
If you check the time constraints between each attempted security circumvention scan, you will see that they are very close. Almost assuredly, it is from an automated vulnerability scanner. My guess would be that they probably are not using a Linux binary such as nessus, or ISS. Because they are obviously not educated enough to be able to determine a win32 system from a Linux box?! Figures!

None of the posted vulnerabilities are recent. Add them to hosts.deny and send an email to their ISP at registry@isp.iberbanda.es, ricardo.ponce@iberbanda.es, or maybe abuse@iberbanda.es.

HTH.

Thomas Jones
i-Null.com Network Administrator

On Thursday 10 October 2002 17:11, mailinglists@belfin.ch wrote:
> Hello
>
> our reverse proxy picked this up
>
> [...]
>
> Is there some new IIS/Windows worm spreading?
>
> Thanks,
> Philipp
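As an added example (not code from anyone in this thread), here is a small Python checker for Squid native access.log lines like the ones Philipp posted. It canonicalizes each request path the way an unpatched IIS decoder did (one pass folds the overlong UTF-8 forms such as %c0%af and %c1%1c, a second pass resolves the double-encoded %255c and %%35%63 forms), flags the cmd.exe/root.exe requests Wolfgang identifies as Code Red/Nimda traffic, and counts how tightly spaced one client's hits are, which is the timing check Thomas describes. The field layout, regexes and 5-second burst threshold are assumptions; the sample log reuses entries from the post plus one constructed benign line.

```python
import re
from urllib.parse import urlsplit
# Constructed sample in Squid native access.log layout, the format of the entries in the post
# (time elapsed client result/status bytes method url ident hierarchy type). The attack lines
# are copied from the post; the last line is a benign request added for contrast.
SAMPLE_LOG = """\
1034211881.427 22 217.11.99.90 TCP_MISS/503 1166 GET http://www/scripts/..%c1%1c../winnt/system32/cmd.exe? - NONE/- -
1034211881.925 13 217.11.99.90 TCP_MISS/503 1166 GET http://www/scripts/..%c0%2f../winnt/system32/cmd.exe? - NONE/- -
1034211882.393 19 217.11.99.90 TCP_MISS/503 1166 GET http://www/scripts/..%c0%af../winnt/system32/cmd.exe? - NONE/- -
1034211883.297 5 217.11.99.90 TCP_MISS/503 1168 GET http://www/scripts/..%%35%63../winnt/system32/cmd.exe? - NONE/- -
1034211888.285 19 217.11.99.90 TCP_MISS/503 1164 GET http://www/scripts/..%252f../winnt/system32/cmd.exe? - NONE/- -
1034215688.223 16 217.11.99.90 TCP_MISS/503 1116 GET http://www/scripts/root.exe? - NONE/- -
1034215700.000 40 192.0.2.10 TCP_HIT/200 5120 GET http://www/index.html - NONE/- text/html
"""
# Either a %Cx/%Dx lead byte followed by a second %XX, or a lone %XX.
PCT = re.compile(r"%([cCdD][0-9a-fA-F])%([0-9a-fA-F]{2})|%([0-9a-fA-F]{2})")
TARGETS = re.compile(r"/(cmd|root)\.exe\b", re.IGNORECASE)

def decode_once(s):
    # One decoding pass. A lead/trail pair is folded with the plain 2-byte UTF-8 formula
    # without rejecting overlong or malformed pairs, which is how an unpatched IIS turned
    # %c0%af into '/' and %c1%9c or %c1%1c into '\'.
    def fold(m):
        if m.group(3):
            return chr(int(m.group(3), 16))
        return chr(((int(m.group(1), 16) & 0x1F) << 6) | (int(m.group(2), 16) & 0x3F))
    return PCT.sub(fold, s)

def normalize(path):
    # A second pass resolves the double encodings (%255c, %%35%63, %252f); then one slash style.
    return decode_once(decode_once(path)).replace("\\", "/")

def is_iis_traversal(url):
    # Flag a request whose canonical path climbs with /../ or asks for cmd.exe / root.exe.
    norm = normalize(urlsplit(url).path or "/")
    return "/../" in norm or bool(TARGETS.search(norm))

def scan(log_text, burst_seconds=5.0):
    # Per client IP: number of flagged requests and how many consecutive flagged requests
    # arrived less than burst_seconds apart; tight spacing points to an automated scanner.
    hits = {}
    for f in (line.split() for line in log_text.splitlines()):
        if len(f) >= 7 and is_iis_traversal(f[6]):
            hits.setdefault(f[2], []).append(float(f[0]))
    return {ip: {"hits": len(ts), "close_gaps": sum(b - a < burst_seconds for a, b in zip(ts, ts[1:]))}
            for ip, ts in hits.items()}

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

On the sample this reports one client with 6 flagged requests, 4 of them arriving under 5 seconds after the previous one; the benign 192.0.2.10 request is not counted.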
participants (4): Herman L. Knief, mailinglists@belfin.ch, Thomas Jones, Wolfgang Kueter