Re: [logs] nimda web server logs

From: quentyn@fotango.com
Date: 06/13/02


Date: Thu, 13 Jun 2002 17:15:10 +0100
From: quentyn@fotango.com
To: "Jay D. Dyson" <jdyson@treachery.net>


"Jay D. Dyson" wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Tue, 11 Jun 2002, Sweth Chandramouli wrote:
>
> > > Here's what I'm seeing -- anyone have any information on this variant?
> > > /msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:\\*.cif/s/b
> > > /a.asp/..%c1%1c../..%c1%1c../winnt/repair/sam
> > > /a.asp/..%c1%9c../..%c1%9c../winnt/repair/sam
> > >
>

How many hits per IP? I have something similar but from only 1 IP with
2k+ alerts (across all our sites). I have just done some checking and
it appears to be very consistent with 709 connections per site (using
Apache logs rather than Snort logs for the connection attempts).

The same IP was also looking for a file called "galaxy_25684.26030", but I
don't see requests for *.cif at all. The number in the file name appears
to increment as well (both numbers).

I have also seen requests (from the same IP) for

 /adsamples/check.bat/..À¯..À¯..À¯winnt/system32/cmd.exe

Curious.

Looking in the denied packet logs I also see loads of denied connection
attempts from this IP at the same time to port 80 on our whole range (i.e.
scanning for web servers), as well as 2 NetBIOS requests 7 hrs later.

Q

-- 
#####################
Quentyn Taylor
Sysadmin - Fotango
#####################
and you're going to burn in hell. The other is that sex is the most
awful, filthy thing on earth. And you should save it for someone you
love.
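Quentyn's question above ("how many hits per IP?") and the encoded request paths quoted in the thread are exactly what a log-side check has to answer. The Python script below is an added example, not code from the original thread or from SecurityFocus: it parses Apache common-format lines, percent-decodes each request path repeatedly (so %255c becomes %5c and then a backslash), emulates the flawed overlong-UTF-8 decoding that turned %c0%af and %c1%9c into "/" and "\", flags traversal and the cmd.exe / repair\sam targets, and tallies hits per source IP. The log lines, IP addresses, timestamps and flag names are constructed for the example; the request paths are modelled on the ones quoted in the thread, and one line carries the raw 0xC0 0xAF bytes as they appear in a log written without percent-encoding.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed sample log lines (Apache common log format); not from the original post.
# The request paths mirror the ones quoted in the thread; IPs are documentation ranges.
SAMPLE_LOG = [
    r'192.0.2.10 - - [13/Jun/2002:09:01:02 +0100] "GET /msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:\\*.cif/s/b HTTP/1.0" 404 211',
    r'192.0.2.10 - - [13/Jun/2002:09:01:03 +0100] "GET /a.asp/..%c1%1c../..%c1%1c../winnt/repair/sam HTTP/1.0" 404 211',
    # Raw 0xC0 0xAF bytes logged verbatim (what shows up as "À¯" when viewed as Latin-1).
    '192.0.2.10 - - [13/Jun/2002:09:01:04 +0100] "GET /adsamples/check.bat/..\xc0\xaf..\xc0\xaf..\xc0\xafwinnt/system32/cmd.exe HTTP/1.0" 404 211',
    r'192.0.2.10 - - [13/Jun/2002:09:01:05 +0100] "GET /galaxy_25684.26030 HTTP/1.0" 404 211',
    r'198.51.100.7 - - [13/Jun/2002:09:02:00 +0100] "GET /index.html HTTP/1.1" 200 1043',
    r'198.51.100.7 - - [13/Jun/2002:09:02:01 +0100] "GET /images/logo.gif HTTP/1.1" 200 5120',
]

# Apache common log format: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# ".." delimited by either slash or backslash, after normalisation
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
# Targets named in the thread: the command shell and the SAM backup
SENSITIVE_RE = re.compile(r'winnt[\\/](system32[\\/]cmd\.exe|repair[\\/]sam)', re.I)

# 0xC0 and 0xC1 can never lead a valid UTF-8 sequence: any two-byte form they start
# is an "overlong" encoding of a 7-bit character (0xC0 0xAF -> '/', 0xC1 0x9C -> '\').
OVERLONG_LEAD = {0xC0, 0xC1}


def decode_overlong(data: bytes) -> tuple[bytes, bool]:
    """Collapse C0/C1-led pairs to the ASCII byte they encode, the way the flawed
    decoder did. A conforming decoder rejects them; emulating the lenient decode is
    what lets the detector see the separator the request was trying to smuggle."""
    out = bytearray()
    found = False
    i = 0
    while i < len(data):
        b = data[i]
        if b in OVERLONG_LEAD and i + 1 < len(data):
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            found = True
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out), found


def normalise_path(raw: str, max_rounds: int = 3) -> tuple[str, set[str]]:
    """Percent-decode until stable (catches %255c -> %5c -> '\\') and fold overlong
    UTF-8; return the normalised path plus the encoding tricks that were needed."""
    flags: set[str] = set()
    current = raw
    for rnd in range(max_rounds):
        # latin-1 keeps raw high bytes from the log byte-for-byte and never raises
        decoded = unquote_to_bytes(current.encode("latin-1", "replace"))
        decoded, overlong = decode_overlong(decoded)
        text = decoded.decode("latin-1")
        if text == current:
            break  # nothing left to decode
        if overlong:
            flags.add("overlong-utf8")
        if rnd > 0:
            flags.add("double-encoding")  # a second round changed something
        current = text
    return current, flags


def classify(raw_path: str) -> list[str]:
    """Return the sorted list of findings for one request path ([] if it looks benign)."""
    norm, flags = normalise_path(raw_path)
    if TRAVERSAL_RE.search(norm):
        flags.add("traversal")
    if SENSITIVE_RE.search(norm):
        flags.add("sensitive-target")
    return sorted(flags)


def summarise(lines: list[str]) -> dict[str, dict]:
    """Per-source-IP tally: total hits, suspicious hits, and which findings appeared."""
    report: dict[str, dict] = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a common-format line; skip rather than guess
        entry = report.setdefault(m["ip"], {"hits": 0, "suspicious": 0, "flags": Counter()})
        entry["hits"] += 1
        flags = classify(m["path"])
        if flags:
            entry["suspicious"] += 1
            entry["flags"].update(flags)
    return report


if __name__ == "__main__":
    for ip, entry in sorted(summarise(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["suspicious"]):
        print(f"{ip:<16} hits={entry['hits']:<4} suspicious={entry['suspicious']:<4} {dict(entry['flags'])}")
```

Two design points worth noting: the decode loop stops as soon as a round changes nothing, so a path that legitimately contains "%25" is flagged as double-encoded only if the second decode actually produces something new, and the overlong fold is applied deliberately as an emulation of the broken decoder rather than as a correct UTF-8 decode, because matching on the raw bytes alone would miss the "/" and "\" the request resolves to on the vulnerable server.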

---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com


