RE: Unicode worm?

From: Larsen, Colin (colin.larsen@nz.unisys.com)
Date: 08/22/02


From: "Larsen, Colin" <colin.larsen@nz.unisys.com>
To: "'incidents@securityfocus.com'" <incidents@securityfocus.com>
Date: Thu, 22 Aug 2002 14:26:50 +1000

I get this every day. Usually in batches of 8 to 16 probes. Mostly from
China, Korea (even 2 nights of a couple of hundred probes from an Asian IT
university!) I figure it's a fact of life that anything attached to the big
wide world is gonna get shot at.

Colin.

-----Original Message-----
From: John Sage [mailto:jsage@finchhaven.com]
Sent: Thursday, 22 August 2002 4:01 p.m.
To: incidents@securityfocus.com
Subject: Re: Unicode worm?

Soeren, Keith:

On Wed, Aug 21, 2002 at 07:43:00PM +0200, Soeren Ziehe wrote:
> In article <51F912F2A6CDD111810A00600811BA42024D8BE9@TEA05> [21 Aug 02]
> Turner, Keith (Contractor) <TurnerL@tea-emh1.army.mil> wrote:
>
> > [08-21-2002 - 00:56:11] Client at x.x.x.x: URL normalization was
> > not complete after one pass. Request will be rejected. Site
> > Instance='1', Raw URL='/scripts/..%255c%255c../winnt/system32/cmd.e
> > xe'
>
> I'm seeing the same requests.

I've recently seen several single-payload packet probes of the form:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

 08/11-02:27:44.357277 216.181.16.2:4723 -> 12.82.129.71:80
TCP TTL:110 TOS:0x0 ID:26376 IpLen:20 DgmLen:99 DF
***AP*** Seq: 0x36AEB784 Ack: 0x71FD0774 Win: 0x2238 TcpLen: 20
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
35 63 25 35 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 5c%5c../winnt/sy
73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F stem32/cmd.exe?/
63 2B 64 69 72 0D 0A 69 72 0D 0A c+dir..ir..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

These have source IPs _not_ within my class B, or A; very quick,
typically six to nine packets for the total transaction, and they're gone.

- John

-- 
"You are in a little maze of twisty passages, all different."

PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705
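The two probes quoted in this thread differ only in encoding depth: Keith's IIS log shows `%255c`, which decodes to `%5c` and then again to a backslash (hence "URL normalization was not complete after one pass"), while John's packet capture shows the single-encoded `%5c` form with the `?/c+dir` argument. The following is an added example (not code from any of the posts) that reproduces that multi-pass normalization check and runs it over constructed IIS-style log lines built from the URLs quoted above; the log format, the field name `Raw URL=` and the 192.0.2.x client addresses are assumptions for the sample data.

```python
"""Flag double-encoded directory-traversal probes (the IIS "Unicode" /
"double decode" pattern discussed in this thread) in request URLs and in
IIS-style log lines.

Added example for this thread, not code from any of the posts. The sample
log lines at the bottom are constructed from the URLs quoted in the thread.
"""
import re
from urllib.parse import unquote

MAX_DECODE_PASSES = 4

# After decoding, ".." between path separators is a traversal attempt.
# IIS treats backslash like forward slash, so normalize_url() maps it first.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")
# The payload in the thread requests cmd.exe, optionally followed by a query.
CMD_RE = re.compile(r"/cmd\.exe(\?|$)", re.IGNORECASE)
# Field layout assumed from the IIS message quoted in the thread.
IIS_RAW_URL_RE = re.compile(r"Raw URL='([^']*)'")


def normalize_url(raw_url, max_passes=MAX_DECODE_PASSES):
    """Percent-decode until the string stops changing.

    Returns (decoded_path, passes), where `passes` counts decode passes
    that changed the string.  A legitimately encoded URL needs at most one;
    a second effective pass is what IIS reports as "URL normalization was
    not complete after one pass" (%255c -> %5c -> backslash).
    """
    current = raw_url
    passes = 0
    for _ in range(max_passes):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
        passes += 1
    return current.replace("\\", "/"), passes


def classify_request(raw_url):
    """Describe why (if at all) a request URL looks like a traversal probe."""
    decoded, passes = normalize_url(raw_url)
    reasons = []
    if passes > 1:
        reasons.append("double-encoded: %d decode passes changed the URL" % passes)
    if TRAVERSAL_RE.search(decoded):
        reasons.append("directory traversal after decoding")
    if CMD_RE.search(decoded):
        reasons.append("requests cmd.exe")
    return {
        "raw": raw_url,
        "decoded": decoded,
        "passes": passes,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


def scan_iis_log(lines):
    """Return classify_request() results for every suspicious 'Raw URL=' found."""
    hits = []
    for line in lines:
        match = IIS_RAW_URL_RE.search(line)
        if match:
            result = classify_request(match.group(1))
            if result["suspicious"]:
                hits.append(result)
    return hits


# Constructed sample log lines modelled on the IIS message quoted in the thread;
# the client addresses are documentation-range placeholders.
SAMPLE_IIS_LOG = [
    "[08-21-2002 - 00:56:11] Client at 192.0.2.10: URL normalization was not "
    "complete after one pass. Request will be rejected. Site Instance='1', "
    "Raw URL='/scripts/..%255c%255c../winnt/system32/cmd.exe'",
    "[08-21-2002 - 00:57:02] Client at 192.0.2.11: "
    "Raw URL='/scripts/..%5c%5c../winnt/system32/cmd.exe?/c+dir'",
    "[08-21-2002 - 00:58:30] Client at 192.0.2.12: "
    "Raw URL='/docs/quarterly%20report.html'",
]

if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_IIS_LOG):
        print(hit["raw"])
        print("   ->", hit["decoded"])
        for reason in hit["reasons"]:
            print("   *", reason)
```

The benign third sample line decodes in one pass and carries neither a `..` segment nor `cmd.exe`, so it is not reported; the two probe lines are, with the `%255c` variant additionally flagged for needing a second decode pass. Stopping after a fixed number of passes keeps the decoder from looping on pathological input.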

---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

