Message-ID: <90D75D20C42AD6118FB60060970F698C040C22@CAVERN>
From: Jonathan Hutchins <hutchins@opus1.com>
Subject: Web Server Scans
Date: Sat, 6 Jul 2002 18:55:55 -0500

I'm getting hit by wave after wave of requests on my web server for what are
obviously known compromises, mostly on IIS servers. I'll get about thirteen
requests from one IP, then the same thirteen files from another. These are
the files they're looking for:
/scripts/root.exe
/MSADC/root.exe
/c/winnt/system32/cmd.exe
/d/winnt/system32/cmd.exe
/scripts/..%5c../winnt/system32/cmd.exe
/vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
/msadc/..%5c../..%5c../..%5c/..Á^\../..Á^\../..Á^\../winnt/system32/cmd.exe
/scripts/..Á^\../winnt/system32/cmd.exe
/scripts/..À¯../winnt/system32/cmd.exe
/scripts/..Á<9C>../winnt/system32/cmd.exe
/scripts/..%5c../winnt/system32/cmd.exe
/..%2f../winnt/system32/cmd.exe
I wonder if this is a common kiddie script, or a distributed attack coming
from infected servers?
Anything one can do about it? Worst it's doing to me is cluttering up my
logs...
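
An added example, not part of the original message: one way to pull this probe traffic out of an access log and group it by source address, so the remaining log stays readable. It assumes Common Log Format; the log lines are constructed (documentation IP addresses), and the two target file names come from the paths listed in the post.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Client address and request path of a Common Log Format entry (assumed format).
CLF = re.compile(rb'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|HEAD|POST) (\S+)')

# File names requested by every path listed in the post.
TARGETS = (b"/root.exe", b"/cmd.exe")


def is_probe(raw_path: bytes) -> bool:
    """True if the request path ends in one of the IIS targets from the post."""
    path = raw_path.split(b"?", 1)[0]  # ignore any query string
    # Decode %xx twice so an encoded or double-encoded file name still matches.
    path = unquote_to_bytes(unquote_to_bytes(path)).lower()
    return path.endswith(TARGETS)


def split_log(lines):
    """Return (probe paths grouped by client IP, all other log lines)."""
    probes = defaultdict(list)
    other = []
    for line in lines:
        m = CLF.match(line)
        if m and is_probe(m.group(2)):
            probes[m.group(1).decode("ascii", "replace")].append(m.group(2))
        else:
            other.append(line)
    return dict(probes), other


# Constructed sample entries; lines are bytes because the probes carry raw
# non-ASCII bytes that are not valid text in any single encoding.
SAMPLE_LOG = [
    b'192.0.2.10 - - [06/Jul/2002:18:01:02 -0500] "GET /scripts/root.exe HTTP/1.0" 404 276',
    b'192.0.2.10 - - [06/Jul/2002:18:01:03 -0500] "GET /scripts/..%5c../winnt/system32/cmd.exe HTTP/1.0" 404 290',
    b'192.0.2.10 - - [06/Jul/2002:18:01:04 -0500] "GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe HTTP/1.0" 404 290',
    b'198.51.100.7 - - [06/Jul/2002:18:05:11 -0500] "GET /MSADC/root.exe HTTP/1.0" 404 274',
    b'203.0.113.5 - - [06/Jul/2002:18:06:00 -0500] "GET /index.html HTTP/1.0" 200 1043',
]

if __name__ == "__main__":
    by_ip, rest = split_log(SAMPLE_LOG)
    for ip, paths in sorted(by_ip.items()):
        print(f"{ip}: {len(paths)} probe requests")
    print(f"{len(rest)} other log lines kept")
```

Sources that each request the same set of targets within a few seconds show up as separate keys with near-identical path lists, which is the pattern described in the message.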