Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Security Incidents mailing list archives

Re: Someone looking for CodeRed infected boxes ?
From: Cliff Albert <cliff () oisec net>
Date: Thu, 27 Jun 2002 08:20:44 +0200
On Wed, Jun 26, 2002 at 10:18:36AM -0400, Maxime Ducharme wrote:


2002-06-26 09:14:15 212.179.220.111 - 192.168.100.2 80 GET
/winnt/system32/cmd.exe /c+dir+c:\ 404 2526 206 0 HTTP/1.1
65.94.25.135 - - -
2002-06-26 09:14:15 212.179.220.111 - 192.168.100.2 80 GET
/scripts/.%2e/.%2e/winnt/system32/cmd.exe /c+dir+c:\ 404 2526 209 0 HTTP/1.1
65.94.25.135 - - -

Sent packet show :

GET /scripts/.%2e/.%2e/winnt/system32/cmd.exe?/c+dir+c:\ c:\ HTTP/1.1
Host: 65.94.25.135
Connection: keep-alive
Accept: */*
X-Forwarded-For: 212.179.220.111
Via: 1.1 proxy2 (NetCache NetApp/5.2.1R1D3)

The proxy is relaying itself ? not much sense
The worm generated header on-the-fly ?


The NetCache proxyserver is a Hardware-base proxyserver from NetApp
which usually runs in transparent mode. Thus also proxying nimda/codered
runs.

-- 
Cliff Albert            | RIPE:      CA3348-RIPE | http://oisec.net/
cliff () oisec net              | 6BONE:     CA2-6BONE   |

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]