Security Incidents mailing list archives
Question
From: "Hill, James" <jhill () sanitorsinc com>
Date: Tue, 4 Sep 2001 10:10:00 -0500
I have been getting this on the two web servers I run internally (Apache
using Jakarta). After a long weekend I came in and started reading my logs,
and noticed almost identical information on both web servers. My question
is: is this a tool (script) doing this, and is it something that is doing
mass scans?
JH
--->LOG
2001-09-03 11:11:07 - Ctx( ): 404 R( + /C:/temp/\../ + null) null
2001-09-03 11:11:07 - Ctx( ): 404 R( + /usr/bin/FlagShip_c + null) null
2001-09-03 11:11:07 - Ctx( ): 404 R( + /cgi-bin/bb-rep.sh + null) null
2001-09-03 11:11:07 - Ctx( ): 404 R( + /Sites/Knowledge/Membership/Inspiredtutorial/ViewCode.asp + null) null
2001-09-03 11:11:07 - Ctx( ): 404 R( + /WCB/databases/instructors.passwd + null) null
2001-09-03 11:11:07 - Ctx( ): 404 R( + /perl/files.pl + null) null
2001-09-03 11:11:07 - Ctx( ): 404 R( + /usr/bin/FSserial + null) null
2001-09-03 11:11:07 - Ctx( ): 404 R( + /Sites/Knowledge/Membership/Inspired/ViewCode.asp + null) null
2001-09-03 11:11:07 - Ctx( ): 404 R( + /_vti_pvt/users.pwd + null) null
2001-09-03 11:11:07 - Ctx( ): 404 R( + SnapStream + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /usr/bin/FSserial + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /..?»../..?»../cmd1.exe + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /Sites/Knowledge/Membership/Inspired/ViewCode.asp + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /..\..\..\..\..\autoexec.bat + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/replicator/webpage.cgi/ + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /scripts/tradecli.dll + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/cart.pl + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/cartmanager.cgi + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /cfdocs/exampleapp/publish/admin/addcontent.cfm + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/websync.exe + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/ezshopper3/loadpage.cgi + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/cvsweb.cgi + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /interscan/cgi-bin/HttpSaveCSP.dll + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/..%5c..%5c/..%5c..%5c/winnt/system32/cmd.exe + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/cvsweb.cgi + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/bb-rep.sh + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /..?»../..?»../cmd.exe + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /interscan/cgi-bin/HttpSaveCSP.dll + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /4DBin/_/C:/winnt/repair/sam._ + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /cgi-bin/..%5c..%5c/..%5c..%5c/winnt/system32/cmd.exe + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /..\..\..\..\..\autoexec.bat + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /cgi-bin/bb-hostsvc.sh + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /..?»../..?»../cmd.exe + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /iisadmpwd/..%5c..%5c/..%5c..%5c/winnt/system32/cmd.exe + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /..\..\..\boot.ini + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /cgi-bin/bb-hostsvc.sh + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /iisadmpwd/sensepost.exe + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /cgi-bin/webspirs.cgi + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /cgi-bin/a1stats/a1disp2.cgi + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /iisadmpwd/..%5c..%5c/..%5c..%5c/winnt/system32/cmd.exe + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /..\..\..\boot.ini + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /cgi-bin/bb-histlog.sh + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /cgi-bin/webspirs.cgi + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /cgi-bin/a1stats/a1disp4.cgi + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /_vti_bin/..%5c..%5c/..%5c..%5c/winnt/system32/cmd.exe + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /../../../boot.ini + null) null
2001-09-03 11:11:10 - Ctx( ): 404 R( + /cgi-bin/bb-histlog.sh + null) null
2001-09-03 11:11:10 - Ctx( ): 404 R( + /scripts/passwd.txt .pl + null) null
2001-09-03 11:11:10 - Ctx( ): 404 R( + /cgi-bin/lister + null) null
2001-09-03 11:11:10 - Ctx( ): 404 R( + /doc/packages/ + null) null
2001-09-03 11:11:10 - Ctx( ): 404 R( + /cgi-bin/a1stats/a1disp4.cgi + null) null
2001-09-03 11:11:10 - Ctx( ): 404 R( + /iisadmpwd/sensepost.exe + null) null
2001-09-03 11:11:10 - Ctx( ): 404 R( + /cgi-bin/bb-hist.sh + null) null
2001-09-03 11:11:10 - Ctx( ): 404 R( + /cgi-bin/a1stats/a1disp3.cgi + null) null
2001-09-03 11:11:10 - Ctx( ): 404 R( + /iisadmpwd/cmd1.exe + null) null
2001-09-03 11:11:10 - Ctx( ): 404 R( + /cgi-bin/bb-hist.sh + null) null
2001-09-03 11:11:11 - Ctx( ): 404 R( + /_vti_bin/..%5c..%5c/..%5c..%5c/winnt/system32/cmd.exe + null) null
2001-09-03 11:11:11 - Ctx( ): 404 R( + /../../../boot.ini + null) null
2001-09-03 11:11:11 - Ctx( ): 404 R( + /cgi-bin/a1stats/a1disp3.cgi + null) null
2001-09-03 11:11:11 - Ctx( ): 404 R( + /iisadmpwd/cmd1.exe + null) null
2001-09-03 11:11:11 - Ctx( ): 404 R( + /msadc/..%5c..%5c/..%5c..%5c/winnt/system32/cmd.exe + null) null
2001-09-03 11:11:12 - ContextManager: SocketException reading request, ignored - java.net.SocketException: Connection reset by peer: JVM_recv in socket input stream read
at java.net.SocketInputStream.socketRead(Native Method)
at java.net.SocketInputStream.read(SocketInputStream.java:86)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:186)
at java.io.BufferedInputStream.read(BufferedInputStream.java:204)
at org.apache.tomcat.service.http.HttpRequestAdapter.doRead(HttpRequestAdapter.java:115)
at org.apache.tomcat.core.BufferedServletInputStream.doRead(BufferedServletInputStream.java:106)
at org.apache.tomcat.core.BufferedServletInputStream.read(BufferedServletInputStream.java:128)
at javax.servlet.ServletInputStream.readLine(ServletInputStream.java:138)
at org.apache.tomcat.service.http.HttpRequestAdapter.readNextRequest(HttpRequestAdapter.java:129)
at org.apache.tomcat.service.http.HttpConnectionHandler.processConnection(HttpConnectionHandler.java:198)
at org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java:416)
at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java:501)
at java.lang.Thread.run(Thread.java:484)
2001-09-03 11:11:13 - Ctx( ): 404 R( + SnapStream + null) null
2001-09-03 11:11:13 - Ctx( ): 404 R( + SnapStream + null) null
2001-09-03 11:11:14 - Ctx( ): 404 R( + /includes/global.inc + null) null
2001-09-03 11:11:15 - Ctx( ): 404 R( + /global.asa .htr + null) null
2001-09-03 11:11:15 - Ctx( ): 404 R( + /pollit/Poll_It_v2.0.cgi + null) null
2001-09-03 11:11:15 - Ctx( ): 404 R( + /iissamples/issamples/fastq.idq + null) null
2001-09-03 11:11:16 - Ctx( ): 404 R( + /cfdocs/expeval/sendmail.cfm + null) null
2001-09-03 11:11:16 - Ctx( ): 404 R( + /cgi-bin/wais + null) null
2001-09-03 11:11:16 - Ctx( ): 404 R( + /cgi-bin/DCShop + null) null
2001-09-03 11:11:16 - Ctx( ): 404 R( + SnapStream + null) null
2001-09-03 11:11:16 - Ctx( ): 404 R( + /cgi-bin/websync.exe + null) null
2001-09-03 11:11:16 - Ctx( ): 404 R( + /officescan/cgi/jdkRqNotify.exe + null) null
2001-09-03 11:11:17 - Ctx( ): 404 R( + SnapStream + null) null
2001-09-03 11:11:17 - Ctx( ): 404 R( + /cgi-bin/pollit/Poll_It_SSI_v2.0.cgi + null) null
2001-09-03 11:11:17 - Ctx( ): 404 R( + /iissamples/issamples/fastq.idq + null) null
2001-09-03 11:11:17 - Ctx( ): 404 R( + /cgi-bin/pollit/Poll_It_SSI_v2.0.cgi + null) null
2001-09-03 11:11:17 - Ctx( ): 404 R( + /iissamples/issamples/query.idq + null) null
2001-09-03 11:11:18 - Ctx( ): 404 R( + /iissamples/issamples/query.idq + null) null
2001-09-03 11:11:19 - Ctx( ): 404 R( + /cgi-bin/wais + null) null
2001-09-03 11:11:19 - Ctx( ): 404 R( + /cgi-bin/DCShop + null) null
2001-09-03 11:11:20 - Ctx( ): 404 R( + /iisadmpwd/cmd.exe + null) null
2001-09-03 11:11:20 - Ctx( ): 404 R( + /iisadmpwd/cmd.exe + null) null
2001-09-03 11:11:21 - Ctx( ): 404 R( + /samples/sensepost.exe + null) null
2001-09-03 11:11:21 - Ctx( ): 404 R( + /samples/sensepost.exe + null) null
2001-09-03 11:11:21 - Ctx( ): 404 R( + /samples/cmd1.exe + null) null
2001-09-03 11:11:21 - Ctx( ): 404 R( + /samples/cmd1.exe + null) null
2001-09-03 11:11:22 - Ctx( ): 404 R( + /cgi-bin/simplestmail.cgi + null) null
2001-09-03 11:11:22 - Ctx( ): 404 R( + /samples/cmd.exe + null) null
2001-09-03 11:11:22 - Ctx( ): 404 R( + /samples/cmd.exe + null) null
2001-09-03 11:11:22 - Ctx( ): 404 R( + /cgi-bin/sensepost.exe + null) null
2001-09-03 11:11:23 - Ctx( ): 404 R( + /cgi-bin/sensepost.exe + null) null
2001-09-03 11:11:23 - Ctx( ): 404 R( + /cgi-bin/cmd1.exe + null) null
2001-09-03 11:11:23 - Ctx( ): 404 R( + /cgi-bin/cmd1.exe + null) null
2001-09-03 11:11:23 - Ctx( ): 404 R( + /cgi-bin/cmd.exe + null) null
2001-09-03 11:11:24 - Ctx( ): 404 R( + /cgi-bin/cmd.exe + null) null
2001-09-03 11:11:24 - Ctx( ): 404 R( + /vti_cnf/sensepost.exe + null) null
2001-09-03 11:11:24 - Ctx( ): 404 R( + /vti_cnf/sensepost.exe + null) null
2001-09-03 11:11:25 - Ctx( ): 404 R( + /vti_cnf/cmd1.exe + null) null
2001-09-03 11:11:27 - Ctx( ): 404 R( + /iisadmpwd/ + null) null
2001-09-03 11:11:27 - Ctx( ): 404 R( + /cgi-bin/ustorekeeper.pl + null) null
2001-09-03 11:11:27 - Ctx( ): 404 R( + /msadc/..%5c..%5c/..%5c..%5c/winnt/system32/cmd.exe + null) null
2001-09-03 11:11:27 - Ctx( ): 404 R( + /.nsf/../winnt/win.ini + null) null
2001-09-03 11:11:27 - Ctx( ): 404 R( + /iissamples/exair/howitworks/codebrws.asp + null) null
2001-09-03 11:11:27 - Ctx( ): 404 R( + /usr/bin/xvcad/glib/ + null) null
2001-09-03 11:11:27 - Ctx( ): 404 R( + /cgi-bin/ustorekeeper.pl + null) null
2001-09-03 11:11:27 - Ctx( ): 404 R( + /scripts/..%5c..%5cwinnt/system32/cmd.exe + null) null
2001-09-03 11:11:27 - Ctx( ): 404 R( + /usr/bin/xvcad/glib/ + null) null
2001-09-03 11:11:27 - Ctx( ): 404 R( + /scripts/..%5c..%5cwinnt/system32/cmd.exe + null) null
2001-09-03 11:11:27 - Ctx( ): 404 R( + /usr/bin/xvcad/var_rm + null) null
2001-09-03 11:11:28 - Ctx( ): 404 R( + /usr/bin/xvcad/var_rm + null) null
2001-09-03 11:11:28 - Ctx( ): 404 R( + /vti_cnf/cmd1.exe + null) null
2001-09-03 11:11:28 - Ctx( ): 404 R( + /usr/bin/xvcad/igesin + null) null
2001-09-03 11:11:28 - Ctx( ): 404 R( + /vti_cnf/cmd.exe + null) null
2001-09-03 11:11:28 - Ctx( ): 404 R( + /usr/bin/xvcad/igesin + null) null
2001-09-03 11:11:29 - Ctx( ): 404 R( + /vti_cnf/cmd.exe + null) null
2001-09-03 11:11:29 - Ctx( ): 404 R( + /usr/bin/xvcad/dxfin + null) null
2001-09-03 11:11:29 - Ctx( ): 404 R( + /vti_bin/sensepost.exe + null) null
2001-09-03 11:11:29 - Ctx( ): 404 R( + /usr/bin/xvcad/dxfin + null) null
2001-09-03 11:11:29 - Ctx( ): 404 R( + /vti_bin/sensepost.exe + null) null
2001-09-03 11:11:29 - Ctx( ): 404 R( + /vti_bin/cmd1.exe + null) null
2001-09-03 11:11:30 - Ctx( ): 404 R( + /vti_bin/cmd1.exe + null) null
2001-09-03 11:11:30 - Ctx( ): 404 R( + /vti_bin/cmd.exe + null) null
2001-09-03 11:11:30 - Ctx( ): 404 R( + /vti_bin/cmd.exe + null) null
2001-09-03 11:11:31 - Ctx( ): 404 R( + /msadc/sensepost.exe + null) null
2001-09-03 11:11:31 - Ctx( ): 404 R( + /msadc/sensepost.exe + null) null
2001-09-03 11:11:31 - Ctx( ): 404 R( + /msadc/cmd1.exe + null) null
2001-09-03 11:11:32 - Ctx( ): 404 R( + /msadc/cmd1.exe + null) null
2001-09-03 11:11:32 - Ctx( ): 404 R( + /msadc/cmd.exe + null) null
2001-09-03 11:11:32 - Ctx( ): 404 R( + /msadc/cmd.exe + null) null
2001-09-03 11:11:32 - Ctx( ): 404 R( + /scripts/sensepost.exe + null) null
2001-09-03 11:11:42 - Ctx( ): 404 R( + /scripts/sensepost.exe + null) null
2001-09-03 11:11:42 - Ctx( ): 404 R( + /scripts/cmd1.exe + null) null
2001-09-03 11:11:42 - Ctx( ): 404 R( + /scripts/cmd1.exe + null) null
2001-09-03 11:11:43 - Ctx( ): 404 R( + /scripts/cmd.exe + null) null
2001-09-03 11:11:43 - Ctx( ): 404 R( + /scripts/cmd.exe + null) null
2001-09-03 11:11:43 - Ctx( ): 404 R( + /sensepost.exe + null) null
2001-09-03 11:11:44 - Ctx( ): 404 R( + /sensepost.exe + null) null
2001-09-03 11:11:44 - Ctx( ): 404 R( + /cmd1.exe + null) null
2001-09-03 11:11:44 - Ctx( ): 404 R( + /cmd1.exe + null) null
2001-09-03 11:11:44 - Ctx( ): 404 R( + /cmd.exe + null) null
2001-09-03 11:11:45 - Ctx( ): 404 R( + /cmd.exe + null) null
End <--
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
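
An added triage sketch, not part of the original post: it rejoins mail-wrapped entries in the log layout shown above, then reports the request rate, the 404 ratio and how many paths match traversal or Windows/IIS patterns, which are the properties that separate a scripted sweep from manual browsing. The sample lines are constructed from that layout, and the signature names and groupings are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the log layout above, with mail-style line wraps.
SAMPLE = r"""
2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/cart.pl + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( +
/cgi-bin/..%5c..%5c/..%5c..%5c/winnt/sy
stem32/cmd.exe + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /..\..\..\..\..\autoexec.bat +
null) nu
ll
2001-09-03 11:11:09 - Ctx( ): 404 R( + /_vti_pvt/users.pwd + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /iisadmpwd/sensepost.exe + null)
null
"""

STAMP = re.compile(r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d - ")
ENTRY = re.compile(r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) - Ctx\(.*?\): (\d{3}) "
                   r"R\(\s*\+\s*(.*?)\s*\+\s*null\s*\)")
# Assumed labels; the patterns come from paths visible in the log above.
SIGNATURES = {
    "traversal": re.compile(r"\.\.(?:[/\\]|%5c|%2f)", re.I),
    "windows_shell": re.compile(r"(?:cmd1?|sensepost)\.exe$", re.I),
    "iis_frontpage": re.compile(r"^/(?:_?vti_\w+|iisadmpwd|msadc|iissamples)/", re.I),
}

def rejoin(text):
    """Glue wrapped fragments back onto the timestamped line they belong to."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append("")
        records[-1] += line
    return records

def summarise(text):
    """Return request rate, 404 ratio and signature counts for a log excerpt."""
    hits = [m.groups() for m in map(ENTRY.match, rejoin(text)) if m]
    per_second = Counter(ts for ts, _, _ in hits)
    tags = Counter(name for _, _, path in hits
                   for name, rx in SIGNATURES.items() if rx.search(path))
    return {
        "requests": len(hits),
        "not_found_ratio": sum(s == "404" for _, s, _ in hits) / max(len(hits), 1),
        "peak_per_second": max(per_second.values(), default=0),
        "tags": dict(tags),
        "paths": [path for _, _, path in hits],
    }
```

Calling `summarise()` on a full log gives the figures to compare across both servers; a near-total 404 ratio with several requests per second and many Windows-only paths on a non-Windows host points to an automated sweep rather than a person browsing.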
