Web Server Scans

Jonathan Hutchins hutchins at opus1.com
Sat Jul 6 23:55:55 CDT 2002


I'm getting hit by wave after wave of requests on my web server for what are
obviously known compromises, mostly on IIS servers.  I'll get about thirteen
requests from one IP, then the same thirteen files from another.  These are
the files they're looking for:

/scripts/root.exe
/MSADC/root.exe
/c/winnt/system32/cmd.exe
/d/winnt/system32/cmd.exe
/scripts/..%5c../winnt/system32/cmd.exe
/vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
/msadc/..%5c../..%5c../..%5c/..Á^../..Á^../..Á^../winnt/system32/cmd.exe
/scripts/..Á^../winnt/system32/cmd.exe
/scripts/..À¯../winnt/system32/cmd.exe
/scripts/..Á<9C>../winnt/system32/cmd.exe
/scripts/..%5c../winnt/system32/cmd.exe
/..%2f../winnt/system32/cmd.exe

I wonder if this is a common kiddie script, or a distributed attack coming
from infected servers?

Anything one can do about it?  Worst it's doing to me is cluttering up my
logs...
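
An added example, not part of the original post: one way to deal with the log clutter is to separate these probe requests from normal traffic in the access log and group them by client IP. It assumes Common Log Format; the function names, the threshold and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Common Log Format: host ident user [time] "METHOD path PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)[^"]*" \d{3} \S+')
# The two executables every request in the post asks for.
TARGET = re.compile(rb'[/\\](?:cmd|root)\.exe(?:\?|$)', re.I)
# "../" or "..\" once percent-escapes such as %5c and %2f are decoded.
TRAVERSAL = re.compile(rb'\.\.[/\\]')

def classify(path):
    """Return 'target', 'traversal', or None for an ordinary request path."""
    raw = unquote_to_bytes(path)  # bytes, since probe paths may not be valid UTF-8
    if TARGET.search(raw):
        return "target"
    if TRAVERSAL.search(raw):
        return "traversal"
    return None

def split_log(lines):
    """Separate probe requests from normal traffic; group probes by client IP."""
    clean, probes = [], defaultdict(list)
    for line in lines:
        m = CLF.match(line)
        if m and classify(m.group(2)):
            probes[m.group(1)].append(m.group(2))
        else:
            clean.append(line)
    return clean, dict(probes)

def scanners(probes, threshold=3):
    """Clients with at least `threshold` probes (the threshold is an assumption)."""
    return sorted(ip for ip, paths in probes.items() if len(paths) >= threshold)

# Constructed sample log: documentation IPs, probe paths taken from the post.
SAMPLE = [
    '192.0.2.10 - - [06/Jul/2002:23:01:02 -0500] "GET /scripts/root.exe HTTP/1.0" 404 276',
    '192.0.2.10 - - [06/Jul/2002:23:01:02 -0500] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 284',
    '192.0.2.10 - - [06/Jul/2002:23:01:03 -0500] "GET /scripts/..%5c../winnt/system32/cmd.exe HTTP/1.0" 404 298',
    '198.51.100.7 - - [06/Jul/2002:23:02:10 -0500] "GET /index.html HTTP/1.0" 200 5120',
    '203.0.113.5 - - [06/Jul/2002:23:03:44 -0500] "GET /MSADC/root.exe HTTP/1.0" 404 274',
    '203.0.113.5 - - [06/Jul/2002:23:03:45 -0500] "GET /..%2f../winnt/system32/cmd.exe HTTP/1.0" 404 290',
    '198.51.100.7 - - [06/Jul/2002:23:04:00 -0500] "GET /docs/cmd.exe.html HTTP/1.0" 200 812',
]
```

`split_log(SAMPLE)` returns the log without the probe lines plus a per-client list of probed paths, and `scanners()` names the clients that sent a burst of them.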



