Looks to me more like a Code Red style (also Nimda) virus attack - which is sent out by an infected IIS to its colleagues ;-).

It tries to execute commands via cmd.exe, via root.exe and admin.dll, I think - and tries to download replacements for root.exe and admin.dll which themselves are infected.

Just my 2 cents.

--Jakob

"simple things should be simple, complex things possible" --Alan Kay

On Thu, 2002-02-28 at 16:57, Berin Loritsch wrote:
> Emperor wrote:
> > Hmm.... Here is the log
>
> Sorry to disappoint you, that is a standard bot that scours anything
> that can be resolved. My guess is for vulnerable systems. It is quite
> interesting as those types of requests will only work on IIS/NT based
> systems.
>
> I received a number of requests like that when I was helping a company
> migrate their webapp from three machines to one. (Can I give you a
> hint: never put full address resolution if you expect to move an app
> later).
>
> > I tested my async this afternoon by connecting to www.google.de and
> > sending a standard request (on both port 80 and 5485 - to test correct
> > and incorrect requests). Due to typos my first request strings weren't
> > correct. I had a serversocket running on port 80, too. After a while...
> > I began to get suspicious requests on my serversocket ;) like these ones:
> >
> > connection to 217.81.232.195:2302 received "GET /MSADC/root.exe?/c+dir HTTP/1.0
> > connection to 217.81.232.195:2441 received "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
> > connection to 217.81.232.195:2568 received "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
> > connection to 217.81.232.195:2954 received "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> >
> > Pretty funny... as my server didn't answer to requests ;) I think there
> > was someone @ google trying to find out who I am ;) I tried a reverse
> > hostname lookup but it didn't give interesting results ;)
> >
> > Look at the log ;) pretty cool.
> >
> > Nils
> >
> > --
> > To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> > For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
>
> --
> "They that give up essential liberty to obtain a little temporary safety
> deserve neither liberty nor safety."
> - Benjamin Franklin
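A small way to pick these probes out of a log, as an added example written for this page (my own Python, not code from Jakob, Nils or the list). It takes the request lines Nils quoted as constructed sample input plus one benign request for contrast, decodes the double-encoded %255c traversal the way IIS did (percent-decode twice, then treat backslash as a path separator), and flags the cmd.exe / root.exe / admin.dll targets Jakob mentions. The indicator lists, function names and the "probe" decision rule are my own assumptions, not a published signature set.

```python
from urllib.parse import unquote

# Constructed sample input: the four request lines from Nils's log,
# plus one harmless request so the scanner has something to ignore.
SAMPLE_REQUESTS = [
    "GET /MSADC/root.exe?/c+dir HTTP/1.0",
    "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /index.html HTTP/1.0",
]

# Indicator lists chosen by me from the requests above and Jakob's description;
# they are assumptions for this example, not an official signature set.
SUSPICIOUS_TARGETS = ("cmd.exe", "root.exe", "admin.dll")
SUSPICIOUS_DIRS = ("/msadc/", "/_mem_bin/", "/_vti_bin/", "/scripts/")


def normalize_path(raw_path: str, rounds: int = 2) -> str:
    """Percent-decode repeatedly so a doubly encoded %255c becomes %5c and
    then a backslash; fold backslashes to '/' since IIS accepted both as
    separators. Decoding stops early once a round changes nothing."""
    decoded = raw_path
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/").lower()


def parse_request_line(line: str):
    """Split 'METHOD target HTTP/x.y' into (method, path, query); None if malformed."""
    parts = line.strip().split(" ")
    if len(parts) != 3 or not parts[2].upper().startswith("HTTP/"):
        return None
    method, target = parts[0], parts[1]
    path, _, query = target.partition("?")
    return method, path, query


def classify(line: str) -> dict:
    """Return the indicators that matched for one request line."""
    parsed = parse_request_line(line)
    if parsed is None:
        return {"line": line, "malformed": True, "indicators": []}
    method, path, query = parsed
    npath = normalize_path(path)
    indicators = []
    if "/../" in npath or npath.startswith("../"):
        indicators.append("traversal")
    if "%25" in path.lower():
        # a literal '%' was itself percent-encoded: the %255c trick
        indicators.append("double-encoding")
    if any(npath.endswith(t) for t in SUSPICIOUS_TARGETS):
        indicators.append("shell-or-backdoor")
    if any(d in npath for d in SUSPICIOUS_DIRS):
        indicators.append("known-iis-dir")
    if "/winnt/system32/" in npath:
        indicators.append("system32-path")
    if "/c+" in query.lower():
        # '?/c+dir' hands cmd.exe a command line through the query string
        indicators.append("cmd-argument")
    return {"line": line, "malformed": False, "indicators": indicators}


def is_worm_probe(finding: dict) -> bool:
    """Decision rule (my assumption): asking for a shell/backdoor binary, or
    combining traversal with double-encoding, marks the request as a probe."""
    ind = set(finding["indicators"])
    return "shell-or-backdoor" in ind or {"traversal", "double-encoding"} <= ind


def scan(lines) -> list:
    """Classify every request line and keep only those judged to be probes."""
    return [f for f in (classify(l) for l in lines) if is_worm_probe(f)]


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding["line"], "->", ", ".join(finding["indicators"]))
```

The double decode matters: a filter that percent-decodes once sees `..%5c..`, never a `..\..` traversal, which is exactly why `%255c` got past early IIS checks.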
