
List:       avalon-dev
Subject:    Re: don't bother google ;) funny...
From:       Jakob Praher <praher.keg () liwest ! at>
Date:       2002-02-28 19:25:55

looks to me more like a code-red style (also nimda) virus attack - which
is sent out by an infected iis to its colleagues ;-).

it tries to execute commands via the cmd.exe, via root.exe and admin.dll,
I think - and tries to download replacements for root.exe and admin.dll
which themselves are infected.

just my 2 cents.

--Jakob
"simple things should be simple, complex things possible" --Alan Kay


On Thu, 2002-02-28 at 16:57, Berin Loritsch wrote:
> Emperor wrote:
> > Hmm.... Here is the log
> 
> Sorry to disappoint you, that is a standard bot that scours anything
> that can be resolved.  My guess is for vulnerable systems.  It is quite
> interesting as those types of requests will only work on IIS/NT based
> systems.
> 
> I received a number of requests like that when I was helping a company
> migrate their webapp from three machines to one.  (Can I give you a
> hint: never put full address resolution if you expect to move an app
> later).
> 
> > 
> > I tested my async this afternoon by connecting to www.google.de and
> > sending a standard request (on both port 80 and 5485 - to test correct
> > and incorrect requests). Due to typos my first request strings weren't
> > correct. I had a serversocket running on port 80, too. After a while...
> > I began to get suspicious requests on my serversocket ;) like these ones:
> > 
> > connection to 217.81.232.195:2302 received "GET /MSADC/root.exe?/c+dir HTTP/1.0
> > connection to 217.81.232.195:2441 received "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
> > connection to 217.81.232.195:2568 received "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
> > connection to 217.81.232.195:2954 received "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> > 
> > Pretty funny... as my server didn't answer to requests ;) I think there
> > was someone @ google trying to find out who I am ;) I tried a reverse
> > hostname lookup but didn't give interesting results ;)
> > 
> > Look at the log ;) pretty cool.
> > 
> > Nils
> > 
> > 
> > 
> > --
> > To unsubscribe, e-mail:   <mailto:avalon-dev-unsubscribe@jakarta.apache.org>
> > For additional commands, e-mail: <mailto:avalon-dev-help@jakarta.apache.org>
> > 
> 
> 
> 
> -- 
> 
> "They that give up essential liberty to obtain a little temporary safety
>   deserve neither liberty nor safety."
>                  - Benjamin Franklin
> 
> 
> 
> 
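To make the quoted log lines concrete from the defender's side, here is an added example (not code from the thread or from the Avalon project): a small Python classifier that parses lines in the format Nils posted, decodes the IIS double-encoded traversal (%255c), and tags the cmd.exe/root.exe probes that Jakob and Berin identify as Code Red/Nimda-style scanning. The `connection to ... received "..."` log format is taken from the thread; the tag names are my own, and the sample log reuses the thread's four requests plus one constructed benign line.

```python
import re
from urllib.parse import unquote

# Sample log: the four requests quoted in the thread plus one constructed
# benign request (192.0.2.10 is a documentation address, not a real host).
SAMPLE_LOG = """\
connection to 217.81.232.195:2302 received "GET /MSADC/root.exe?/c+dir HTTP/1.0
connection to 217.81.232.195:2441 received "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
connection to 217.81.232.195:2568 received "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
connection to 217.81.232.195:2954 received "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
connection to 192.0.2.10:40012 received "GET /index.html HTTP/1.0
"""

LINE_RE = re.compile(r'connection to (?P<src>\S+) received "(?P<method>\S+) (?P<target>\S+)')

# Files the Code Red / Nimda family asks for: the Windows shell, or the root.exe copy of it.
SHELL_NAMES = {"cmd.exe", "root.exe"}


def decode_path(raw: str) -> tuple[str, int]:
    """Percent-decode until stable and return (decoded path, rounds needed).
    %255c takes two rounds (%255c -> %5c -> '\\'), the IIS double-decoding trick."""
    rounds, cur = 0, raw
    while True:
        nxt = unquote(cur)
        if nxt == cur:
            return cur.replace("\\", "/"), rounds
        cur, rounds = nxt, rounds + 1


def classify_request(target: str) -> list[str]:
    """Return tags saying why a request target looks like a worm probe ([] if benign)."""
    path, _, query = target.partition("?")
    decoded, rounds = decode_path(path)
    tags = []
    if decoded.rsplit("/", 1)[-1].lower() in SHELL_NAMES:
        tags.append("shell-request")
    if "/../" in decoded or decoded.endswith("/.."):
        tags.append("double-encoded-traversal" if rounds > 1 else "traversal")
    if query.startswith("/c+") or query.startswith("/c "):
        tags.append("cmd-exec-argument")   # "?/c+dir" is an argument list for cmd.exe
    return tags


def scan_log(text: str) -> list[dict]:
    """Parse log lines and report every request that carries at least one probe tag."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m and (tags := classify_request(m["target"])):
            findings.append({"src": m["src"], "target": m["target"], "tags": tags})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["src"], ",".join(f["tags"]), f["target"])
```

All four of the thread's requests are flagged, while the constructed /index.html request is not; a server that is not IIS can simply log and drop such requests, exactly as Nils's socket did.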





