[svlug] Is this a hack attempt?

Doug Dooley dougdooley at attbi.com
Fri Oct 25 15:56:37 PDT 2002


These are standard NIMDA (Code Red) requests.  They're likely not malicious
but rather from careless users who haven't run Windows patches on their IIS
machines.

I run a cron job that parses my Apache logs and sends weekly emails to
ATT Broadband Security - here's an example email that I send.  I
recommend doing the same to your service provider. Let me know if you
want a copy of my script - it's written in Perl (really basic).

Example weekly email:

Sent: Monday, October 21, 2002 7:01 AM
To: abuse at attbi.com
Subject: Nimda Violations: Mon Oct 21 07:00:00 PDT 2002

Bcc: dougdooley at attbi.com

ATTBI Security Team -

My name is Doug Dooley and I'm an ATTBI customer.
My phone & address: 650-340-1526 & San Mateo, CA 94401
My IP address and login: 12.236.44.60 & dougdooley4

This email has been sent to notify you of clients infected by Code
Red/NIMDA that have made requests to my machine recently. If this report
is of little value, please contact me and I will cease to send this
report.  My goal is to provide you with useful information in your
efforts to eliminate the number of Virus infected machines on the ATT
Broadband Internet network.

Below is a list of infected machines, the dates of their first and last
recorded NIMDA style request, and the number of NIMDA style requests
received:

HOST: 12-218-74-47.client.mchsi.com
  DATES: [11/Oct/2002:20:58:27] - [11/Oct/2002:20:58:58]
  NUM OF NIMDA REQUESTS: 16
  EXAMPLE REQUEST: GET /scripts/root.exe?/c+dir HTTP/1.0

HOST: 12-219-213-85.client.mchsi.com
  DATES: [13/Oct/2002:18:12:24] - [13/Oct/2002:18:12:43]
  NUM OF NIMDA REQUESTS: 16
  EXAMPLE REQUEST: GET /scripts/root.exe?/c+dir HTTP/1.0

HOST: 12-228-11-35.client.attbi.com
  DATES: [16/Oct/2002:14:01:52] - [16/Oct/2002:14:01:53]
  NUM OF NIMDA REQUESTS: 2
  EXAMPLE REQUEST: GET /scripts/root.exe?/c+dir HTTP/1.0

HOST: 12-228-183-212.client.attbi.com
  DATES: [16/Oct/2002:00:19:30] - [16/Oct/2002:00:19:34]
  NUM OF NIMDA REQUESTS: 2
  EXAMPLE REQUEST: GET /scripts/root.exe?/c+dir HTTP/1.0

HOST: 12-231-4-189.client.attbi.com
  DATES: [12/Oct/2002:01:18:57] - [16/Oct/2002:12:47:17]
  NUM OF NIMDA REQUESTS: 32
  EXAMPLE REQUEST: GET /scripts/root.exe?/c+dir HTTP/1.0

HOST: 12-235-179-145.client.attbi.com
  DATES: [14/Oct/2002:15:58:54] - [14/Oct/2002:16:00:30]
  NUM OF NIMDA REQUESTS: 16
  EXAMPLE REQUEST: GET /scripts/root.exe?/c+dir HTTP/1.0

HOST: 12-235-65-112.client.attbi.com
  DATES: [14/Oct/2002:04:17:50] - [15/Oct/2002:02:40:57]
  NUM OF NIMDA REQUESTS: 32
  EXAMPLE REQUEST: GET /scripts/root.exe?/c+dir HTTP/1.0

HOST: 12-236-101-173.client.attbi.com
  DATES: [11/Oct/2002:16:44:59] - [14/Oct/2002:07:42:30]
  NUM OF NIMDA REQUESTS: 247
  EXAMPLE REQUEST: GET /scripts/root.exe?/c+dir HTTP/1.0

HOST: 12-236-192-17.client.attbi.com
  DATES: [20/Oct/2002:15:21:20] - [20/Oct/2002:17:20:34]
  NUM OF NIMDA REQUESTS: 48
  EXAMPLE REQUEST: GET /scripts/root.exe?/c+dir HTTP/1.0

HOST: 12-236-192-34.client.attbi.com
  DATES: [11/Oct/2002:17:28:33] - [15/Oct/2002:13:23:49]
  NUM OF NIMDA REQUESTS: 113
  EXAMPLE REQUEST: GET /scripts/root.exe?/c+dir HTTP/1.0

HOST: 12-236-29-75.client.attbi.com
  DATES: [13/Oct/2002:01:32:19] - [21/Oct/2002:04:00:13]
  NUM OF NIMDA REQUESTS: 728
  EXAMPLE REQUEST: GET /scripts/root.exe?/c+dir HTTP/1.0

HOST: 12-236-50-15.client.attbi.com
  DATES: [15/Oct/2002:15:48:10] - [15/Oct/2002:16:38:35]
  NUM OF NIMDA REQUESTS: 52
  EXAMPLE REQUEST: GET /scripts/root.exe?/c+dir HTTP/1.0

HOST: 12-236-70-101.client.attbi.com
  DATES: [13/Oct/2002:01:23:29] - [18/Oct/2002:22:37:58]
  NUM OF NIMDA REQUESTS: 198
  EXAMPLE REQUEST: GET /scripts/root.exe?/c+dir HTTP/1.0

HOST: 12-245-79-29.client.attbi.com
  DATES: [15/Oct/2002:13:54:09] - [15/Oct/2002:13:54:56]
  NUM OF NIMDA REQUESTS: 16
  EXAMPLE REQUEST: GET /scripts/root.exe?/c+dir HTTP/1.0

HOST: 12-246-207-26.client.attbi.com
  DATES: [20/Oct/2002:10:57:53] - [20/Oct/2002:10:58:00]
  NUM OF NIMDA REQUESTS: 16
  EXAMPLE REQUEST: GET /scripts/root.exe?/c+dir HTTP/1.0

HOST: 12-249-178-72.client.attbi.com
  DATES: [17/Oct/2002:07:52:32] - [17/Oct/2002:07:52:40]
  NUM OF NIMDA REQUESTS: 16
  EXAMPLE REQUEST: GET /scripts/root.exe?/c+dir HTTP/1.0

HOST: 12-251-236-184.client.attbi.com
  DATES: [15/Oct/2002:07:16:40] - [15/Oct/2002:07:17:00]
  NUM OF NIMDA REQUESTS: 12
  EXAMPLE REQUEST: GET /scripts/root.exe?/c+dir HTTP/1.0

HOST: 65.240.128.146
  DATES: [18/Oct/2002:00:48:40] - [18/Oct/2002:00:48:40]
  NUM OF NIMDA REQUESTS: 1
  EXAMPLE REQUEST: GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir

HOST: aputeaux-104-1-3-95.abo.wanadoo.fr
  DATES: [20/Oct/2002:20:24:15] - [20/Oct/2002:20:24:15]
  NUM OF NIMDA REQUESTS: 1
  EXAMPLE REQUEST: GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir

---------------------------------------------------
TOTAL NUMBER OF NIMDA STYLE REQUESTS: 1564
TOTAL NUMBER OF INFECTED CLIENTS: 19
TOTAL NUMBER OF INFECTED ATTBI CLIENTS: 15
---------------------------------------------------

Again, I hope this information was useful.

Sincerely,
Doug Dooley
dougdooley at attbi.com
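Doug's Perl script isn't posted, so here is an added example (my own Python, not Doug's code and not anything from the list) of the same idea: read Apache access_log lines in common log format, match the Code Red/Nimda request fragments that appear in the report above (root.exe, cmd.exe, and the %255c / %c1%1c traversal encodings), and roll them up per source host into first/last timestamp, request count and one example request, followed by the same totals line. The log lines below are constructed for the example; the hostnames and times imitate the report but are made up. Note that it expects access_log lines, not the mod_status rows Daevid pasted.

```python
import re
from datetime import datetime

# Constructed sample access_log lines (common log format). Hosts and times are
# made up; the request strings are the kinds quoted in the report above.
SAMPLE_LOG = """\
12-236-29-75.client.attbi.com - - [13/Oct/2002:01:32:19 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282
12-236-29-75.client.attbi.com - - [13/Oct/2002:01:32:20 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 280
65.240.128.146 - - [18/Oct/2002:00:48:40 -0700] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311
192.0.2.10 - - [18/Oct/2002:09:15:02 -0700] "GET /index.html HTTP/1.1" 200 1043
12-236-29-75.client.attbi.com - - [21/Oct/2002:04:00:13 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
"""

# One common/combined log line: host ident user [time] "request" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+')

# Fragments characteristic of Code Red / Nimda probes, taken from the requests
# in the report: the root.exe backdoor, direct cmd.exe calls, and the
# double-encoded (%255c) and Unicode (%c1%1c) traversal sequences.
NIMDA_RE = re.compile(r"root\.exe|cmd\.exe|%255c|%c1%1c", re.IGNORECASE)

TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"      # as written in the log
DISPLAY_FMT = "%d/%b/%Y:%H:%M:%S"      # as written in the report


def parse_line(line):
    """Return (host, datetime, request) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, ts, request = m.group(1), m.group(2), m.group(3)
    return host, datetime.strptime(ts, TIME_FMT), request


def scan(lines):
    """Aggregate Nimda-style requests per source host.

    Returns {host: {"first": datetime, "last": datetime, "count": int, "example": str}};
    the example kept is the first matching request seen from that host.
    """
    hosts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, when, request = parsed
        if not NIMDA_RE.search(request):
            continue                      # ordinary traffic, ignore
        rec = hosts.get(host)
        if rec is None:
            hosts[host] = {"first": when, "last": when, "count": 1, "example": request}
        else:
            rec["first"] = min(rec["first"], when)
            rec["last"] = max(rec["last"], when)
            rec["count"] += 1
    return hosts


def totals(hosts, provider_suffix):
    """Summary figures for the footer: requests, hosts, and hosts inside the provider's domain."""
    return {
        "requests": sum(r["count"] for r in hosts.values()),
        "clients": len(hosts),
        "provider_clients": sum(1 for h in hosts if h.endswith(provider_suffix)),
    }


def format_report(hosts, provider_suffix, provider_name):
    """Render the per-host list and totals in the layout of the weekly email."""
    out = []
    for host in sorted(hosts):
        r = hosts[host]
        out.append(f"HOST: {host}")
        out.append(f"  DATES: [{r['first'].strftime(DISPLAY_FMT)}] - [{r['last'].strftime(DISPLAY_FMT)}]")
        out.append(f"  NUM OF NIMDA REQUESTS: {r['count']}")
        out.append(f"  EXAMPLE REQUEST: {r['example']}")
        out.append("")
    t = totals(hosts, provider_suffix)
    out.append("-" * 51)
    out.append(f"TOTAL NUMBER OF NIMDA STYLE REQUESTS: {t['requests']}")
    out.append(f"TOTAL NUMBER OF INFECTED CLIENTS: {t['clients']}")
    out.append(f"TOTAL NUMBER OF INFECTED {provider_name} CLIENTS: {t['provider_clients']}")
    out.append("-" * 51)
    return "\n".join(out)


if __name__ == "__main__":
    # Run against a real log with: scan(open("/var/log/httpd/access_log"))
    print(format_report(scan(SAMPLE_LOG.splitlines()), ".attbi.com", "ATTBI"))
```

The benign index.html line is dropped, the attbi host's three probes collapse into one entry spanning 13 Oct to 21 Oct, and the totals come out as 4 requests, 2 clients, 1 attbi client. Matching on the request string rather than the status code matters: the probes 404 on Apache, but a 404 on its own is not a signature.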
-----Original Message-----
From: svlug-bounces+dougdooley=attbi.com at svlug.org
[mailto:svlug-bounces+dougdooley=attbi.com at svlug.org] On Behalf Of
Daevid Vincent
Sent: Friday, October 25, 2002 3:45 PM
To: SVLUG
Subject: [svlug] Is this a hack attempt?

I run RH8.0 so this sure seems suspicious to me:

1-0 25065 0/508/508 _  6.42 128 0 0.0 130.31 130.31  12.237.249.145 daevid.com GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0

4-0 25068 0/519/519 _  5.86 139 0 0.0 143.76 143.76  12.237.249.145 daevid.com GET /MSADC/root.exe?/c+dir HTTP/1.0
5-0 25069 0/518/518 _  5.84 142 0 0.0 99.62 99.62  12.237.249.145 daevid.com GET /scripts/root.exe?/c+dir HTTP/1.0
6-0 25070 0/531/531 _  6.44 114 0 0.0 129.48 129.48  12.237.249.145 daevid.com GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..
7-0 25071 0/525/525 _  6.93 117 0 0.0 139.17 139.17  12.237.249.145 daevid.com GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.
8-0 25214 0/503/503 _  5.83 136 0 0.0 118.91 118.91  12.237.249.145 daevid.com GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
9-0 25774 0/271/271 _  4.87 133 0 0.0 119.94 119.94  12.237.249.145 daevid.com GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
10-0 26526 0/457/457 _  5.36 335 0 0.0 100.78 100.78  12.229.31.145 daevid.com GET /MSADC/root.exe?/c+dir HTTP/1.0
14-0 26531 0/334/334 _  3.51 119 0 0.0 89.96 89.96  12.237.249.145 daevid.com GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.

And so now is there a way I can make a file of IP/domains that are
banned from contacting my server (all ports)?


_______________________________________________
svlug mailing list
svlug at lists.svlug.org
http://lists.svlug.org/lists/listinfo/svlug