[svlug] Is this a hack attempt?

Daevid Vincent daevid at daevid.com
Fri Oct 25 16:02:34 PDT 2002


Yes Doug, I would love that script! I'm on ATT cable as well.

But had this been a more serious attack, in reference to my earlier
question, is there a way to ban a list of IP or domains from contacting
my computer? Sort of like a /etc/banhosts file or something that I just
enter them in and cut them off.

Thanks,

d

> -----Original Message-----
> From: Doug Dooley [mailto:dougdooley at attbi.com] 
> Sent: Friday, October 25, 2002 3:57 PM
> To: 'Daevid Vincent'; 'SVLUG'
> Subject: RE: [svlug] Is this a hack attempt?
> 
> 
> These are standard NIMDA (code red) requests.  It's likely not 
> malicious but rather careless users who haven't run Windows 
> patches on their IIS machines.
> 
> I run a cron job that parses my Apache logs and sends weekly 
> emails to ATT Broadband Security - here's an example email 
> that I send.  I recommend doing the same to your service 
> provider. Let me know if you want a copy of my script - it's 
> written in PERL (really basic).
> 
> Example weekly email:
> 
> Sent: Monday, October 21, 2002 7:01 AM
> To: abuse at attbi.com
> Subject: Nimda Violations: Mon Oct 21 07:00:00 PDT 2002
> 
> Bcc: dougdooley at attbi.com
> 
> ATTBI Security Team -
> 
> My name is Doug Dooley and I'm an ATTBI customer.
> My phone & address: 650-340-1526 & San Mateo, CA 94401
> My IP address and login: 12.236.44.60 & dougdooley4
> 
> This email has been sent to notify you of clients infected by 
> Code Red/NIMDA that have made requests to my machine 
> recently. If this report is of little value, please contact 
> me and I will cease to send this report.  My goal is to 
> provide you with useful information in your efforts to 
> eliminate the number of Virus infected machines on the ATT 
> Broadband Internet network.
> 
> Below is a list of infected machines, the dates of their 
> first and last recorded NIMDA style request, and the number 
> of NIMDA style requests received:
> HOST: 12-218-74-47.client.mchsi.com
>   DATES: [11/Oct/2002:20:58:27] - [11/Oct/2002:20:58:58]
>   NUM OF NIMDA REQUESTS: 16
>   EXAMPLE REQUEST: GET /scripts/root.exe?/c+dir HTTP/1.0
> 
> HOST: 12-219-213-85.client.mchsi.com
>   DATES: [13/Oct/2002:18:12:24] - [13/Oct/2002:18:12:43]
>   NUM OF NIMDA REQUESTS: 16
>   EXAMPLE REQUEST: GET /scripts/root.exe?/c+dir HTTP/1.0
> 
> HOST: 12-228-11-35.client.attbi.com
>   DATES: [16/Oct/2002:14:01:52] - [16/Oct/2002:14:01:53]
>   NUM OF NIMDA REQUESTS: 2
>   EXAMPLE REQUEST: GET /scripts/root.exe?/c+dir HTTP/1.0
> 
> HOST: 12-228-183-212.client.attbi.com
>   DATES: [16/Oct/2002:00:19:30] - [16/Oct/2002:00:19:34]
>   NUM OF NIMDA REQUESTS: 2
>   EXAMPLE REQUEST: GET /scripts/root.exe?/c+dir HTTP/1.0
> 
> HOST: 12-231-4-189.client.attbi.com
>   DATES: [12/Oct/2002:01:18:57] - [16/Oct/2002:12:47:17]
>   NUM OF NIMDA REQUESTS: 32
>   EXAMPLE REQUEST: GET /scripts/root.exe?/c+dir HTTP/1.0
> 
> HOST: 12-235-179-145.client.attbi.com
>   DATES: [14/Oct/2002:15:58:54] - [14/Oct/2002:16:00:30]
>   NUM OF NIMDA REQUESTS: 16
>   EXAMPLE REQUEST: GET /scripts/root.exe?/c+dir HTTP/1.0
> 
> HOST: 12-235-65-112.client.attbi.com
>   DATES: [14/Oct/2002:04:17:50] - [15/Oct/2002:02:40:57]
>   NUM OF NIMDA REQUESTS: 32
>   EXAMPLE REQUEST: GET /scripts/root.exe?/c+dir HTTP/1.0
> 
> HOST: 12-236-101-173.client.attbi.com
>   DATES: [11/Oct/2002:16:44:59] - [14/Oct/2002:07:42:30]
>   NUM OF NIMDA REQUESTS: 247
>   EXAMPLE REQUEST: GET /scripts/root.exe?/c+dir HTTP/1.0
> 
> HOST: 12-236-192-17.client.attbi.com
>   DATES: [20/Oct/2002:15:21:20] - [20/Oct/2002:17:20:34]
>   NUM OF NIMDA REQUESTS: 48
>   EXAMPLE REQUEST: GET /scripts/root.exe?/c+dir HTTP/1.0
> 
> HOST: 12-236-192-34.client.attbi.com
>   DATES: [11/Oct/2002:17:28:33] - [15/Oct/2002:13:23:49]
>   NUM OF NIMDA REQUESTS: 113
>   EXAMPLE REQUEST: GET /scripts/root.exe?/c+dir HTTP/1.0
> 
> HOST: 12-236-29-75.client.attbi.com
>   DATES: [13/Oct/2002:01:32:19] - [21/Oct/2002:04:00:13]
>   NUM OF NIMDA REQUESTS: 728
>   EXAMPLE REQUEST: GET /scripts/root.exe?/c+dir HTTP/1.0
> 
> HOST: 12-236-50-15.client.attbi.com
>   DATES: [15/Oct/2002:15:48:10] - [15/Oct/2002:16:38:35]
>   NUM OF NIMDA REQUESTS: 52
>   EXAMPLE REQUEST: GET /scripts/root.exe?/c+dir HTTP/1.0
> 
> HOST: 12-236-70-101.client.attbi.com
>   DATES: [13/Oct/2002:01:23:29] - [18/Oct/2002:22:37:58]
>   NUM OF NIMDA REQUESTS: 198
>   EXAMPLE REQUEST: GET /scripts/root.exe?/c+dir HTTP/1.0
> 
> HOST: 12-245-79-29.client.attbi.com
>   DATES: [15/Oct/2002:13:54:09] - [15/Oct/2002:13:54:56]
>   NUM OF NIMDA REQUESTS: 16
>   EXAMPLE REQUEST: GET /scripts/root.exe?/c+dir HTTP/1.0
> 
> HOST: 12-246-207-26.client.attbi.com
>   DATES: [20/Oct/2002:10:57:53] - [20/Oct/2002:10:58:00]
>   NUM OF NIMDA REQUESTS: 16
>   EXAMPLE REQUEST: GET /scripts/root.exe?/c+dir HTTP/1.0
> 
> HOST: 12-249-178-72.client.attbi.com
>   DATES: [17/Oct/2002:07:52:32] - [17/Oct/2002:07:52:40]
>   NUM OF NIMDA REQUESTS: 16
>   EXAMPLE REQUEST: GET /scripts/root.exe?/c+dir HTTP/1.0
> 
> HOST: 12-251-236-184.client.attbi.com
>   DATES: [15/Oct/2002:07:16:40] - [15/Oct/2002:07:17:00]
>   NUM OF NIMDA REQUESTS: 12
>   EXAMPLE REQUEST: GET /scripts/root.exe?/c+dir HTTP/1.0
> 
> HOST: 65.240.128.146
>   DATES: [18/Oct/2002:00:48:40] - [18/Oct/2002:00:48:40]
>   NUM OF NIMDA REQUESTS: 1
>   EXAMPLE REQUEST: GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir
> 
> HOST: aputeaux-104-1-3-95.abo.wanadoo.fr
>   DATES: [20/Oct/2002:20:24:15] - [20/Oct/2002:20:24:15]
>   NUM OF NIMDA REQUESTS: 1
>   EXAMPLE REQUEST: GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir
> 
> ---------------------------------------------------
> TOTAL NUMBER OF NIMDA STYLE REQUESTS: 1564
> TOTAL NUMBER OF INFECTED CLIENTS: 19
> TOTAL NUMBER OF INFECTED ATTBI CLIENTS: 15
> ---------------------------------------------------
> 
> Again, I hope this information was useful.
> 
> Sincerely,
> Doug Dooley
> dougdooley at attbi.com
> -----Original Message-----
> From: svlug-bounces+dougdooley=attbi.com at svlug.org
> [mailto:svlug-bounces+dougdooley=attbi.com at svlug.org] On 
> Behalf Of Daevid Vincent
> Sent: Friday, October 25, 2002 3:45 PM
> To: SVLUG
> Subject: [svlug] Is this a hack attempt?
> 
> I run RH8.0 so this sure seems suspicious to me:
> 
> 1-0 25065 0/508/508 _  6.42 128 0 0.0 130.31 130.31  12.237.249.145 daevid.com GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> 4-0 25068 0/519/519 _  5.86 139 0 0.0 143.76 143.76  12.237.249.145 daevid.com GET /MSADC/root.exe?/c+dir HTTP/1.0 
> 5-0 25069 0/518/518 _  5.84 142 0 0.0 99.62 99.62  12.237.249.145 daevid.com GET /scripts/root.exe?/c+dir HTTP/1.0 
> 6-0 25070 0/531/531 _  6.44 114 0 0.0 129.48 129.48  12.237.249.145 daevid.com GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../.. 
> 7-0 25071 0/525/525 _  6.93 117 0 0.0 139.17 139.17  12.237.249.145 daevid.com GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd. 
> 8-0 25214 0/503/503 _  5.83 136 0 0.0 118.91 118.91  12.237.249.145 daevid.com GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0 
> 9-0 25774 0/271/271 _  4.87 133 0 0.0 119.94 119.94  12.237.249.145 daevid.com GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0 
> 10-0 26526 0/457/457 _  5.36 335 0 0.0 100.78 100.78  12.229.31.145 daevid.com GET /MSADC/root.exe?/c+dir HTTP/1.0 
> 14-0 26531 0/334/334 _  3.51 119 0 0.0 89.96 89.96  12.237.249.145 daevid.com GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd. 
> 
> And so now is there a way I can make a file of IP/domains 
> that are banned from contacting my server (all ports)?
> 
> 
> _______________________________________________
> svlug mailing list
> svlug at lists.svlug.org http://lists.svlug.org/lists/listinfo/svlug
> 
> 
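The log-parsing and per-host aggregation that Doug's weekly report describes, as an added example in Python rather than his Perl script (this is not the thread's own code). It assumes Apache common-log-format input; the log lines below are constructed samples, and the request patterns are the root.exe / cmd.exe / double-encoded traversal shapes quoted in the thread.

```python
import re
from datetime import datetime

# Constructed sample access-log lines in Apache common log format (not from the thread).
SAMPLE_LOG = """\
12.236.29.75 - - [13/Oct/2002:01:32:19 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 291
12.236.29.75 - - [13/Oct/2002:01:32:20 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 289
65.240.128.146 - - [18/Oct/2002:00:48:40 -0700] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 319
10.0.0.5 - - [18/Oct/2002:09:00:01 -0700] "GET /index.html HTTP/1.1" 200 1043
12.236.29.75 - - [21/Oct/2002:04:00:13 -0700] "GET /_vti_bin/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311
"""

TS_FMT = "%d/%b/%Y:%H:%M:%S"
# client host, timestamp inside [...], quoted request line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')
# Request shapes the Code Red II / Nimda worms send, as seen in the thread.
NIMDA_RE = re.compile(r"(root\.exe|cmd\.exe|%255c|%c1%1c)", re.IGNORECASE)


def parse_nimda_report(log_text):
    """Group worm-style requests by client host.
    Returns (per_host, total_requests, infected_hosts); per_host maps host ->
    {"first": datetime, "last": datetime, "count": int, "example": str}."""
    per_host = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        host, ts, request = m.groups()
        if not NIMDA_RE.search(request):
            continue  # ordinary traffic; not part of the report
        when = datetime.strptime(ts.split()[0], TS_FMT)  # drop the TZ offset
        e = per_host.setdefault(host, {"first": when, "last": when, "count": 0, "example": request})
        e["count"] += 1
        e["first"] = min(e["first"], when)  # tolerate out-of-order log lines
        e["last"] = max(e["last"], when)
    total = sum(e["count"] for e in per_host.values())
    return per_host, total, len(per_host)


def format_report(per_host, total, hosts):
    """Render the same layout as the example weekly email above."""
    out = []
    for host in sorted(per_host):
        e = per_host[host]
        out += [f"HOST: {host}",
                f"  DATES: [{e['first'].strftime(TS_FMT)}] - [{e['last'].strftime(TS_FMT)}]",
                f"  NUM OF NIMDA REQUESTS: {e['count']}",
                f"  EXAMPLE REQUEST: {e['example']}", ""]
    out += [f"TOTAL NUMBER OF NIMDA STYLE REQUESTS: {total}",
            f"TOTAL NUMBER OF INFECTED CLIENTS: {hosts}"]
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(*parse_nimda_report(SAMPLE_LOG)))
```

Pipe the output to your provider's abuse address from cron; the hosts in a real report should come from your own access log, not from the constructed sample.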