Web Hosting Talk

Run check your NT Servers!!! (possible new uprising of new/old NT web holes)


slade
09-18-2001, 02:16 PM
Three different machines in IP ranges that start with 64.x.x.x just hit one of my Linux boxes asking for these files (in approximately the same order):

public_html/scripts/..%2f../winnt/system32/cmd.exe
public_html/scripts/..%5c../winnt/system32/cmd.exe
public_html/scripts/..Á?../winnt/system32/cmd.exe
public_html/scripts/..À¯../winnt/system32/cmd.exe
public_html/scripts/..Á../winnt/system32/cmd.exe
public_html/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe
public_html/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
public_html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
public_html/scripts/..%5c../winnt/system32/cmd.exe
public_html/d/winnt/system32/cmd.exe
public_html/c/winnt/system32/cmd.exe
public_html/MSADC/root.exe
public_html/scripts/root.exe

I'm glad I opted for Linux.

Note: these were all within the last 45 mins. Also, this is log format, so the bottom request was first.

The Prohacker
09-18-2001, 05:09 PM
Try running :
cat /etc/httpd/logs/access_log | grep -c system32/cmd.exe

And see how many hits you have on it; mine was 38422...

Of course alter your path to your apache logs...

slade
09-19-2001, 12:43 AM
This particular site has spit out a 40 meg log file for just the first 10 days of Sept...

I'd rather not try for a buffer overflow with cat :D

Domenico
09-19-2001, 08:35 AM
Mine was 37754 ;-)

What a total waste. Maybe they can make the worm more intelligent and let it check for the OS first...

hehehe

Precise
09-21-2001, 09:35 PM
110172

smartbackups
09-21-2001, 09:39 PM
Just on one of our servers in three days we have had over 160k. It seems to be tapering just a bit. I did do this in my httpd.conf file:

RedirectMatch (.*)/cmd\.exe$ http://127.0.0.1
RedirectMatch (.*)/default\.ida$ http://127.0.0.1
RedirectMatch (.*)/root\.exe$ http://127.0.0.1

I put this between the <Directory> </Directory> container for the main site.

It redirects them back at themselves. :)
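As an added example, not code from the thread or from any of its posters, here is a small Python log scanner that does by program what the two suggestions above do by hand: it counts the cmd.exe lines the way the grep -c one-liner does, tallies each probe signature (the same three file names the RedirectMatch rules key on, plus the ..%5c and ..%2f traversal sequences from the request list), and groups hits by source IP so the scanning hosts can be listed for their upstream provider. The sample log lines are constructed to resemble the quoted requests; the IPs (64.0.0.x, 10.0.0.5), timestamps and byte counts are invented, and the script assumes Apache common log format.

```python
import re
from collections import Counter

# Constructed Apache common-log-format lines shaped like the probes quoted in
# the thread (cmd.exe / root.exe traversal requests and a default.ida hit),
# plus two ordinary requests. Made-up sample data, not real logs.
SAMPLE_LOG = """\
64.0.0.1 - - [18/Sep/2001:13:31:02 -0400] "GET /scripts/root.exe HTTP/1.0" 404 278
64.0.0.1 - - [18/Sep/2001:13:31:02 -0400] "GET /MSADC/root.exe HTTP/1.0" 404 276
64.0.0.1 - - [18/Sep/2001:13:31:03 -0400] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 290
64.0.0.2 - - [18/Sep/2001:13:40:11 -0400] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe HTTP/1.0" 404 310
64.0.0.2 - - [18/Sep/2001:13:40:12 -0400] "GET /scripts/..%2f../winnt/system32/cmd.exe HTTP/1.0" 404 297
64.0.0.3 - - [18/Sep/2001:13:55:40 -0400] "GET /default.ida HTTP/1.0" 404 280
10.0.0.5 - - [18/Sep/2001:14:01:00 -0400] "GET /index.html HTTP/1.0" 200 1043
10.0.0.5 - - [18/Sep/2001:14:01:01 -0400] "GET /images/logo.gif HTTP/1.0" 200 5120
"""

# Common log format: host ident user [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Signatures applied to the request path. The first three mirror the
# RedirectMatch rules from the thread (dot escaped, so "cmd.exe" is literal);
# the traversal rule catches the "..%5c" / "..%2f" escapes from the quoted
# requests and the overlong-UTF-8 prefixes "%c0" / "%c1" (assumed here).
PROBE_PATTERNS = {
    "cmd.exe": re.compile(r"/cmd\.exe(?:\?|$)", re.IGNORECASE),
    "root.exe": re.compile(r"/root\.exe(?:\?|$)", re.IGNORECASE),
    "default.ida": re.compile(r"/default\.ida(?:\?|$)", re.IGNORECASE),
    "traversal": re.compile(r"\.\.(?:%2f|%5c|%c0|%c1|/|\\)", re.IGNORECASE),
}


def classify(path):
    """Return the names of every probe signature that matches a request path."""
    return {name for name, rx in PROBE_PATTERNS.items() if rx.search(path)}


def count_cmd_exe(log_text):
    """Same number as `grep -c system32/cmd.exe access_log` from the thread."""
    return sum(1 for line in log_text.splitlines() if "system32/cmd.exe" in line)


def scan_log(log_text):
    """Parse CLF lines and tally probe hits.

    Returns (total_probe_lines, hits_per_source_ip, hits_per_signature).
    Lines that do not parse as CLF are skipped rather than raising.
    """
    per_ip = Counter()
    per_sig = Counter()
    total = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        sigs = classify(m.group("path"))
        if not sigs:
            continue
        total += 1
        per_ip[m.group("ip")] += 1
        per_sig.update(sigs)  # one count per matching signature
    return total, per_ip, per_sig


def report(log_text):
    """Readable summary: the counts people posted, plus the per-IP list a NOC asks for."""
    total, per_ip, per_sig = scan_log(log_text)
    lines = [f"cmd.exe lines (grep -c equivalent): {count_cmd_exe(log_text)}",
             f"total probe requests: {total}"]
    lines += [f"  {sig}: {n}" for sig, n in sorted(per_sig.items())]
    lines.append("scanning hosts (hits):")
    lines += [f"  {ip}: {n}" for ip, n in per_ip.most_common()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a real access_log by reading the file into `scan_log` instead of `SAMPLE_LOG`; because it streams line by line and skips anything that is not CLF, a 40 MB log is not a problem. Note that the signatures match the decoded request path the way Apache's RedirectMatch does, so escaping the dots matters: an unescaped `cmd.exe` would also match paths like `cmdXexe`.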

Precise
09-21-2001, 09:56 PM
I tried doing that but it says "RedirectMatch" unknown.

Can you give more info on how to do this?

Patrick

StephenRS
09-21-2001, 10:39 PM
I'm being hit by LOCAL machines at Pajo (Acsdatanet) and Weinbar. Our pwebtech (Pegasus) server is not getting hit... I haven't had a chance to check our affordablecolo server yet.

Thousands of hits at 100Mbps LAN speed!

Alex@pajo
09-22-2001, 01:16 AM
Originally posted by StephenRS
I'm being hit by LOCAL machines at Pajo (Acsdatanet) and Weinbar. Our pwebtech (Pegasus) server is not getting hit... I haven't had a chance to check our affordablecolo server yet.

Thousands of hits at 100Mbps LAN speed!

StephenRS,

Please send the list of IPs hitting you to NOC@PAJO.COM. We have applied filters where we can; it is funny you have mentioned one of our COLO customers. COLO has had a filter applied as of a few days ago to block the ability to infest outside hosts. However, pre-infested machines will still scan. Our TDM customers (due to limitations on layer 3 lookups and MPLS) will not allow these same filters to work (unless we put the filter on EVERY serial port, way too taxing). Thus please send the block(s) to the above address. We will get on it right away.

Alex Paoli
Director of Technology
Pajo, Inc.