I've just been going through my error logs, and recently I'm noticing a pattern of the same series of failed commands, about 4-5 times a day.
The pattern looks like this:
scripts/root.exe
msadc/root.exe
c/winnt/system32/cmd.exe
d/winnt/system32/cmd.exe
scripts/..%5c/winnt/system32/cmd.exe
/_vti_bin/..%5c/..%5c/..%5c/winnt/system32/cmd.exe
_mem_bin/..%5c/..%5c/..%5c/winnt/system32/cmd.exe
msadc/..%5c/..%5c/..%5c/..Á/..Á/..Á/winnt/system32/cmd.exe
scripts/..Á/winnt/system32/cmd.exe
scripts/..À¯/winnt/system32/cmd.exe
scripts/..Á?/winnt/system32/cmd.exe
scripts/..%5c/winnt/system32/cmd.exe
scripts/..%2f/winnt/system32/cmd.exe
Has anyone else noticed this before, as in, is it a common script used in an attempt to gain control? Or perhaps it's a common virus/backdoor program that's being run on startup of the infected system? Or do I just have some little fool running a little script over and over and over hoping that just once my system will change and they'll actually succeed?
Generally, in summary, none of these "attacks" has been successful, as even if the commands worked they're looking in the wrong location. I've already snagged the IP, and talked with the ResNet people (as it's coming from a location on the university campus) so they already have it narrowed down to what building/room/jack was used.
I'm just looking for more info for the future, any comments appreciated.
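One way to pick these probes out of an access log and tally them per client, as an added example that is not part of the original post. The log lines and IPs are constructed; the overlong UTF-8 sequences in the traversal regex are an assumption about what the garbled bytes in the post originally were.

```python
"""Flag IIS traversal / cmd.exe probes in a web access log and tally them by client."""
import re
from collections import Counter

# Constructed sample log lines in Apache combined format (IPs are placeholders).
SAMPLE_LOG = """\
10.0.0.7 - - [12/Oct/2001:03:14:01 +0000] "GET /scripts/root.exe HTTP/1.0" 404 281 "-" "-"
10.0.0.7 - - [12/Oct/2001:03:14:01 +0000] "GET /msadc/root.exe HTTP/1.0" 404 281 "-" "-"
10.0.0.7 - - [12/Oct/2001:03:14:02 +0000] "GET /scripts/..%5c/winnt/system32/cmd.exe HTTP/1.0" 404 281 "-" "-"
10.0.0.7 - - [12/Oct/2001:03:14:02 +0000] "GET /scripts/..%c0%af/winnt/system32/cmd.exe HTTP/1.0" 404 281 "-" "-"
10.0.0.7 - - [12/Oct/2001:03:14:03 +0000] "GET /scripts/..%2f/winnt/system32/cmd.exe HTTP/1.0" 404 281 "-" "-"
192.0.2.5 - - [12/Oct/2001:03:20:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# ".." followed by a separator in its raw (still percent-encoded) form. %c0%af, %c1%1c and
# %c1%9c are overlong UTF-8 spellings of "/" and "\" (assumption: the post's garbled bytes).
TRAVERSAL_RE = re.compile(r'\.\.(?:%5c|%2f|/|\\|%c0%af|%c1%1c|%c1%9c)', re.IGNORECASE)
TARGET_RE = re.compile(r'/(?:cmd|root)\.exe$', re.IGNORECASE)


def classify(path):
    """Return a reason string if the raw request path looks like a command-shell probe, else None."""
    raw = path.split("?", 1)[0].lower()
    if not TARGET_RE.search(raw):
        return None
    if TRAVERSAL_RE.search(raw):
        return "traversal-to-cmd.exe"
    return "direct-root.exe"  # no traversal: probes for an already-present root.exe copy


def scan(log_text):
    """Return a list of (ip, status, path, reason) for every probe line in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (reason := classify(m["path"])):
            hits.append((m["ip"], int(m["status"]), m["path"], reason))
    return hits


def probing_clients(hits, min_hits=3):
    """Map client IP -> probe count for clients that sent at least min_hits probes."""
    counts = Counter(ip for ip, *_ in hits)
    return {ip: n for ip, n in counts.items() if n >= min_hits}


def successful_hits(hits):
    """Probes answered with a 2xx status; the poster's all failed, so this list should stay empty."""
    return [h for h in hits if 200 <= h[1] < 300]
```

An empty `successful_hits` result confirms the requests bounced, while a client appearing in `probing_clients` several times a day is the repeating pattern the post describes.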