Full Disclosure mailing list archives
Re: Need help to find web server attacks signature
From: "Maxime Ducharme" <maxime () pandore-design com>
Date: Wed, 22 Oct 2003 15:09:04 -0400
More weird stuff beginning: we see some HTTP GETs which contain this information:

    Accept: */*
    Host: website.domain.com
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
    -------: ----:----------------------
    ----------: -----

We got this via tcpdump. There is no other HTTP information. 2 headers are "hidden" and replaced with the "-" char.

It looks like a bot (GET many times on many pages) and the source is in this block:

    81.62.0.0 - 81.62.255.255 BLUEWINNET

which is not the same as the one used for our attack yesterday.

Any thoughts on these "hidden" HTTP headers?

Thanks again

---------------------------------------------------------------
Maxime Ducharme
Network administrator, Programmer
E-Mail : maxime () pandore-design com
PGP public key : http://pandore-design.com/pgp/maxime.asc
Pandore-Design [http://www.pandore-design.com]
Tel : (866) 961-9321
Fax : (866) 961-9943

----- Original Message -----
From: "Maxime Ducharme" <maxime () pandore-design com>
To: <full-disclosure () lists netsys com>
Sent: Wednesday, October 22, 2003 1:40 PM
Subject: Need help to find web server attacks signature
Hi all,

I'd need help to identify an attack that happened on one of our customers' web servers yesterday. I put the log file here:

http://www.pandore-design.com/security/2003-10-21-IIS-attack.txt

I see some attacks that seem to be a security scanner tool, and some attacks which target specific pages of the web site (where we begin to see 200 responses from the web server).

Does someone recognize a tool / virus / worm in this?

Thanks in advance for help

---------------------------------------------------------------
Maxime Ducharme
Network administrator, Programmer
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
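Added example (not part of the original post or of the list archive): a Python sketch that flags dash-masked header lines like the ones described in the message above in captured request text, and counts the affected requests per source. The sample requests, the 192.0.2.x addresses, the HTTP/1.0 request line, the dash-run lengths and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Header name made only of '-'; value made only of '-' and ':' with at least one '-'.
MASKED = re.compile(r"^(-+):[ \t]*([-:]*-[-:]*)$")

def masked_headers(raw_request):
    """Return (name_len, value_len) for each dash-masked header line."""
    head = raw_request.replace("\r\n", "\n").split("\n\n", 1)[0]
    found = []
    for line in head.split("\n")[1:]:  # skip the request line
        m = MASKED.match(line.rstrip())
        if m:
            found.append((len(m.group(1)), len(m.group(2))))
    return found

def summarize(captures):
    """captures: iterable of (source_ip, raw_request) pairs."""
    per_source, shapes = Counter(), Counter()
    for src, raw in captures:
        hits = masked_headers(raw)
        if hits:
            per_source[src] += 1                       # requests with masked headers
            shapes[tuple(n for n, _ in hits)] += 1     # masked name lengths, in order
    return per_source, shapes

def _request(path, extra_lines):
    # Builds a constructed request with the visible headers quoted in the post.
    lines = [f"GET {path} HTTP/1.0", "Accept: */*", "Host: website.domain.com",
             "User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"]
    return "\r\n".join(lines + extra_lines) + "\r\n\r\n"

# Constructed sample data: dash runs of fixed, illustrative lengths.
MASKED_LINES = ["-" * 7 + ": " + "-" * 4 + ":" + "-" * 22, "-" * 10 + ": " + "-" * 5]
SAMPLE = [
    ("192.0.2.10", _request("/index.asp", MASKED_LINES)),
    ("192.0.2.10", _request("/contact.asp", MASKED_LINES)),
    ("192.0.2.77", _request("/index.asp", ["Accept-Language: en-us",
                                           "Connection: Keep-Alive"])),
]

if __name__ == "__main__":
    per_source, shapes = summarize(SAMPLE)
    for src, n in per_source.most_common():
        print(f"{src}: {n} request(s) with masked headers")
    for shape, n in shapes.items():
        print(f"masked name lengths {shape}: seen {n} time(s)")
```

Grouping by the tuple of masked name lengths makes it easy to see whether every flagged request carries the same pattern or whether several different clients are involved.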