Security Incidents mailing list archives

HTTP attacks over weekend


From: phred () PACIFICWEST COM (phred () PACIFICWEST COM)
Date: Mon, 24 Apr 2000 19:35:16 -0400


My site underwent a number of generic HTTP attacks this weekend that were recorded by RealSecure.  Attacks were
initiated from 4 different IPs.  They used a hodgepodge of attacks reflecting no specific knowledge of my site.  ISS.net
will have full descriptions of the attack signatures.

  From:      212.176.36.12
FromPort       Date                            To    To Port EventName                                 Information
 2281   4/23/00 8:30:18AM     206.81.    80     HTTP_IE_BAT                             URL   /....../autoexec.bat
 2283   4/23/00 8:30:19AM     206.81.    80     HTTP_IIS$DATA                   URL   /default.asp::$DATA
 2284   4/23/00 8:30:19AM     206.81.    80     HTTP_IE_BAT                     URL   /ows-bin/*.bat
 2285   4/23/00 8:30:19AM     206.81.    80     HTTP_Netscape_SpaceView         URL   /cgi-bin/edit.pl
 2286   4/23/00 8:30:20AM     206.81.    80     HTTP_Netscape_SpaceView         URL  /.html/............./config.sys
 2288   4/23/00 8:30:21AM     206.81.    80     HTTP_Netscape_SpaceView         URL   /doc
 2289   4/23/00 8:30:21AM     206.81.    80     HTTP_Novell_Files                       URL   /perl/files.pl
 2291   4/23/00 8:30:22AM     206.81.    80     HTTP_Netscape_PageServices      URL   /?PageServices
 2297   4/23/00 8:30:26AM     206.81.    80     HTTP_Unix_Passwords                     URL   /etc/passwd
 2300   4/23/00 8:30:28AM     206.81.    80     HTTP_Netscape_SpaceView         URL   /cgi-bin/rwwwshell.pl
 2303   4/23/00 8:30:29AM     206.81.    80     HTTP_WebFinger                  URL   /cgi-bin/finger
 2307   4/23/00 8:30:32AM     206.81.    80     HTTP_WebFinger                  URL   /cgi-bin/finger?@localhost
 2322   4/23/00 8:30:44AM     206.81.    80     HTTP_IE_BAT                     URL   /cgi-bin/test.bat
 2327   4/23/00 8:31:32AM     206.81.    80     HTTP_TestCgi                    URL   /cgi-bin/test-cgi
 2340   4/23/00 8:31:39AM     206.81.    80     HTTP_Netscape_SpaceView         URL   /_vti_pvt/authors.pwd

          Unable to find any TLD information for this domain.
          Please check the domain and verify that it is part
          of a valid top level domain. "217.176.36.12 -arin"

  From:      212.109.41.100
FromPort       Date                  To        To Port   EventName                     Information
 3285   4/22/00 7:13:12AM     206.81.       80     HTTP_PHF                      URL   //cgi-bin/phf.cgi
 3311   4/22/00 7:14:25AM     206.81.       80     HTTP_IE_BAT                   URL   //....../autoexec.bat
 3343   4/22/00 7:15:26AM     206.81.       80     HTTP_WebSite_Uploader         URL   //cgi-win/uploader.exe
 3345   4/22/00 7:15:29AM     206.81.       80     HTTP_IE_BAT                   URL   //cgi-dos/args.bat
 3359   4/22/00 7:15:42AM     206.81.       80     HTTP_Netscape_PageServices    URL   //?PageServices

% Rights restricted by copyright. See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum:     212.109.41.0 - 212.109.41.127
netname:     SA-KHARKOV-SOVAMNET
descr:       26, Konstitutsiyi sq., suite 23
descr:       Kharkov
country:     UA
admin-c:     OG965-RIPE
tech-c:      OG965-RIPE
status:      ASSIGNED PA
notify:      oleg () sa net ua
mnt-by:      SOVAMUA-MNT
changed:     doka () kiev sovam com 19991105
source:      RIPE

  From:      63.17.219.174
FromPort       Date                  To        To Port   EventName                     Information
 3527   4/22/00 12:20:43PM    206.81.       80     HTTP_Novell_Files             URL   /perl/files.pl
 3635   4/22/00 12:21:00PM    206.81.       80     HTTP_Netscape_SpaceView       URL   /ss.cfg
 3654   4/22/00 12:21:02PM    206.81.       80     HTTP_IE_BAT                   URL   /cgi-dos/args.bat

UUNET Technologies, Inc. (NETBLK-NETBLK-UUNET97DU)
   3060 Williams Drive, Suite 601
   Fairfax, va 22031
   US

   Netname: NETBLK-UUNET97DU
   Netblock: 63.0.0.0 - 63.41.255.255
   Maintainer: UUDA

   Coordinator:
      UUnet, AlterNet - Technical Support  (OA12-ARIN)  help () UUNET UU NET
      () -

  From:      193.232.88.16
FromPort       Date                            To      To Port     EventName           Information
 2361   4/23/00 8:30:12AM     206.81.       80     HTTP_WebSite_Uploader         URL   /cgi-win/uploader.exe
 21970  4/23/00 8:34:38AM     206.81.       80     HTTP_WebSite_Uploader         URL   /cgi-win/uploader.exe
 36764  4/23/00 8:38:08AM     206.81.       80     HTTP_WebSite_Uploader         URL   /cgi-win/uploader.exe
 51953  4/23/00 8:41:38AM     206.81.       80     HTTP_WebSite_Uploader         URL   /cgi-win/uploader.exe
 9836   4/23/00 8:46:55AM     206.81.       80     HTTP_WebSite_Uploader         URL   /cgi-win/uploader.exe
 40840  4/23/00 8:53:56AM     206.81.       80     HTTP_WebSite_Uploader         URL   /cgi-win/uploader.exe
 5398   4/23/00 9:00:57AM     206.81.       80     HTTP_WebSite_Uploader         URL   /cgi-win/uploader.exe
 2366   4/23/00 9:11:40AM     206.81.       80     HTTP_WebSite_Uploader         URL   /cgi-win/uploader.exe
 45994  4/23/00 9:22:11AM     206.81.       80     HTTP_WebSite_Uploader         URL   /cgi-win/uploader.exe
 24707  4/23/00 9:32:41AM     206.81.       80     HTTP_WebSite_Uploader         URL   /cgi-win/uploader.exe
 1947   4/23/00 9:43:13AM     206.81.       80     HTTP_WebSite_Uploader         URL   /cgi-win/uploader.exe
 45022  4/23/00 9:53:39AM     206.81.       80     HTTP_WebSite_Uploader         URL   /cgi-win/uploader.exe

% Rights restricted by copyright. See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum:     193.232.88.0 - 193.232.91.255
netname:     ROSPRINT-NET
descr:       RoSprint Company
descr:       Data Communications
descr:       Moscow, Russia
country:     RU
admin-c:     AP9-RIPE
tech-c:      AP9-RIPE
mnt-by:      ROSPRINT-NCC
changed:     pooh () ipnms rosprint net 19960202
source:      RIPE

route:       193.232.88.0/22
descr:       ROSPRINT-NET
origin:      AS2854
mnt-by:      ROSPRINT-NCC
changed:     andrew () ipnms rosprint net 19950908
source:      RIPE

person:      Andrey Petukhov
address:     Global One Russia (RoSprint)
address:     7 Tverskaya ul, Ent. #7,
address:     Moscow, 103375
address:     Russia
phone:       +7 095 705 9229
fax-no:      +7 095 929 9363
e-mail:      pooh () ipnms rosprint net
nic-hdl:     AP9-RIPE
mnt-by:      ROSPRINT-NCC
changed:     pooh () ipnms rosprint net 19970121
changed:     dru () ipnms rosprint net 19981104
source:      RIPE


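A triage script for RealSecure rows in the layout quoted above, added here as an example and not part of the original post: it parses a constructed sample (destination /24 stubbed as "206.81." as in the post) and labels each source by whether it fired many different signatures within a short window, as the first hosts did, or retried one probe over and over, as 193.232.88.16 did. The window_s threshold and the label names are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample rows in the RealSecure layout quoted in the post; the
# destination /24 is stubbed as "206.81." exactly as in the original.
SAMPLE = """\
  From:      212.176.36.12
 2281   4/23/00 8:30:18AM     206.81.    80     HTTP_IE_BAT           URL   /....../autoexec.bat
 2283   4/23/00 8:30:19AM     206.81.    80     HTTP_IIS$DATA         URL   /default.asp::$DATA
 2297   4/23/00 8:30:26AM     206.81.    80     HTTP_Unix_Passwords   URL   /etc/passwd
  From:      193.232.88.16
 2361   4/23/00 8:30:12AM     206.81.    80     HTTP_WebSite_Uploader URL   /cgi-win/uploader.exe
 21970  4/23/00 8:34:38AM     206.81.    80     HTTP_WebSite_Uploader URL   /cgi-win/uploader.exe
  From:      63.17.219.174
 3635   4/22/00 12:21:00PM    206.81.    80     HTTP_Netscape_SpaceView URL/ss.cfg
"""

SRC = re.compile(r"^\s*From:\s+(\d+\.\d+\.\d+\.\d+)")
ROW = re.compile(r"^\s*(\d+)\s+(\d+/\d+/\d+\s+\d+:\d+:\d+[AP]M)\s+(\S+)\s+(\d+)\s+(\S+)\s+URL\s*(\S+)")

def parse(text):
    """Turn the pasted report into dicts; each 'From:' line sets the source IP for the rows under it."""
    rows, src = [], None
    for line in text.splitlines():
        if m := SRC.match(line):
            src = m.group(1)
        elif src and (m := ROW.match(line)):  # FromPort, Date, To, To Port, EventName, URL (maybe unspaced)
            rows.append({"src": src, "sport": int(m.group(1)),
                         "time": datetime.strptime(m.group(2), "%m/%d/%y %I:%M:%S%p"),
                         "event": m.group(5), "url": m.group(6)})
    return rows

def profile(rows, window_s=300):
    """Summarise each source: hit count, distinct signatures, seconds spanned and a label:
    many signatures inside window_s = untargeted scanner; one signature repeated = retried probe."""
    by_src = defaultdict(list)
    for r in rows:
        by_src[r["src"]].append(r)
    out = {}
    for src, rs in by_src.items():
        times = sorted(r["time"] for r in rs)
        span = (times[-1] - times[0]).total_seconds()
        sigs = sorted({r["event"] for r in rs})
        label = ("generic-scanner" if len(sigs) > 1 and span <= window_s
                 else "repeated-single-probe" if len(sigs) == 1 and len(rs) > 1
                 else "review")  # a lone hit is left for a human to read
        out[src] = {"hits": len(rs), "signatures": sigs, "span_s": span, "label": label}
    return out
```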