Security Incidents mailing list archives

RE: Strange Web requests.


From: "Geoffrey King" <gking () evildomain dyndns org>
Date: Sat, 1 Dec 2001 00:17:04 -0000

I guess it was a portscan with some funky per-port options

messages:Nov 30 16:18:36 evildomain snort: MISC-WinGate-8080-Attempt:
207.33.111.32:2464 -> 62.30.33.207:8080
messages:Nov 30 16:18:36 evildomain snort: spp_portscan: PORTSCAN DETECTED
from 207.33.111.32 (THRESHOLD 4 connections exceeded in 8 seconds)
messages:Nov 30 16:18:36 evildomain snort: MISC-WinGate-1080-Attempt:
207.33.111.32:2465 -> 62.30.33.207:1080
messages:Nov 30 16:18:36 evildomain snort: spp_http_decode: CGI Null Byte
attack detected: 207.33.111.32:2463 -> 62.30.33.207:80
messages:Nov 30 16:18:36 evildomain snort: SCAN - Whisker Stealth Mode 4-
HEAD: 207.33.111.32:2463 -> 62.30.33.207:80
messages:Nov 30 16:18:37 evildomain snort: spp_http_decode: CGI Null Byte
attack detected: 207.33.111.32:2467 -> 62.30.33.207:80
messages:Nov 30 16:18:37 evildomain snort: SCAN - Whisker Stealth Mode 4-
HEAD: 207.33.111.32:2467 -> 62.30.33.207:80
messages:Nov 30 16:18:37 evildomain snort: WEB-MISC-.htaccess:
207.33.111.32:2467 -> 62.30.33.207:80
messages:Nov 30 16:18:38 evildomain proftpd[24397]: connect from
207.33.111.32 (207.33.111.32)
messages:Nov 30 16:18:38 evildomain snort: spp_http_decode: CGI Null Byte
attack detected: 207.33.111.32:2468 -> 62.30.33.207:80
messages:Nov 30 16:18:38 evildomain snort: SCAN - Whisker Stealth Mode 4-
HEAD: 207.33.111.32:2468 -> 62.30.33.207:80
messages:Nov 30 16:18:38 evildomain snort: spp_http_decode: CGI Null Byte
attack detected: 207.33.111.32:2470 -> 62.30.33.207:80
messages:Nov 30 16:18:38 evildomain snort: SCAN - Whisker Stealth Mode 4-
HEAD: 207.33.111.32:2470 -> 62.30.33.207:80
messages:Nov 30 16:18:38 evildomain snort: SCAN - Whisker Stealth-
WS_FTP.INI access attempt : 207.33.111.32:2470 -> 62.30.33.207:80
messages:Nov 30 16:18:40 evildomain snort: spp_portscan: portscan status
from 207.33.111.32: 5 connections across 1 hosts: TCP(5), UDP(0)
messages:Nov 30 16:18:42 evildomain snort: spp_http_decode: CGI Null Byte
attack detected: 207.33.111.32:2472 -> 62.30.33.207:80
messages:Nov 30 16:18:42 evildomain snort: SCAN - Whisker Stealth Mode 4-
HEAD: 207.33.111.32:2472 -> 62.30.33.207:80
messages:Nov 30 16:18:42 evildomain snort: SCAN - Whisker Stealth-
WS_FTP.INI access attempt : 207.33.111.32:2472 -> 62.30.33.207:800183
F=0x4000 T=53 SYN (#1802)
messages:Nov 30 16:18:42 evildomain proftpd[24397]:
evildomain.internallan.org (207.33.111.32[207.33.111.32]) - FTP session
opened.
messages:Nov 30 16:18:42 evildomain snort: spp_http_decode: CGI Null Byte
attack detected: 207.33.111.32:2477 -> 62.30.33.207:80
messages:Nov 30 16:18:42 evildomain snort: SCAN - Whisker Stealth Mode 4-
HEAD: 207.33.111.32:2477 -> 62.30.33.207:80
messages:Nov 30 16:18:43 evildomain proftpd[24397]:
evildomain.internallan.org (207.33.111.32[207.33.111.32]) - FTP session
closed.
messages:Nov 30 16:18:44 evildomain snort: spp_portscan: portscan status
from 207.33.111.32: 1 connections across 1 hosts: TCP(1), UDP(0)
messages:Nov 30 16:18:50 evildomain snort: spp_portscan: portscan status
from 207.33.111.32: 1 connections across 1 hosts: TCP(1), UDP(0)
messages:Nov 30 16:18:52 evildomain snort: spp_http_decode: CGI Null Byte
attack detected: 207.33.111.32:2478 -> 62.30.33.207:80
messages:Nov 30 16:18:52 evildomain snort: SCAN - Whisker Stealth Mode 4-
HEAD: 207.33.111.32:2478 -> 62.30.33.207:80
messages:Nov 30 16:18:53 evildomain snort: spp_http_decode: CGI Null Byte
attack detected: 207.33.111.32:2500 -> 62.30.33.207:80
messages:Nov 30 16:18:53 evildomain snort: SCAN - Whisker Stealth Mode 4-
HEAD: 207.33.111.32:2500 -> 62.30.33.207:80
messages:Nov 30 16:18:53 evildomain snort: spp_http_decode: CGI Null Byte
attack detected: 207.33.111.32:2504 -> 62.30.33.207:80
messages:Nov 30 16:18:53 evildomain snort: SCAN - Whisker Stealth Mode 4-
HEAD: 207.33.111.32:2504 -> 62.30.33.207:80
messages:Nov 30 16:18:53 evildomain snort: SCAN - Whisker Stealth- mlog
access attempt: 207.33.111.32:2504 -> 62.30.33.207:80
messages:Nov 30 16:18:54 evildomain snort: spp_portscan: portscan status
from 207.33.111.32: 1 connections across 1 hosts: TCP(1), UDP(0)
messages:Nov 30 16:18:57 evildomain snort: spp_http_decode: CGI Null Byte
attack detected: 207.33.111.32:2505 -> 62.30.33.207:80
messages:Nov 30 16:18:57 evildomain snort: SCAN - Whisker Stealth Mode 4-
HEAD: 207.33.111.32:2505 -> 62.30.33.207:80
messages:Nov 30 16:18:57 evildomain snort: SCAN - Whisker Stealth- mylog
access attempt: 207.33.111.32:2505 -> 62.30.33.207:80
messages:Nov 30 16:18:59 evildomain snort: spp_portscan: portscan status
from 207.33.111.32: 1 connections across 1 hosts: TCP(1), UDP(0)
messages:Nov 30 16:19:03 evildomain snort: spp_portscan: End of portscan
from 207.33.111.32: TOTAL time(29s) hosts(1) TCP(9) UDP(0)

-----Original Message-----
From: Michael Ward
Sent: Friday, November 30, 2001 4:35 PM
To: 'gking () evildomain dyndns org'
Subject: RE: Strange Web requests.


Almost looks like a reconnaissance scan.  It seems to be using the HEAD
command instead of GET, which usually indicates that the client is
scanning for open vulnerabilities... but, it seems like they're
incorporating some kind of buffer overflow into it.  Do you have any
other entries in any of your logs from this IP?

-Mike



-----Original Message-----
From: Geoffrey King [mailto:gking () evildomain dyndns org]
Sent: Friday, November 30, 2001 11:01 AM
To: incidents () securityfocus com
Subject: Strange Web requests.


I'm getting some weird web requests coming in on my home cable modem
setup.


[Fri Nov 30 16:18:52 2001] [error] [client 207.33.111.32] Invalid method in request HEAD%00
/%20HTTP/1.0%0D%0A%0D%0AAccept%3A%20gtkcaqcekiihoj/../../index.html%3fnb
jkky
ckfxc=/../ieielkyazjrtlwamehemlerzayxgxvshosamhlrfjqkjvbqrxjplsmluohplap
ryys
tkumldtrqimmjmqogynifwwlnghjwkiirvfjkdvlvyuxjieadymlsumvriicklndjvrekdlr
bbma
sqkqfrsigboccwpmrozdodezsewfwuesvjobkbhfpbivuydpjsjdylaelsdlrvpdwwjfjrzc
hnbn
orjohiaxkosvwvlhsivmookdpoxzdylpcvwhktyjlgbvnxxxpucgtatvffnbxzevjyowjmhw
isjo
bivqumhqunmmwsusmzgwumatzyfqcgxcnpnnmtllsqpsfpyflwhifgtlltnhjbfixauobptb
snnh
hhvxlfxtpnejibvzpgbhcabumjhgyrxmksemempmekharvoeqcnokdfnykfebmvlfepynnxl
ttls
qcwpdhrmuvrxqxfdyfuplikvotraksbaxmdgriuthcnxvsclrgwitqpramguvjgkbzjwtklk
wflw
pfzbuamezliqnahffxzwqumvkhinpyorhgfnqwjqrbrptralicwqttbsyalzukwnirxlbebe
eayw
tvfxgbyampcxrkzqyvyvfbmcszbivnmpobahjrjrvhbvkotleeqavpfiprztpcatbjkqvglj
lqyn
nxeqfqbphupugppdfazicmmpdjnkriykseezfxgrqeyffdilrertefbstylsafhshymcmwop
loyb
uetdfqxzqpjfdvjfemqamllabtcbuwivxnhqfaxxmgkltczflexpuwczvpfwrcaeebivowkx
kqnl
zogwaispoofhkohrdepqmfyxbiibubgjercdmbwcpsteevfdgyjfjmgmimwiitljjxktildi
qzyi
cojlprcktfhdctppmmndsrzxytlgrgsjxesmxxopvegpufnlnpbzfzsiuutaqbcmjajubsyf
kwjj
khxxbmgdvaxfpnzzddmsievmpqwhpmlbzwrbzhebsazairqhzdmsuhgfznlhmaalgqujncob
pfkb
sruugcjpfkblvpmlkbknxpnjqajkwuxtsxpntbzyzuefdktlaunmflgknsujdxwuomlylgve
fdxp
kdjjofizqooueinjmjjkpzwwnnosifminfffwuakttyvkeallovlybecfjrnoerzybqdubqp
heia
ltcgwpqcsnqqkbbfssrceidgkkktkaxcuulqyzbqmuslglcjvyhacjtgnhgjiyjhitpsipea
gibm
pddtfunvygerjsmfcyirnxghfsiexikoeljymetumaqvrzompigdkpbsuyjpiqdytgczjswh
yqmp
sgwtbxndmjmphaykxwdlprvtonihekpyxrobcbmbyccgjdpitrnjxvysiozpkafmtsnpmerh
oifl
xrpprrqcozngamqgirwr/.././%57%57%57%54%48%52%45%41%44%53/./ HTTP/1.0
[Fri Nov 30 16:18:53 2001] [error] [client 207.33.111.32] Invalid method in request HEAD%00
/%20HTTP/1.0%0D%0A%0D%0AAccept%3A%20fbdfhahodcqrxrdx/../../index.html%3f
yfbw
kypspvxcjaesb=/../zyzxzkvdcjvitalrnfnvmknpdgmvugvvcehhxstixtcgjpictmqwch
jtre
jgtjbgzqgabwknksanesgsgvbzchknxbkejcvktxunxkaghsktvgswhzpwgaprlhdbinbeku
rawe
zutzkimuyxlqykbdnqiduyuviguqhxvzbwnpdgykmhhthsufdkddxdzrhkoskosjnlmlbjjs
gvlh
yrvymbdmzxmwnqhmlqiiacqkcgvmuwkxpawkuedzcexfsgjwajdbuxwelmrolhumlqrmuihw
fdui
bcmyxtunsdaxrzehyccnbyuptgcohayudbxociefbmhathmigiilkfpgkxrktetvvztjvnqo
roqo
qnilawukypqitvlqknkizkdrgmjrxwulynjxbplaevlnhpxxeqbgysqcezvkxuvefrxhjqnf
ocvy
xycwfpnfwfeeknbyylisvugkwfiwjrypqdrcscnwexunftvounkqwnpkqlowofdgytnocugu
lxdo
vhwzsurtcuicmjzgmismskycbxflvrlmedzpwapnytucewbdtjxwbsuhxteajwzrtkttzphf
jolz
taryvpowbgrohxsultfvrmgweoyswlspnpngddpckkbfhtiowdglhpvdvjezyrpdjzxsuflf
zqmx
pkgffzttwdqbtfautwhniplihtsurqvkbmrcszmvcqvurnqimroemitrbkcjhmabbnkgribs
uhzv
pbmciczogfmhglypzfwnhmdxijoudqqocrfopthszjqjwjimczqddugshntcwoajdongajoz
ywtb
lzvwoakxhlmdgqibblgfdegaknsvywodsuiqjepugdoozauvtvcpfhnsvsxkoxswnvmyojpr
tybu
vhusrtmrwxvngwhkmtpejlwhydtwqrtpubgkoztfrrfftnkeyqvqxgxxhjfqkyebhfopmpmg
eizz
umqyjdqrzfomqocafmnjazmqdnrfrqzjrockcnliybfkhurqezktrzueyrzebsyabfrumumj
nvai
cfyrqrekytmwdxvjqgjgmjntdfmplskqoyuarngjunpdfwehbmigaavtnfndxponhlbwngmw
ubab
budlirwyuirsgxycgmwmezvwdwbgvdcjblvnxaubupfiwvzoanvequqpxmehkiasdkrvstvw
zdbm
voyilcidosccqzvvljtijdzdednwmbkfgbrmbhauzkkygnpcfccapsdkdjvkzqigvwfhazsl
xyed
oxnjizzdpywlpoudrjbsxhnykirrlagnivhdirexhpjclsuxxfunliydfpmirxhmdfvcfizb
rgmi
owxagwopwokxiyhjqnkkgjoepazlugufcwznmxiugszvvtsnijryqonuysksckagodfuypgf
hhxk
smaykgvcurxyfkiznoulquvhgwfyijrczxfnswzytvqdiepzwoeekxewzvxxyeard/.././%
50%4
8%50/./ HTTP/1.0
[Fri Nov 30 16:18:53 2001] [error] [client 207.33.111.32] Invalid method in request HEAD%00
/%20HTTP/1.0%0D%0A%0D%0AAccept%3A%20hbjeqftxsuodwd/../../index.html%3fqo
atfp
kbwzljzpsr=/../tccpzrngfnaopxuhkjqgecegxltihxrvqqgivxjfanillatnmkwzssrui
mupl
jbfjmfglgguflyquftjtlvrgrvpeezwcrsvyrnwusiejvvzxbawzzafisnjvupcjmqcgnnzc
lsid
wuvegyspdynrmgwjaabrvycqsvflfaqwqvbbwhwheayikpeityqhhbwkrebdprrfunpkassa
zjks
bjbljccayukcunsltcsfcisvczdmllbhakvdhjpwvwcyhcwtrrfympomnyqhgrwxfrmdfgwz
urqy
etwhonzqhhkutwtsfbnkommwwnrjnqdydsrhqkfpppkgarcmbgreqhttsqwtamcydzyikwll
ggmj
ymjdwmejkqgnokvwqzikzyqhtzasenmzuwrermkdmoqwjwukvyemykcwggmloirclztortqi
inta
jvjsydfoilkbirsdufhtjhtbnwhndwmrcuxdoqftehkyuarnievievwmppswzikybdngriow
vpzw
nqoqyxmtjjyrputlwdjzhtnysfyhdmvfxfpgobsrdszabqmvwdckrtasqydfoljozytxoeyr
lmmm
usekbnvkuoqwpaajyseilchllqpesopqsaaaltaqzqpppzqcucvolxojfzptqghfzelnfbaf
sjof
zivwwbxvsxporytpnpicsoqevafbtlphveckdzumcxqybdkeckdldrjavbimfzhbemdlriao
mspk
xdcfztfcbkwhspqfzlohwqmvajljjmertfjhgmphbdsnuzkqdpxjhcumsadomgkhvccbclur
gesq
qjjffgomwssmmfsjlyoeigognydawhawstmwenyxoeyelskjbiaxfmibjhjvxfqgifabphqp
rrfz
bhucyzcrahbhyjifdbdzkgfizbviurmsczmbfoxbuyqxglqxbvtlmjcuvssefygjupodmsmv
kjfa
peronpmpnvypgsqkcysqzrbissmguficzjtiukhuzphkthqpvdxlaechpcafgvnpxdxpdpik
sdjm
nsvbvcmdveejitbhovacgtjdvswrrclnpvgbfgqjvmlyovtkihjgoujatzxrnomtlstsgjpd
dzlm
trjvawvfvwvvhdkjkjboyoedatwrcfqqmzpkvnymnxubgswmmmmrfhfnqoupgmqwiyepifae
xrra
xxedtqvypeoxbuxikduwcmfottmanahslgtfuikndbkswubebhxaihtcsuddpcapafdrxrre
mxwj
wppkzmhmtmlwzouaqpbxyhaizwzkoxptaejbolihyabwvtnsssdwryyknanjlxrtviwvobon
fews
xudnndzdnilfqwsguaguexoulkoxeurjxampbxfsecqoxhbsruhlkqhsidlchxrctp/.././
%4d%
4c%4f%47%2e%50%48%54%4d%4c HTTP/1.0


It doesn't look like codered/nimda, so what could it be? And what's it
trying to do?


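Added example, not code from the thread: a small Python triage script that parses Apache "Invalid method" error lines of the kind quoted above, URL-decodes the request, and flags the tricks the Snort alerts in the reply name (the null byte glued to HEAD, the embedded CRLF pair, the ../ hops), then recovers the hex-encoded target filename at the end of each path. The sample log lines are constructed to match the quoted ones, with the random filler shortened.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in the shape of the Apache error-log entries quoted
# in the thread: the random filler that padded the originals to thousands of
# bytes is shortened here; the hex-encoded tails are copied as posted.
SAMPLE_LOG = [
    "[Fri Nov 30 16:18:52 2001] [error] [client 207.33.111.32] Invalid method in "
    "request HEAD%00 /%20HTTP/1.0%0D%0A%0D%0AAccept%3A%20gtkcaqcekiihoj/../../"
    "index.html%3fnbjkkyckfxc=/../ieielkyazjrt/.././%57%57%57%54%48%52%45%41%44%53/./ HTTP/1.0",
    "[Fri Nov 30 16:18:53 2001] [error] [client 207.33.111.32] Invalid method in "
    "request HEAD%00 /%20HTTP/1.0%0D%0A%0D%0AAccept%3A%20fbdfhahodcqrxrdx/../../"
    "index.html%3fyfbwkypspvxcjaesb=/../zyzxzkvdcjv/.././%50%48%50/./ HTTP/1.0",
    "[Fri Nov 30 16:18:53 2001] [error] [client 207.33.111.32] Invalid method in "
    "request HEAD%00 /%20HTTP/1.0%0D%0A%0D%0AAccept%3A%20hbjeqftxsuodwd/../../"
    "index.html%3fqoatfpkbwzljzpsr=/../tccpzrngfna/.././%4d%4c%4f%47%2e%50%48%54%4d%4c HTTP/1.0",
]

LOG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
                    r"Invalid method in request (?P<req>.*)$")
# The real target is the hex-encoded segment right after the last "/.././".
TARGET_RE = re.compile(r"/\.\./\./((?:%[0-9A-Fa-f]{2})+)(?:/\./)?$")


def analyze_line(line: str) -> dict:
    """Decode one 'Invalid method' line and flag the evasion tricks it carries."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("not an Apache 'Invalid method' error line")
    method, _, rest = m.group("req").partition(" ")
    uri = rest.rsplit(" HTTP/", 1)[0]        # strip the trailing " HTTP/1.0"
    decoded_uri = unquote(uri)
    t = TARGET_RE.search(uri)
    return {
        "client": m.group("ip"),
        # %00 glued to the method is why Apache rejected the request outright.
        "null_in_method": "\x00" in unquote(method),
        # %0D%0A%0D%0A inside the URI fakes an end-of-headers boundary.
        "crlf_in_uri": "\r\n\r\n" in decoded_uri,
        # Each "../" is a traversal hop; index.html?x=/../ is filler around them.
        "traversal_hops": decoded_uri.count("../"),
        "target": unquote(t.group(1)) if t else None,
    }


def targets_by_client(lines) -> dict:
    """Group the decoded target names per source IP, as a triage script would."""
    out = {}
    for line in lines:
        r = analyze_line(line)
        out.setdefault(r["client"], []).append(r["target"])
    return out
```

Decoding the tails of the three quoted requests this way gives WWWTHREADS, PHP and MLOG.PHTML, which lines up with the "mlog access attempt" Snort alert in the reply.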
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


