Security Incidents mailing list archives
RE: Cobalt Scan
From: Tom Laermans <tom.laermans () powersource cx>
Date: Mon, 30 Jul 2001 20:18:29 +0200
Hi,
> Name: ariston.netcraft.com > Address: 195.92.95.61 I've made the double check and used netcraft to examine one of my servers. The results are different from the request for cobalt-images seen so far: wooster.netcraft.com - - [27/Jul/2001:13:07:03 +0200] "HEAD / HTTP/1.1"200 0 "http://www.netcraft.com/survey/" "Mozilla/4.0 (compatible; Netcraft Web Server Survey)"jumble.netcraft.com - - [28/Jul/2001:23:57:51 +0200] "HEAD / HTTP/1.0"200 0 "http://www.netcraft.com/survey/" "Mozilla/4.0 (compatible; Netcraft Web Server Survey)"
These aren't cobalt-images requests, are they?
So it isn't the normal probe that everbody can use, but something special. Speculations about the intended usage of the data are left to the reader.
I think it's something like this: 1) When you do a scan yourself on your server, you get what you see above,2) When netcraft scans you automatically (daily I think, if you're in the correct queue) it uses the other way (the way you have seen before).
I don't know if this is correct, I have not checked and cannot check in the very near future :-/
HTH, Tom ------------------------------------------------- Web: http://www.powersource.cx --- ICQ#: 12120754 Also check this out: http://kickme.to/sidewinder Need some cheats?? http://www.chaos-cheatbase.com Keep Fido&BBS Alive! http://skynetbbs.dyns.cx ------------------------------------------------- ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service.For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Cobalt Scan Ryan W. Maple (Jul 26)
- <Possible follow-ups>
- RE: Cobalt Scan Jeroen Wesbeek (Jul 29)
- RE: Cobalt Scan Sven Carstens (Jul 30)
- RE: Cobalt Scan Tom Laermans (Jul 30)
- RE: Cobalt Scan Sven Carstens (Jul 30)