Security Incidents mailing list archives

Re: New attack or old Vulnerability Scanner?


From: Mark Embrich <mark_embrich () yahoo com>
Date: 29 Apr 2003 18:34:03 -0000

In-Reply-To: <OFAF55508B.5FB024D6-ON85256D14.0002DCAA-85256D14.00419468 () us ibm com>

Hello Jason,

Thanks for your help.

Can you post (or provide a link) to the full tcpdump traces for this scan 
pattern?  It might aid in the analysis.

The full tcpdump trace is quite long, about 1.7MB per attack, so I can't 
post it here.  It would be a real pain-in-the-ass to sanitize it, so I 
don't really want to post or distribute it anyway.  If you really, really 
want to take a look at it, I can sanitize it and email it to you directly.

When you say TCP connect, I assume you mean that you saw a simple 
connection to see if the port is listening (as accomplished with '$ nmap 
-sT ...').  Or did you also see a HEAD or GET request to determine if this 
was an IIS server?

I mean a simple connection to the port, not a HEAD or GET.
This attack didn't care that I was not running IIS.

I also did not see a ping sweep prior to the attacks, although I only 
checked up to 2 hours earlier.

Thank you,
Mark Embrich
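As an added illustration of the distinction drawn in this reply (a bare TCP connect versus a connect followed by a HEAD or GET, and whether an ICMP echo preceded it within the two-hour window), here is a small Python classifier over a tcpdump-style trace; it is not code from the thread, and the sample packets, addresses, ports and the HTTP decode text are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump -n style (not from the original thread): an ICMP echo
# request, a bare TCP connect to port 80 (SYN, SYN/ACK, ACK, FIN) and a second connect
# that is followed by an HTTP HEAD request.
TRACE = """\
18:00:59.500000 IP 10.0.0.5 > 192.168.1.10: ICMP echo request, id 7, seq 1, length 64
18:01:02.100000 IP 10.0.0.5.40001 > 192.168.1.10.80: Flags [S], seq 100, win 65535, length 0
18:01:02.100500 IP 192.168.1.10.80 > 10.0.0.5.40001: Flags [S.], seq 500, ack 101, win 65535, length 0
18:01:02.101000 IP 10.0.0.5.40001 > 192.168.1.10.80: Flags [.], ack 1, win 65535, length 0
18:01:02.101500 IP 10.0.0.5.40001 > 192.168.1.10.80: Flags [F.], seq 1, ack 1, win 65535, length 0
18:01:03.200000 IP 10.0.0.5.40002 > 192.168.1.10.80: Flags [S], seq 200, win 65535, length 0
18:01:03.200500 IP 192.168.1.10.80 > 10.0.0.5.40002: Flags [S.], seq 600, ack 201, win 65535, length 0
18:01:03.201000 IP 10.0.0.5.40002 > 192.168.1.10.80: Flags [P.], seq 1:18, ack 1, win 65535, length 17: HTTP: HEAD / HTTP/1.0
"""
TCP_RE = re.compile(r"^(\S+) IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\].*?length (\d+)(?:: HTTP: (\w+))?")
ICMP_RE = re.compile(r"^(\S+) IP (\S+) > (\S+): ICMP echo request")

def ts(hms):
    """tcpdump HH:MM:SS.usec timestamp -> seconds since midnight."""
    h, m, s = hms.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def classify_flows(trace, window=7200):
    """Map each client flow (src, sport, dst, dport) to (label, pinged_first): label is
    'connect-only' (handshake, no client payload), 'http-probe:<METHOD>' or 'syn-only'
    (no SYN/ACK); pinged_first is True if src sent an ICMP echo in the prior `window` s."""
    pings, flows = defaultdict(list), {}
    for line in trace.splitlines():
        m = ICMP_RE.match(line)
        if m:
            pings[m.group(2)].append(ts(m.group(1)))
            continue
        m = TCP_RE.match(line)
        if not m:
            continue
        t, a, ap, b, bp, flags, length, http = m.groups()
        if flags == "S":                        # a client SYN opens a new flow
            flows[(a, ap, b, bp)] = {"start": ts(t), "synack": False, "http": None}
            continue
        # a SYN/ACK comes from the server, so flip the tuple to find the client flow
        f = flows.get((b, bp, a, ap) if "S" in flags else (a, ap, b, bp))
        if f is None:
            continue
        if "S" in flags:
            f["synack"] = True
        elif int(length) > 0 and http:          # client sent an application-layer request
            f["http"] = http
    out = {}
    for key, f in flows.items():
        label = ("http-probe:" + f["http"]) if f["http"] else ("connect-only" if f["synack"] else "syn-only")
        out[key] = (label, any(0 <= f["start"] - p <= window for p in pings[key[0]]))
    return out
```

A flow that completes the handshake and closes without any client payload is the nmap -sT style connect the reply describes; a flow carrying a HEAD or GET is the server-fingerprinting variant.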
