Security Incidents mailing list archives
Re: New attack or old Vulnerability Scanner?
From: Mark Embrich <mark_embrich () yahoo com>
Date: 29 Apr 2003 18:34:03 -0000
In-Reply-To: <OFAF55508B.5FB024D6-ON85256D14.0002DCAA-85256D14.00419468 () us ibm com>

Hello Jason,

Thanks for your help.
> Can you post (or provide a link) to the full tcpdump traces for this scan pattern? It might aid in the analysis.
The full tcpdump trace is quite long, about 1.7MB per attack, so I can't post it here. It would be a real pain-in-the-ass to sanitize it, so I don't really want to post or distribute it anyway. If you really, really want to take a look at it, I can sanitize it and email it to you directly.
> When you say TCP connect, I assume you mean that you saw a simple connection to see if the port is listening (as accomplished with '$ nmap -sT ...'). Or did you also see a HEAD or GET request to determine if this was an IIS server?
I mean a simple connection to the port, not a HEAD or GET. This attack didn't care that I was not running IIS. I also did not see a ping sweep prior to the attacks, although I only checked up to 2 hours earlier.

Thank you,
Mark Embrich