Security Incidents mailing list archives
RE: Need help to find web server attacks signature
From: "Mike Brownbill" <mike.brownbill () dsl pipex com>
Date: Wed, 22 Oct 2003 20:49:54 +0100
I can't name the scanner itself but it's looking like a simple brute-force against a list of forum scripts (most likely vulnerable) which the attacker has. A probable explanation for the request of the images is to enumerate whether or not the forum which uses said images is present on the server.

It's a very cack-handed attack - a more intelligent/experienced attacker would have used Google to check for the forum/(whatever system, looks like a forum with age.pl/header.php, etc)'s existence on the server rather than doing it in this manner. The fact that further down the page you see an attempt to tunnel the /etc/passwd file from an IIS server(?!?!?) points to a script kiddy.

If I was you I'd check that the relevant scripts that got a 200 are up to date with the latest vendor patches - if you are very concerned then do a whois on the attacking IP and contact their ISP.

As I have said in a very round and about manner, it's a rather awfully attempted attack and doesn't point to the webserver being targeted personally (again, probably just a script kiddy scanning about - an attacker with intent of taking that specific site would have a better knowledge of the site and its scripts).

Anywho, hope that helps,

Mike Brownbill

-----Original Message-----
From: Maxime Ducharme [mailto:maxime () pandore-design com]
Sent: Wednesday, October 22, 2003 6:43 PM
To: incidents () securityfocus com
Subject: Need help to find web server attacks signature

Hi all,

I'd need help to identify an attack that happened on one of our customer's web server yesterday. I put the log file here:

http://www.pandore-design.com/security/2003-10-21-IIS-attack.txt

I see some attacks that seem to be a security scanner tool, and some attacks which target specific pages of the web site (where we begin to see 200 responses from the web server).

Does someone recognize a tool / virus / worm in this?
Thanks in advance for help

---------------------------------------------------------------
Maxime Ducharme
Network Administrator, Programmer
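
As an added illustration of the triage suggested in the reply above (not part of the original thread and not code from either poster): a short Python pass over an IIS log that picks out clients whose requests look like a blind path scan, lists the paths that answered 200 for them, and notes any Unix-only probe such as /etc/passwd. It assumes the W3C extended log format with a `#Fields:` line; the sample lines, thresholds and function names are constructed for the example.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended format (not the log from the post).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-10-21 14:02:01 192.0.2.10 GET /forum/images/logo.gif - 404
2003-10-21 14:02:01 192.0.2.10 GET /board/images/logo.gif - 404
2003-10-21 14:02:02 192.0.2.10 GET /cgi-bin/age.pl - 404
2003-10-21 14:02:02 192.0.2.10 GET /forum/header.php - 200
2003-10-21 14:02:03 192.0.2.10 GET /scripts/show.asp file=/etc/passwd 404
2003-10-21 14:02:04 192.0.2.10 GET /board/header.php - 404
2003-10-21 14:05:10 198.51.100.7 GET /default.asp - 200
2003-10-21 14:05:11 198.51.100.7 GET /images/banner.gif - 200
2003-10-21 14:05:12 198.51.100.7 GET /favicon.ico - 404
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive as the schema."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, parts))

def triage(text, min_requests=5, min_404_ratio=0.5):
    """Map each scanner-like client IP to the paths it hit with a 200.

    A client counts as scanner-like when it made at least min_requests
    requests and at least min_404_ratio of them returned 404 (assumed
    thresholds; tune them to the site's normal traffic).
    """
    by_ip = defaultdict(list)
    for row in parse_w3c(text):
        by_ip[row["c-ip"]].append(row)
    report = {}
    for ip, rows in by_ip.items():
        misses = sum(1 for r in rows if r["sc-status"] == "404")
        if len(rows) < min_requests or misses / len(rows) < min_404_ratio:
            continue
        report[ip] = {
            # Scripts that exist on the server: check their patch level first.
            "hit_200": sorted({r["cs-uri-stem"] for r in rows if r["sc-status"] == "200"}),
            # Unix path requested from an IIS host: untargeted script, wrong platform.
            "unix_probe": any("/etc/passwd" in r["cs-uri-stem"] + r["cs-uri-query"] for r in rows),
        }
    return report

if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        print(ip, info)
```
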
Current thread:
- Need help to find web server attacks signature Maxime Ducharme (Oct 22)
- Re: Need help to find web server attacks signature Muhammad Naseer (Oct 22)
- Re: Need help to find web server attacks signature Fatih Özavcı (Oct 23)
- Bogus DNS traffic David Gillett (Oct 22)
- RE: Bogus DNS traffic Mike Anderson (Oct 23)
- RE: Bogus DNS traffic David Gillett (Oct 23)
- Re: Bogus DNS traffic Brian Collins (Oct 23)
- Re: Bogus DNS traffic Robert Lowe (Oct 23)
- Re: [despammed] Bogus DNS traffic whiplash (Oct 24)
- RE: Bogus DNS traffic Mike Anderson (Oct 23)
- RE: Need help to find web server attacks signature Mike Brownbill (Oct 23)
- Re: Need help to find web server attacks signature Tri Huynh (Oct 24)
- Re: Need help to find web server attacks signature Muhammad Naseer (Oct 22)