Security Incidents mailing list archives

RE: Need help to find web server attacks signature


From: "Mike Brownbill" <mike.brownbill () dsl pipex com>
Date: Wed, 22 Oct 2003 20:49:54 +0100

I can't name the scanner itself but it's looking like a simple brute-force
against a list of forum scripts (most likely vulnerable) which the attacker
has. A probable explanation for the requests for the images is to enumerate
whether or not the forum which uses said images is present on the server.
It's a very cack-handed attack - a more intelligent/experienced attacker
would have used Google to check for the existence of the forum (or whatever
system it is; it looks like a forum, with age.pl/header.php, etc.) on the
server rather than doing it in this manner. The fact that further down the
page you see an attempt to tunnel the /etc/passwd file from an IIS
server(?!?!?) points to a script kiddy. If I were you I'd check that the
relevant scripts that got a 200 are up to date with the latest vendor patches
- if you are very concerned then do a whois on the attacking IP and contact
their ISP. As I have said in a very roundabout manner, it's a rather awfully
attempted attack and doesn't point to the webserver being targeted personally
(again, probably just a script kiddy scanning about - an attacker with the
intent of taking that specific site would have a better knowledge of the site
and its scripts).
Anywho, hope that helps,

Mike Brownbill

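The two patterns Mike describes above (a burst of 404s against a list of forum
script paths with a few 200s mixed in, plus an /etc/passwd traversal attempt
against IIS) can be pulled out of an IIS W3C log mechanically. The script below
is an added example written for this archive page; it is not the poster's log,
nor a tool mentioned in the thread. The log lines, IP addresses and paths in
SAMPLE_LOG are constructed for illustration, and the field set is the default
IIS 5/6 W3C extended layout named in the #Fields: directive.

```python
"""Triage an IIS W3C extended log for scanner-like activity.

Added example, not code from the original post.  Assumes the #Fields: line
below; every log line, IP and path in SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample log (hypothetical IPs from the documentation ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-10-21 03:14:01 192.0.2.10 GET /forum/age.pl - 404
2003-10-21 03:14:01 192.0.2.10 GET /cgi-bin/age.pl - 404
2003-10-21 03:14:02 192.0.2.10 GET /forum/header.php - 200
2003-10-21 03:14:02 192.0.2.10 GET /images/forum_logo.gif - 200
2003-10-21 03:14:03 192.0.2.10 GET /board/index.php - 404
2003-10-21 03:14:03 192.0.2.10 GET /phpBB/viewtopic.php - 404
2003-10-21 03:14:04 192.0.2.10 GET /scripts/..%255c../etc/passwd - 404
2003-10-21 03:14:05 192.0.2.10 GET /cgi-bin/view.cgi file=../../../../etc/passwd 404
2003-10-21 03:20:11 198.51.100.7 GET /index.html - 200
2003-10-21 03:20:12 198.51.100.7 GET /images/logo.gif - 200
"""

# Directory traversal / sensitive-file probes, matched after decoding.
TRAVERSAL = re.compile(r"(\.\./|\.\.\\|/etc/passwd|boot\.ini|cmd\.exe)", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("log has no #Fields: line")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line, skip it
        yield dict(zip(fields, values))


def triage(text, min_requests=5, notfound_ratio=0.5):
    """Per client IP: scanner flag, paths that returned 200, traversal probes.

    A client is flagged as a scanner when it made at least min_requests
    requests and at least notfound_ratio of them got a 404, which is the
    signature of walking a list of script paths the site does not have.
    """
    per_ip = defaultdict(lambda: {"total": 0, "404": 0, "hits": [], "traversal": []})
    for rec in parse_w3c(text):
        entry = per_ip[rec["c-ip"]]
        entry["total"] += 1
        if rec["sc-status"] == "404":
            entry["404"] += 1
        elif rec["sc-status"] == "200":
            entry["hits"].append(rec["cs-uri-stem"])
        query = rec["cs-uri-query"]
        raw = rec["cs-uri-stem"] if query == "-" else rec["cs-uri-stem"] + "?" + query
        # Decode twice: IIS logs the request as sent, and %255c is a
        # double-encoded backslash that a single unquote would miss.
        if TRAVERSAL.search(unquote(unquote(raw))):
            entry["traversal"].append(raw)

    findings = {}
    for ip, e in per_ip.items():
        ratio = e["404"] / e["total"]
        findings[ip] = {
            "scanner": e["total"] >= min_requests and ratio >= notfound_ratio,
            "hits": sorted(set(e["hits"])),      # scripts to check for patches
            "traversal": e["traversal"],
        }
    return findings


if __name__ == "__main__":
    for ip, f in triage(SAMPLE_LOG).items():
        if f["scanner"] or f["traversal"]:
            print(ip, "scanner" if f["scanner"] else "", f)
```

The "hits" list for a flagged client is the set of scripts Mike suggests
checking against vendor patches; the 404 ratio threshold is a heuristic and
should be tuned against the site's normal traffic before being used as an
alert.
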
-----Original Message-----
From: Maxime Ducharme [mailto:maxime () pandore-design com]
Sent: Wednesday, October 22, 2003 6:43 PM
To: incidents () securityfocus com
Subject: Need help to find web server attacks signature



Hi all,
    I'd need help to identify an attack that happened on one of our
customer's web servers yesterday. I put the log file here:
http://www.pandore-design.com/security/2003-10-21-IIS-attack.txt

I see some attacks that seem to be from a security scanner tool,
and some attacks which target specific pages of the web site
(where we begin to see 200 responses from the web server).

Does someone recognize a tool / virus / worm in this?

Thanks in advance for help

---------------------------------------------------------------
  Maxime Ducharme
  Network administrator, Programmer



---------------------------------------------------------------------------
FREE Whitepaper: Better Management for Network Security

Looking for a better way to manage your IP security?
Learn how Solsoft can help you:
- Ensure robust IP security through policy-based management
- Make firewall, VPN, and NAT rules interoperable across heterogeneous
networks
- Quickly respond to network events from a central console

Download our FREE whitepaper at:
http://www.securityfocus.com/sponsor/Solsoft_incidents_031015
----------------------------------------------------------------------------

