Full Disclosure mailing list archives

Re: Need help to find web server attacks signature


From: "Maxime Ducharme" <maxime () pandore-design com>
Date: Wed, 22 Oct 2003 17:15:28 -0400


I'm currently seeing this scenario:

1. The person gets on the web site with his browser (IE6 on XP);
we see some valid GETs at the beginning

2. The person ran one of these tools:
    Nikto : http://www.cirt.net/code/nikto.shtml
    Whisker : http://sourceforge.net/projects/whisker/
    N-Stealth : http://www.nstalker.com/nstealth/
    Retina:  http://www.eeye.com/html/Products/Retina/
   or another...

3. The person retries the website to get some URLs;
we see some other valid GETs further on

4. The person then ran other tools on specific URLs, like
Paul just said



The source IP isn't listed in DShield or mynetwatchman.

The server doesn't show any weird behavior, nor is there any
weird traffic going on.

We are thinking URLScan did a good job :)

Thanks all for your replies

---------------------------------------------------------------
  Maxime Ducharme
  Administrateur reseau, Programmeur


----- Original Message ----- 
From: "Schmehl, Paul L" <pauls () utdallas edu>
To: "Maxime Ducharme" <maxime () pandore-design com>;
<full-disclosure () lists netsys com>
Sent: Wednesday, October 22, 2003 4:05 PM
Subject: RE: [Full-disclosure] Need help to find web server attacks
signature


-----Original Message-----
From: Maxime Ducharme [mailto:maxime () pandore-design com]
Sent: Wednesday, October 22, 2003 12:40 PM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Need help to find web server
attacks signature


Hi all,
    I'd need help to identify an attack that happened on one
of our customer's web servers yesterday. I put the log file
here:
http://www.pandore-design.com/security/2003-10-21-IIS-attack.txt

Looks like a vuln scanner that's designed to try a number of default
install mistakes to see if anything works.  The previous poster may be
correct that it was NIKTO.  Could also be whisker or stealth.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



