Security Incidents mailing list archives

RE: unknown directory traversal attempts


From: Rob Keown <Keown () MACDIRECT COM>
Date: Sat, 13 Oct 2001 17:43:36 -0400

How many of these attempts do you see...looking at the intruding system it
appears like a pretty normal server, behind a firewall. All the same, the
signature is a bit odd looking.

It is coming from a Chinese University...the web server does not appear to
be infected by any known worm (as best I can tell)...was this just a
once-and-done?

NMAP findings:

Host  (202.119.199.39) appears to be up ... good.
Initiating SYN half-open stealth scan against  (202.119.199.39)
Adding TCP port 25 (state open).
Adding TCP port 21 (state open).
Adding TCP port 554 (state open).
Adding TCP port 80 (state open).
Adding TCP port 111 (state open).
Adding TCP port 23 (state open).
The SYN scan took 113 seconds to scan 1523 ports.
Interesting ports on  (202.119.199.39):
(The 1508 ports scanned but not shown below are in state: closed)
Port       State       Service
13/tcp     filtered    daytime                 
21/tcp     open        ftp                     
22/tcp     filtered    ssh                     
23/tcp     open        telnet                  
25/tcp     open        smtp                    
80/tcp     open        http                    
111/tcp    open        sunrpc                  
139/tcp    filtered    netbios-ssn             
554/tcp    open        rtsp                    
1417/tcp   filtered    timbuktu-srv1           
1433/tcp   filtered    ms-sql-s                
1434/tcp   filtered    ms-sql-m                
1723/tcp   filtered    pptp                    
5190/tcp   filtered    aol                     
8888/tcp   filtered    sun-answerbook       

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

