Security Incidents mailing list archives
Re: Question
From: jnf <sin () asu edu>
Date: Tue, 04 Sep 2001 08:49:28 -0700 (MST)
I didn't read your whole post, but looking through the little I did: yes, that looks like a scanner. It looks like they were actually focused on one OS. No, you probably don't have anything much to worry about; every one I saw was a 404 error, and if they got in, they prolly would've cleaned the logs. Keep an eye out for anything strange, in case it wasn't just a random scan, and check to make sure none of those files exist. But overall you're probably safe, and yes, that was a scanner. Look at the time stamps: within seconds, this person left a huge footprint. You probably have nothing to worry about; just go check and make sure you have no known vulnerabilities, and make sure none of those files exist. You'd prolly even want to look at wherever people with MS products look for security bulletins and see if there's anything new. But this is just IMHO.

// jnf

Quoting "Hill, James" <jhill () sanitorsinc com>:
I have been getting this on the two web servers I run internally (Apache using Jakarta). After a long weekend I came in and started reading my logs, and noticed this on both web servers, with almost identical information on them. My question is: is this a tool (script) doing this, and is it something that is doing mass scans?

JH

--->LOG
2001-09-03 11:11:07 - Ctx( ): 404 R( + /C:/temp/\../ + null) null
2001-09-03 11:11:07 - Ctx( ): 404 R( + /usr/bin/FlagShip_c + null) null
2001-09-03 11:11:07 - Ctx( ): 404 R( + /cgi-bin/bb-rep.sh + null) null
2001-09-03 11:11:07 - Ctx( ): 404 R( + /Sites/Knowledge/Membership/Inspiredtutorial/ViewCode.asp + null) null
2001-09-03 11:11:07 - Ctx( ): 404 R( + /WCB/databases/instructors.passwd + null) null
2001-09-03 11:11:07 - Ctx( ): 404 R( + /perl/files.pl + null) null
2001-09-03 11:11:07 - Ctx( ): 404 R( + /usr/bin/FSserial + null) null
2001-09-03 11:11:07 - Ctx( ): 404 R( + /Sites/Knowledge/Membership/Inspired/ViewCode.asp + null) null
2001-09-03 11:11:07 - Ctx( ): 404 R( + /_vti_pvt/users.pwd + null) null
2001-09-03 11:11:07 - Ctx( ): 404 R( + SnapStream + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /usr/bin/FSserial + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /..?»../..?»../cmd1.exe + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /Sites/Knowledge/Membership/Inspired/ViewCode.asp + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /..\..\..\..\..\autoexec.bat + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/replicator/webpage.cgi/ + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /scripts/tradecli.dll + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/cart.pl + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/cartmanager.cgi + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /cfdocs/exampleapp/publish/admin/addcontent.cfm + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/websync.exe + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/ezshopper3/loadpage.cgi + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/cvsweb.cgi + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /interscan/cgi-bin/HttpSaveCSP.dll + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/..%5c..%5c/..%5c..%5c/winnt/system32/cmd.exe + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/cvsweb.cgi + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/bb-rep.sh + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /..?»../..?»../cmd.exe + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /interscan/cgi-bin/HttpSaveCSP.dll + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /4DBin/_/C:/winnt/repair/sam._ + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /cgi-bin/..%5c..%5c/..%5c..%5c/winnt/system32/cmd.exe + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /..\..\..\..\..\autoexec.bat + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /cgi-bin/bb-hostsvc.sh + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /..?»../..?»../cmd.exe + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /iisadmpwd/..%5c..%5c/..%5c..%5c/winnt/system32/cmd.exe + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /..\..\..\boot.ini + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /cgi-bin/bb-hostsvc.sh + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /iisadmpwd/sensepost.exe + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /cgi-bin/webspirs.cgi + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /cgi-bin/a1stats/a1disp2.cgi + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /iisadmpwd/..%5c..%5c/..%5c..%5c/winnt/system32/cmd.exe + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /..\..\..\boot.ini + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /cgi-bin/bb-histlog.sh + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /cgi-bin/webspirs.cgi + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /cgi-bin/a1stats/a1disp4.cgi + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /_vti_bin/..%5c..%5c/..%5c..%5c/winnt/system32/cmd.exe + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /../../../boot.ini + null) null
2001-09-03 11:11:10 - Ctx( ): 404 R( + /cgi-bin/bb-histlog.sh + null) null
2001-09-03 11:11:10 - Ctx( ): 404 R( + /scripts/passwd.txt .pl + null) null
2001-09-03 11:11:10 - Ctx( ): 404 R( + /cgi-bin/lister + null) null
2001-09-03 11:11:10 - Ctx( ): 404 R( + /doc/packages/ + null) null
2001-09-03 11:11:10 - Ctx( ): 404 R( + /cgi-bin/a1stats/a1disp4.cgi + null) null
2001-09-03 11:11:10 - Ctx( ): 404 R( + /iisadmpwd/sensepost.exe + null) null
2001-09-03 11:11:10 - Ctx( ): 404 R( + /cgi-bin/bb-hist.sh + null) null
2001-09-03 11:11:10 - Ctx( ): 404 R( + /cgi-bin/a1stats/a1disp3.cgi + null) null
2001-09-03 11:11:10 - Ctx( ): 404 R( + /iisadmpwd/cmd1.exe + null) null
2001-09-03 11:11:10 - Ctx( ): 404 R( + /cgi-bin/bb-hist.sh + null) null
2001-09-03 11:11:11 - Ctx( ): 404 R( + /_vti_bin/..%5c..%5c/..%5c..%5c/winnt/system32/cmd.exe + null) null
2001-09-03 11:11:11 - Ctx( ): 404 R( + /../../../boot.ini + null) null
2001-09-03 11:11:11 - Ctx( ): 404 R( + /cgi-bin/a1stats/a1disp3.cgi + null) null
2001-09-03 11:11:11 - Ctx( ): 404 R( + /iisadmpwd/cmd1.exe + null) null
2001-09-03 11:11:11 - Ctx( ): 404 R( + /msadc/..%5c..%5c/..%5c..%5c/winnt/system32/cmd.exe + null) null
2001-09-03 11:11:12 - ContextManager: SocketException reading request, ignored - java.net.SocketException: Connection reset by peer: JVM_recv in socket input stream read
        at java.net.SocketInputStream.socketRead(Native Method)
        at java.net.SocketInputStream.read(SocketInputStream.java:86)
        at java.io.BufferedInputStream.fill(BufferedInputStream.java:186)
        at java.io.BufferedInputStream.read(BufferedInputStream.java:204)
        at org.apache.tomcat.service.http.HttpRequestAdapter.doRead(HttpRequestAdapter.java:115)
        at org.apache.tomcat.core.BufferedServletInputStream.doRead(BufferedServletInputStream.java:106)
        at org.apache.tomcat.core.BufferedServletInputStream.read(BufferedServletInputStream.java:128)
        at javax.servlet.ServletInputStream.readLine(ServletInputStream.java:138)
        at org.apache.tomcat.service.http.HttpRequestAdapter.readNextRequest(HttpRequestAdapter.java:129)
        at org.apache.tomcat.service.http.HttpConnectionHandler.processConnection(HttpConnectionHandler.java:198)
        at org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java:416)
        at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java:501)
        at java.lang.Thread.run(Thread.java:484)
2001-09-03 11:11:13 - Ctx( ): 404 R( + SnapStream + null) null
2001-09-03 11:11:13 - Ctx( ): 404 R( + SnapStream + null) null
2001-09-03 11:11:14 - Ctx( ): 404 R( + /includes/global.inc + null) null
2001-09-03 11:11:15 - Ctx( ): 404 R( + /global.asa .htr + null) null
2001-09-03 11:11:15 - Ctx( ): 404 R( + /pollit/Poll_It_v2.0.cgi + null) null
2001-09-03 11:11:15 - Ctx( ): 404 R( + /iissamples/issamples/fastq.idq + null) null
2001-09-03 11:11:16 - Ctx( ): 404 R( + /cfdocs/expeval/sendmail.cfm + null) null
2001-09-03 11:11:16 - Ctx( ): 404 R( + /cgi-bin/wais + null) null
2001-09-03 11:11:16 - Ctx( ): 404 R( + /cgi-bin/DCShop + null) null
2001-09-03 11:11:16 - Ctx( ): 404 R( + SnapStream + null) null
2001-09-03 11:11:16 - Ctx( ): 404 R( + /cgi-bin/websync.exe + null) null
2001-09-03 11:11:16 - Ctx( ): 404 R( + /officescan/cgi/jdkRqNotify.exe + null) null
2001-09-03 11:11:17 - Ctx( ): 404 R( + SnapStream + null) null
2001-09-03 11:11:17 - Ctx( ): 404 R( + /cgi-bin/pollit/Poll_It_SSI_v2.0.cgi + null) null
2001-09-03 11:11:17 - Ctx( ): 404 R( + /iissamples/issamples/fastq.idq + null) null
2001-09-03 11:11:17 - Ctx( ): 404 R( + /cgi-bin/pollit/Poll_It_SSI_v2.0.cgi + null) null
2001-09-03 11:11:17 - Ctx( ): 404 R( + /iissamples/issamples/query.idq + null) null
2001-09-03 11:11:18 - Ctx( ): 404 R( + /iissamples/issamples/query.idq + null) null
2001-09-03 11:11:19 - Ctx( ): 404 R( + /cgi-bin/wais + null) null
2001-09-03 11:11:19 - Ctx( ): 404 R( + /cgi-bin/DCShop + null) null
2001-09-03 11:11:20 - Ctx( ): 404 R( + /iisadmpwd/cmd.exe + null) null
2001-09-03 11:11:20 - Ctx( ): 404 R( + /iisadmpwd/cmd.exe + null) null
2001-09-03 11:11:21 - Ctx( ): 404 R( + /samples/sensepost.exe + null) null
2001-09-03 11:11:21 - Ctx( ): 404 R( + /samples/sensepost.exe + null) null
2001-09-03 11:11:21 - Ctx( ): 404 R( + /samples/cmd1.exe + null) null
2001-09-03 11:11:21 - Ctx( ): 404 R( + /samples/cmd1.exe + null) null
2001-09-03 11:11:22 - Ctx( ): 404 R( + /cgi-bin/simplestmail.cgi + null) null
2001-09-03 11:11:22 - Ctx( ): 404 R( + /samples/cmd.exe + null) null
2001-09-03 11:11:22 - Ctx( ): 404 R( + /samples/cmd.exe + null) null
2001-09-03 11:11:22 - Ctx( ): 404 R( + /cgi-bin/sensepost.exe + null) null
2001-09-03 11:11:23 - Ctx( ): 404 R( + /cgi-bin/sensepost.exe + null) null
2001-09-03 11:11:23 - Ctx( ): 404 R( + /cgi-bin/cmd1.exe + null) null
2001-09-03 11:11:23 - Ctx( ): 404 R( + /cgi-bin/cmd1.exe + null) null
2001-09-03 11:11:23 - Ctx( ): 404 R( + /cgi-bin/cmd.exe + null) null
2001-09-03 11:11:24 - Ctx( ): 404 R( + /cgi-bin/cmd.exe + null) null
2001-09-03 11:11:24 - Ctx( ): 404 R( + /vti_cnf/sensepost.exe + null) null
2001-09-03 11:11:24 - Ctx( ): 404 R( + /vti_cnf/sensepost.exe + null) null
2001-09-03 11:11:25 - Ctx( ): 404 R( + /vti_cnf/cmd1.exe + null) null
2001-09-03 11:11:27 - Ctx( ): 404 R( + /iisadmpwd/ + null) null
2001-09-03 11:11:27 - Ctx( ): 404 R( + /cgi-bin/ustorekeeper.pl + null) null
2001-09-03 11:11:27 - Ctx( ): 404 R( + /msadc/..%5c..%5c/..%5c..%5c/winnt/system32/cmd.exe + null) null
2001-09-03 11:11:27 - Ctx( ): 404 R( + /.nsf/../winnt/win.ini + null) null
2001-09-03 11:11:27 - Ctx( ): 404 R( + /iissamples/exair/howitworks/codebrws.asp + null) null
2001-09-03 11:11:27 - Ctx( ): 404 R( + /usr/bin/xvcad/glib/ + null) null
2001-09-03 11:11:27 - Ctx( ): 404 R( + /cgi-bin/ustorekeeper.pl + null) null
2001-09-03 11:11:27 - Ctx( ): 404 R( + /scripts/..%5c..%5cwinnt/system32/cmd.exe + null) null
2001-09-03 11:11:27 - Ctx( ): 404 R( + /usr/bin/xvcad/glib/ + null) null
2001-09-03 11:11:27 - Ctx( ): 404 R( + /scripts/..%5c..%5cwinnt/system32/cmd.exe + null) null
2001-09-03 11:11:27 - Ctx( ): 404 R( + /usr/bin/xvcad/var_rm + null) null
2001-09-03 11:11:28 - Ctx( ): 404 R( + /usr/bin/xvcad/var_rm + null) null
2001-09-03 11:11:28 - Ctx( ): 404 R( + /vti_cnf/cmd1.exe + null) null
2001-09-03 11:11:28 - Ctx( ): 404 R( + /usr/bin/xvcad/igesin + null) null
2001-09-03 11:11:28 - Ctx( ): 404 R( + /vti_cnf/cmd.exe + null) null
2001-09-03 11:11:28 - Ctx( ): 404 R( + /usr/bin/xvcad/igesin + null) null
2001-09-03 11:11:29 - Ctx( ): 404 R( + /vti_cnf/cmd.exe + null) null
2001-09-03 11:11:29 - Ctx( ): 404 R( + /usr/bin/xvcad/dxfin + null) null
2001-09-03 11:11:29 - Ctx( ): 404 R( + /vti_bin/sensepost.exe + null) null
2001-09-03 11:11:29 - Ctx( ): 404 R( + /usr/bin/xvcad/dxfin + null) null
2001-09-03 11:11:29 - Ctx( ): 404 R( + /vti_bin/sensepost.exe + null) null
2001-09-03 11:11:29 - Ctx( ): 404 R( + /vti_bin/cmd1.exe + null) null
2001-09-03 11:11:30 - Ctx( ): 404 R( + /vti_bin/cmd1.exe + null) null
2001-09-03 11:11:30 - Ctx( ): 404 R( + /vti_bin/cmd.exe + null) null
2001-09-03 11:11:30 - Ctx( ): 404 R( + /vti_bin/cmd.exe + null) null
2001-09-03 11:11:31 - Ctx( ): 404 R( + /msadc/sensepost.exe + null) null
2001-09-03 11:11:31 - Ctx( ): 404 R( + /msadc/sensepost.exe + null) null
2001-09-03 11:11:31 - Ctx( ): 404 R( + /msadc/cmd1.exe + null) null
2001-09-03 11:11:32 - Ctx( ): 404 R( + /msadc/cmd1.exe + null) null
2001-09-03 11:11:32 - Ctx( ): 404 R( + /msadc/cmd.exe + null) null
2001-09-03 11:11:32 - Ctx( ): 404 R( + /msadc/cmd.exe + null) null
2001-09-03 11:11:32 - Ctx( ): 404 R( + /scripts/sensepost.exe + null) null
2001-09-03 11:11:42 - Ctx( ): 404 R( + /scripts/sensepost.exe + null) null
2001-09-03 11:11:42 - Ctx( ): 404 R( + /scripts/cmd1.exe + null) null
2001-09-03 11:11:42 - Ctx( ): 404 R( + /scripts/cmd1.exe + null) null
2001-09-03 11:11:43 - Ctx( ): 404 R( + /scripts/cmd.exe + null) null
2001-09-03 11:11:43 - Ctx( ): 404 R( + /scripts/cmd.exe + null) null
2001-09-03 11:11:43 - Ctx( ): 404 R( + /sensepost.exe + null) null
2001-09-03 11:11:44 - Ctx( ): 404 R( + /sensepost.exe + null) null
2001-09-03 11:11:44 - Ctx( ): 404 R( + /cmd1.exe + null) null
2001-09-03 11:11:44 - Ctx( ): 404 R( + /cmd1.exe + null) null
2001-09-03 11:11:44 - Ctx( ): 404 R( + /cmd.exe + null) null
2001-09-03 11:11:45 - Ctx( ): 404 R( + /cmd.exe + null) null
End <--

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
// jnf
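jnf's advice boils down to two log checks: a burst of many distinct 404s within seconds is the footprint of a scanner, and the entries worth acting on are any probes in that burst that did not 404. The Python below is an added example, not code from either poster: it parses the Tomcat 3.x log format Hill pasted and applies both checks. The 10-second window and 8-path threshold are assumed tuning values, and the 200 for /cgi-bin/cvsweb.cgi in the sample is constructed to show a hit (in the real log it was a 404).

```python
import re
from datetime import datetime

# Tomcat 3.x context-log record, as posted in the thread:
#   2001-09-03 11:11:07 - Ctx( ): 404 R( + /cgi-bin/cmd.exe + null) null
LOG_RE = re.compile(r"^(\S+ \S+) - Ctx\([^)]*\): (\d{3}) R\([^+]*\+ (.*?) \+ ")

def parse_line(line):
    """(timestamp, status, path), or None for non-request lines such as stack traces."""
    m = LOG_RE.match(line)
    return (datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S"), int(m[2]), m[3]) if m else None

def find_scan_bursts(entries, window_s=10, min_distinct=8):
    """A scanner leaves many distinct 404 paths within seconds; return (first_ts, last_ts, n) per burst."""
    misses = sorted(e for e in entries if e[1] == 404)
    bursts, i = [], 0
    while i < len(misses):
        j, paths = i, set()
        while j < len(misses) and (misses[j][0] - misses[i][0]).total_seconds() <= window_s:
            paths.add(misses[j][2])
            j += 1
        if len(paths) >= min_distinct:
            bursts.append((misses[i][0], misses[j - 1][0], len(paths)))
            i = j  # skip past the burst just reported
        else:
            i += 1
    return bursts

def probe_hits(entries, bursts):
    """Any request that did NOT 404 during a burst is a probe that found something: check it."""
    return [(e[1], e[2]) for s, t, _ in bursts for e in sorted(entries) if s <= e[0] <= t and e[1] != 404]

def analyze(log_text):
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    bursts = find_scan_bursts(entries)
    return {"bursts": bursts, "hits": probe_hits(entries, bursts)}

# Records copied from the posted log; the 200 for cvsweb.cgi is constructed for illustration.
SAMPLE_LOG = r"""
2001-09-03 11:11:07 - Ctx( ): 404 R( + /cgi-bin/bb-rep.sh + null) null
2001-09-03 11:11:07 - Ctx( ): 404 R( + /_vti_pvt/users.pwd + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /..\..\..\..\..\autoexec.bat + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/cart.pl + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /iisadmpwd/sensepost.exe + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /..\..\..\boot.ini + null) null
2001-09-03 11:11:10 - Ctx( ): 404 R( + /cgi-bin/bb-hist.sh + null) null
2001-09-03 11:11:10 - Ctx( ): 200 R( + /cgi-bin/cvsweb.cgi + null) null
2001-09-03 11:11:11 - Ctx( ): 404 R( + /msadc/cmd.exe + null) null
2001-09-03 11:11:44 - Ctx( ): 404 R( + /cmd.exe + null) null
"""
```

Running `analyze(SAMPLE_LOG)` reports one burst of 8 distinct misses between 11:11:07 and 11:11:11 and a single hit to follow up; the lone 404 at 11:11:44 falls outside the window and is not counted.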