Security Incidents mailing list archives
Re: Question
From: jnf <sin () asu edu>
Date: Tue, 04 Sep 2001 08:49:28 -0700 (MST)
i didn't read your whole post, but looking through the little i did, yes that looks like a scanner, it looks like they were actually focused on one os, no you probably don't have anything much to worry about, every one i saw was a 404 error, if they got in, they prolly would've cleaned the logs, keep an eye out for anything strange, in case it wasn't just a random scan, check to make sure none of those files exist- but overall you're probably safe and yes that was a scanner- look @ the time stamps, within seconds, this person left a huge footprint. you probably have nothing to worry about, just go check and make sure you have no known vulnerabilities, and make sure none of those files exist, prolly even want to look at wherever people with ms products look at for security bulletins and see if there's anything new. but this is just imho
// jnf
Quoting "Hill, James" <jhill () sanitorsinc com>:
I have been getting this on the two web servers I run internally (Apache Using Jakarta). After a long weekend I came in and started reading my logs, and noticed this on both the web servers almost identical information on them. My question is this a tool (script) doing this and is it something that is doing mass scans?
JH
--->LOG
2001-09-03 11:11:07 - Ctx( ): 404 R( + /C:/temp/\../ + null) null
2001-09-03 11:11:07 - Ctx( ): 404 R( + /usr/bin/FlagShip_c + null) null
2001-09-03 11:11:07 - Ctx( ): 404 R( + /cgi-bin/bb-rep.sh + null) null
2001-09-03 11:11:07 - Ctx( ): 404 R( + /Sites/Knowledge/Membership/Inspiredtutorial/ViewCode.asp + null) null
2001-09-03 11:11:07 - Ctx( ): 404 R( + /WCB/databases/instructors.passwd + null) null
2001-09-03 11:11:07 - Ctx( ): 404 R( + /perl/files.pl + null) null
2001-09-03 11:11:07 - Ctx( ): 404 R( + /usr/bin/FSserial + null) null
2001-09-03 11:11:07 - Ctx( ): 404 R( + /Sites/Knowledge/Membership/Inspired/ViewCode.asp + null) null
2001-09-03 11:11:07 - Ctx( ): 404 R( + /_vti_pvt/users.pwd + null) null
2001-09-03 11:11:07 - Ctx( ): 404 R( + SnapStream + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /usr/bin/FSserial + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /..?»../..?»../cmd1.exe + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /Sites/Knowledge/Membership/Inspired/ViewCode.asp + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /..\..\..\..\..\autoexec.bat + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/replicator/webpage.cgi/ + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /scripts/tradecli.dll + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/cart.pl + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/cartmanager.cgi + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /cfdocs/exampleapp/publish/admin/addcontent.cfm + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/websync.exe + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/ezshopper3/loadpage.cgi + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/cvsweb.cgi + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /interscan/cgi-bin/HttpSaveCSP.dll + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/..%5c..%5c/..%5c..%5c/winnt/system32/cmd.exe + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/cvsweb.cgi + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/bb-rep.sh + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /..?»../..?»../cmd.exe + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /interscan/cgi-bin/HttpSaveCSP.dll + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /4DBin/_/C:/winnt/repair/sam._ + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /cgi-bin/..%5c..%5c/..%5c..%5c/winnt/system32/cmd.exe + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /..\..\..\..\..\autoexec.bat + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /cgi-bin/bb-hostsvc.sh + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /..?»../..?»../cmd.exe + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /iisadmpwd/..%5c..%5c/..%5c..%5c/winnt/system32/cmd.exe + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /..\..\..\boot.ini + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /cgi-bin/bb-hostsvc.sh + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /iisadmpwd/sensepost.exe + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /cgi-bin/webspirs.cgi + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /cgi-bin/a1stats/a1disp2.cgi + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /iisadmpwd/..%5c..%5c/..%5c..%5c/winnt/system32/cmd.exe + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /..\..\..\boot.ini + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /cgi-bin/bb-histlog.sh + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /cgi-bin/webspirs.cgi + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /cgi-bin/a1stats/a1disp4.cgi + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /_vti_bin/..%5c..%5c/..%5c..%5c/winnt/system32/cmd.exe + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /../../../boot.ini + null) null
2001-09-03 11:11:10 - Ctx( ): 404 R( + /cgi-bin/bb-histlog.sh + null) null
2001-09-03 11:11:10 - Ctx( ): 404 R( + /scripts/passwd.txt .pl + null) null
2001-09-03 11:11:10 - Ctx( ): 404 R( + /cgi-bin/lister + null) null
2001-09-03 11:11:10 - Ctx( ): 404 R( + /doc/packages/ + null) null
2001-09-03 11:11:10 - Ctx( ): 404 R( + /cgi-bin/a1stats/a1disp4.cgi + null) null
2001-09-03 11:11:10 - Ctx( ): 404 R( + /iisadmpwd/sensepost.exe + null) null
2001-09-03 11:11:10 - Ctx( ): 404 R( + /cgi-bin/bb-hist.sh + null) null
2001-09-03 11:11:10 - Ctx( ): 404 R( + /cgi-bin/a1stats/a1disp3.cgi + null) null
2001-09-03 11:11:10 - Ctx( ): 404 R( + /iisadmpwd/cmd1.exe + null) null
2001-09-03 11:11:10 - Ctx( ): 404 R( + /cgi-bin/bb-hist.sh + null) null
2001-09-03 11:11:11 - Ctx( ): 404 R( + /_vti_bin/..%5c..%5c/..%5c..%5c/winnt/system32/cmd.exe + null) null
2001-09-03 11:11:11 - Ctx( ): 404 R( + /../../../boot.ini + null) null
2001-09-03 11:11:11 - Ctx( ): 404 R( + /cgi-bin/a1stats/a1disp3.cgi + null) null
2001-09-03 11:11:11 - Ctx( ): 404 R( + /iisadmpwd/cmd1.exe + null) null
2001-09-03 11:11:11 - Ctx( ): 404 R( + /msadc/..%5c..%5c/..%5c..%5c/winnt/system32/cmd.exe + null) null
2001-09-03 11:11:12 - ContextManager: SocketException reading request, ignored - java.net.SocketException: Connection reset by peer: JVM_recv in socket input stream read
    at java.net.SocketInputStream.socketRead(Native Method)
    at java.net.SocketInputStream.read(SocketInputStream.java:86)
    at java.io.BufferedInputStream.fill(BufferedInputStream.java:186)
    at java.io.BufferedInputStream.read(BufferedInputStream.java:204)
    at org.apache.tomcat.service.http.HttpRequestAdapter.doRead(HttpRequestAdapter.java:115)
    at org.apache.tomcat.core.BufferedServletInputStream.doRead(BufferedServletInputStream.java:106)
    at org.apache.tomcat.core.BufferedServletInputStream.read(BufferedServletInputStream.java:128)
    at javax.servlet.ServletInputStream.readLine(ServletInputStream.java:138)
    at org.apache.tomcat.service.http.HttpRequestAdapter.readNextRequest(HttpRequestAdapter.java:129)
    at org.apache.tomcat.service.http.HttpConnectionHandler.processConnection(HttpConnectionHandler.java:198)
    at org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java:416)
    at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java:501)
    at java.lang.Thread.run(Thread.java:484)
2001-09-03 11:11:13 - Ctx( ): 404 R( + SnapStream + null) null
2001-09-03 11:11:13 - Ctx( ): 404 R( + SnapStream + null) null
2001-09-03 11:11:14 - Ctx( ): 404 R( + /includes/global.inc + null) null
2001-09-03 11:11:15 - Ctx( ): 404 R( + /global.asa .htr + null) null
2001-09-03 11:11:15 - Ctx( ): 404 R( + /pollit/Poll_It_v2.0.cgi + null) null
2001-09-03 11:11:15 - Ctx( ): 404 R( + /iissamples/issamples/fastq.idq + null) null
2001-09-03 11:11:16 - Ctx( ): 404 R( + /cfdocs/expeval/sendmail.cfm + null) null
2001-09-03 11:11:16 - Ctx( ): 404 R( + /cgi-bin/wais + null) null
2001-09-03 11:11:16 - Ctx( ): 404 R( + /cgi-bin/DCShop + null) null
2001-09-03 11:11:16 - Ctx( ): 404 R( + SnapStream + null) null
2001-09-03 11:11:16 - Ctx( ): 404 R( + /cgi-bin/websync.exe + null) null
2001-09-03 11:11:16 - Ctx( ): 404 R( + /officescan/cgi/jdkRqNotify.exe + null) null
2001-09-03 11:11:17 - Ctx( ): 404 R( + SnapStream + null) null
2001-09-03 11:11:17 - Ctx( ): 404 R( + /cgi-bin/pollit/Poll_It_SSI_v2.0.cgi + null) null
2001-09-03 11:11:17 - Ctx( ): 404 R( + /iissamples/issamples/fastq.idq + null) null
2001-09-03 11:11:17 - Ctx( ): 404 R( + /cgi-bin/pollit/Poll_It_SSI_v2.0.cgi + null) null
2001-09-03 11:11:17 - Ctx( ): 404 R( + /iissamples/issamples/query.idq + null) null
2001-09-03 11:11:18 - Ctx( ): 404 R( + /iissamples/issamples/query.idq + null) null
2001-09-03 11:11:19 - Ctx( ): 404 R( + /cgi-bin/wais + null) null
2001-09-03 11:11:19 - Ctx( ): 404 R( + /cgi-bin/DCShop + null) null
2001-09-03 11:11:20 - Ctx( ): 404 R( + /iisadmpwd/cmd.exe + null) null
2001-09-03 11:11:20 - Ctx( ): 404 R( + /iisadmpwd/cmd.exe + null) null
2001-09-03 11:11:21 - Ctx( ): 404 R( + /samples/sensepost.exe + null) null
2001-09-03 11:11:21 - Ctx( ): 404 R( + /samples/sensepost.exe + null) null
2001-09-03 11:11:21 - Ctx( ): 404 R( + /samples/cmd1.exe + null) null
2001-09-03 11:11:21 - Ctx( ): 404 R( + /samples/cmd1.exe + null) null
2001-09-03 11:11:22 - Ctx( ): 404 R( + /cgi-bin/simplestmail.cgi + null) null
2001-09-03 11:11:22 - Ctx( ): 404 R( + /samples/cmd.exe + null) null
2001-09-03 11:11:22 - Ctx( ): 404 R( + /samples/cmd.exe + null) null
2001-09-03 11:11:22 - Ctx( ): 404 R( + /cgi-bin/sensepost.exe + null) null
2001-09-03 11:11:23 - Ctx( ): 404 R( + /cgi-bin/sensepost.exe + null) null
2001-09-03 11:11:23 - Ctx( ): 404 R( + /cgi-bin/cmd1.exe + null) null
2001-09-03 11:11:23 - Ctx( ): 404 R( + /cgi-bin/cmd1.exe + null) null
2001-09-03 11:11:23 - Ctx( ): 404 R( + /cgi-bin/cmd.exe + null) null
2001-09-03 11:11:24 - Ctx( ): 404 R( + /cgi-bin/cmd.exe + null) null
2001-09-03 11:11:24 - Ctx( ): 404 R( + /vti_cnf/sensepost.exe + null) null
2001-09-03 11:11:24 - Ctx( ): 404 R( + /vti_cnf/sensepost.exe + null) null
2001-09-03 11:11:25 - Ctx( ): 404 R( + /vti_cnf/cmd1.exe + null) null
2001-09-03 11:11:27 - Ctx( ): 404 R( + /iisadmpwd/ + null) null
2001-09-03 11:11:27 - Ctx( ): 404 R( + /cgi-bin/ustorekeeper.pl + null) null
2001-09-03 11:11:27 - Ctx( ): 404 R( + /msadc/..%5c..%5c/..%5c..%5c/winnt/system32/cmd.exe + null) null
2001-09-03 11:11:27 - Ctx( ): 404 R( + /.nsf/../winnt/win.ini + null) null
2001-09-03 11:11:27 - Ctx( ): 404 R( + /iissamples/exair/howitworks/codebrws.asp + null) null
2001-09-03 11:11:27 - Ctx( ): 404 R( + /usr/bin/xvcad/glib/ + null) null
2001-09-03 11:11:27 - Ctx( ): 404 R( + /cgi-bin/ustorekeeper.pl + null) null
2001-09-03 11:11:27 - Ctx( ): 404 R( + /scripts/..%5c..%5cwinnt/system32/cmd.exe + null) null
2001-09-03 11:11:27 - Ctx( ): 404 R( + /usr/bin/xvcad/glib/ + null) null
2001-09-03 11:11:27 - Ctx( ): 404 R( + /scripts/..%5c..%5cwinnt/system32/cmd.exe + null) null
2001-09-03 11:11:27 - Ctx( ): 404 R( + /usr/bin/xvcad/var_rm + null) null
2001-09-03 11:11:28 - Ctx( ): 404 R( + /usr/bin/xvcad/var_rm + null) null
2001-09-03 11:11:28 - Ctx( ): 404 R( + /vti_cnf/cmd1.exe + null) null
2001-09-03 11:11:28 - Ctx( ): 404 R( + /usr/bin/xvcad/igesin + null) null
2001-09-03 11:11:28 - Ctx( ): 404 R( + /vti_cnf/cmd.exe + null) null
2001-09-03 11:11:28 - Ctx( ): 404 R( + /usr/bin/xvcad/igesin + null) null
2001-09-03 11:11:29 - Ctx( ): 404 R( + /vti_cnf/cmd.exe + null) null
2001-09-03 11:11:29 - Ctx( ): 404 R( + /usr/bin/xvcad/dxfin + null) null
2001-09-03 11:11:29 - Ctx( ): 404 R( + /vti_bin/sensepost.exe + null) null
2001-09-03 11:11:29 - Ctx( ): 404 R( + /usr/bin/xvcad/dxfin + null) null
2001-09-03 11:11:29 - Ctx( ): 404 R( + /vti_bin/sensepost.exe + null) null
2001-09-03 11:11:29 - Ctx( ): 404 R( + /vti_bin/cmd1.exe + null) null
2001-09-03 11:11:30 - Ctx( ): 404 R( + /vti_bin/cmd1.exe + null) null
2001-09-03 11:11:30 - Ctx( ): 404 R( + /vti_bin/cmd.exe + null) null
2001-09-03 11:11:30 - Ctx( ): 404 R( + /vti_bin/cmd.exe + null) null
2001-09-03 11:11:31 - Ctx( ): 404 R( + /msadc/sensepost.exe + null) null
2001-09-03 11:11:31 - Ctx( ): 404 R( + /msadc/sensepost.exe + null) null
2001-09-03 11:11:31 - Ctx( ): 404 R( + /msadc/cmd1.exe + null) null
2001-09-03 11:11:32 - Ctx( ): 404 R( + /msadc/cmd1.exe + null) null
2001-09-03 11:11:32 - Ctx( ): 404 R( + /msadc/cmd.exe + null) null
2001-09-03 11:11:32 - Ctx( ): 404 R( + /msadc/cmd.exe + null) null
2001-09-03 11:11:32 - Ctx( ): 404 R( + /scripts/sensepost.exe + null) null
2001-09-03 11:11:42 - Ctx( ): 404 R( + /scripts/sensepost.exe + null) null
2001-09-03 11:11:42 - Ctx( ): 404 R( + /scripts/cmd1.exe + null) null
2001-09-03 11:11:42 - Ctx( ): 404 R( + /scripts/cmd1.exe + null) null
2001-09-03 11:11:43 - Ctx( ): 404 R( + /scripts/cmd.exe + null) null
2001-09-03 11:11:43 - Ctx( ): 404 R( + /scripts/cmd.exe + null) null
2001-09-03 11:11:43 - Ctx( ): 404 R( + /sensepost.exe + null) null
2001-09-03 11:11:44 - Ctx( ): 404 R( + /sensepost.exe + null) null
2001-09-03 11:11:44 - Ctx( ): 404 R( + /cmd1.exe + null) null
2001-09-03 11:11:44 - Ctx( ): 404 R( + /cmd1.exe + null) null
2001-09-03 11:11:44 - Ctx( ): 404 R( + /cmd.exe + null) null
2001-09-03 11:11:45 - Ctx( ): 404 R( + /cmd.exe + null) null
End <--
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
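The two checks from the reply above (requests arriving within seconds of each other, and every response a 404) written as a triage script. This is an added example, not part of the original thread; the entry regex is inferred from the quoted log, and the threshold of 5 requests per second is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Entry shape as it appears in the quoted log:
#   2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/cart.pl + null) null
ENTRY = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) - Ctx\(.*?\): (\d{3}) R\( \+ (.*?) \+ null\)"
)

# Entries copied from the quoted log (wrapped lines rejoined). The last line is
# the non-request ContextManager message, which the parser must skip.
SAMPLE = """\
2001-09-03 11:11:08 - Ctx( ): 404 R( + /scripts/tradecli.dll + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/cart.pl + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/cartmanager.cgi + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/websync.exe + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/cvsweb.cgi + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /cgi-bin/bb-hostsvc.sh + null) null
2001-09-03 11:11:12 - ContextManager: SocketException reading request, ignored -
""".splitlines()

def parse(lines):
    """Yield (timestamp, status, path) for each request entry; skip other lines."""
    for line in lines:
        m = ENTRY.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, int(m.group(2)), m.group(3)

def triage(lines, burst_per_sec=5):
    """Summarise a burst: request rate, and any probe that did not end in 404."""
    entries = list(parse(lines))
    per_second = Counter(ts for ts, _, _ in entries)
    peak = max(per_second.values(), default=0)
    span = (max(per_second) - min(per_second)).total_seconds() if entries else 0
    return {
        "requests": len(entries),
        "span_seconds": span,
        "peak_per_second": peak,
        "automated": peak >= burst_per_sec,  # assumed threshold, tune per site
        # Anything other than 404 means the probed path exists: check it by hand.
        "follow_up": sorted({p for _, s, p in entries if s != 404}),
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

An empty `follow_up` list corresponds to "every one i saw was a 404"; any path that shows up there is one of the files the reply says to go and check for.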
