Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Increased IIS scans mainly on 66.0.0.0/8 - Update

From: "Richard Gilman" <Richard.Gilman () ntn com>
Date: Mon, 19 Aug 2002 08:19:12 -0700
I did a query of the WEB-IIS cmd.exe access alerts for 8/15 on our
66.0.0.0/8 network and I see 31 sources each send in multiples of 13
attempts. Of the 31 hosts, 3 sources were not from 66/8. One of those
was from wanadoo.fr with 130 hits. The hits can come as fast as 2 per
second, so I assume that it has to be scripted. This is only an
annoyance and does not do anything more that make noise in my logs, but
I think it is some sort of worm because of the fact they all send in
multiples of 13 and it seems that the odds of having 31 script kiddies
running the same script against our site in the same day is fairly low
and over a month we have 448 different sources doing the same thing.
Just an observation if you are interested.

 

Rich

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: