Re: Strange web vulnerability scanner

[Jorge Silva <j.silva () IEEE org>]

Hi,

That's an anti-IDS technique. CUM security toolkit lets you modify a lot 
of headers.

js

Joao Gouveia wrote:

> Hello list,
>
>
> I've got today a series of alerts logged on my IDS regarding multiple
> known web servers/applications vulnerabilities.
> On a normal situation, I would find that "normal", since it happens on a
> regular basis.
> The strange thing of this scan, with fixed source I.P., was that, by
> analizing packet payload, I noticed that the User-Agent host header user
> contained diferent (very diferent ) values for each request. And I do
> mean a diferent user-agent for each one.
> The first thing that came to mind was that it might just be gateway or
> some kind of proxy forwarding the requests. But I would find that rather
> dificult because mainly because of two facts:
> A - Source port allways increments by one.
> B - All requests (96) where made on an interval window of 7 seconds.
>
> My question is simple and related only with curiosity. Does anyone here
> knows of a tool that acts like this?
>
> For the curious, the user-agent's sent where all variations of:
> Mozilla/3.01
> Mozilla/4.0
> Mozilla/4.6
> Mozilla/4.7
> Mozilla/4.72
> Mozilla/4.73
>
>
> Thanks in advance,
>
> Joao Gouveia
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com
>
>
> .
>
>  

--
Jorge Silva




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com