Security Incidents mailing list archives

AW: strange .ch scan by 195.141.86.145

From: "Pascal C. Kocher" <pascal.kocher () netbeat biz>
Date: Tue, 28 May 2002 09:03:32 +0200

Hi all

Hi, I just noticed a strange scan in the web logs of all .ch and .li 
domains. Friends recognized similar scans. So far I dont know what 
the purpose of this scan is... MS collection information?

/www/www.swordlord.ch/access_log:195.141.86.145 - - 
[24/May/2002:20:50:05 +0200] "GET 
http://www.swordlord.ch/hgfserd.aspx HTTP/1.0" 302 289 "-" 
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 
1.0.3705)"


We recorded the same pattern on all of our virtual servers. Preceeding
that pattern, on an irregular timed basis they where trying to get
http://www.w3c.org (as proxy).

Can you also confirm this?

Best regards,
Pascal.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

Current thread:

AW: strange .ch scan by 195.141.86.145 Pascal C. Kocher (May 28)
- Re: AW: strange .ch scan by 195.141.86.145 Rainer Duffner (May 30)