Security Incidents mailing list archives
New scanner?
From: Jeremy <prrthd25 () yahoo com>
Date: Wed, 20 Nov 2002 07:29:57 -0800 (PST)
Hello all, My snort box picked this up yesterday fron two different source ip's and I was wondering if anyone had seen this pattern before. Both times snort logged 718 alerts consisting of the following: 1 instances of WEB-IIS multiple decode attempt 1 instances of FTP invalid MODE 1 instances of WEB-MISC http directory traversal 2 instances of WEB-IIS scripts access 2 instances of (spp_portscan2) Portscan detected 3 instances of WEB-IIS Unicode2.pl script (File permission canonicalization) 6 instances of POLICY FTP anonymous login attempt 17 instances of WEB-IIS CodeRed v2 root.exe access 685 instances of WEB-IIS cmd.exe access This may have been around awhile but its the first time I've seen it, so I figured I would ask. If this is something new I do have packets captures from all the alerts. Thanks, Jeremy __________________________________________________ Do you Yahoo!? Yahoo! Web Hosting - Let the expert host your site http://webhosting.yahoo.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- New scanner? Jeremy (Nov 21)
- RE: New scanner? newsletters (Nov 22)
- RE: New scanner? Jason Frey (Nov 25)
- Re: New scanner? Russell Fulton (Nov 24)
- RE: New scanner? newsletters (Nov 22)