Security Incidents mailing list archives

Re: New scanner?


From: Russell Fulton <r.fulton () auckland ac nz>
Date: 22 Nov 2002 17:28:09 +1300

On Thu, 2002-11-21 at 04:29, Jeremy wrote:
Hello all,

  My snort box picked this up yesterday from two
different source IPs and I was wondering if anyone
had seen this pattern before. Both times snort logged
718 alerts consisting of the following:

1 instances of WEB-IIS multiple decode attempt 
1 instances of FTP invalid MODE 
1 instances of WEB-MISC http directory traversal 
2 instances of WEB-IIS scripts access 
2 instances of (spp_portscan2) Portscan detected 
3 instances of WEB-IIS Unicode2.pl script (File
permission canonicalization) 
6 instances of POLICY FTP anonymous login attempt 
17 instances of WEB-IIS CodeRed v2 root.exe access 
685 instances of WEB-IIS cmd.exe access 

I've been seeing many variations on this scheme (but not this exact one)
over the last month or so. Most that I have investigated by looking at
the argus logs are clearly FxScanner (probe to tcp 57 - gives it away).
This tool is really a delivery vehicle for whatever exploits you want
to code into it.  I.e. it is easily extended and there are now many
variants floating around.

Our record so far is 40,000 IIS exploits in an hour from one host
delivered to web servers on campus.   I can't remember if it checks to
make sure it is IIS first or not. 


-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

"It aint necessarily so"  - Gershwin
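Added example, not part of the original thread: the two signals described above (a snort alert summary dominated by IIS exploit signatures, and a source that probes tcp/57 before sweeping many web servers) expressed as detection logic a defender could run over their own logs. The flow-record format and the addresses in FLOWS are constructed for this example and are not argus output; the alert summary is the one quoted in the report.

```python
"""Constructed example: parse a snort alert summary and correlate it with
flow records to flag an FxScanner-style sweep (tcp/57 probe followed by
a burst of IIS exploit attempts against many hosts).  The flow format and
addresses below are invented for this example, not real argus output."""
import re
from collections import defaultdict

# Alert summary lines as quoted in the original report (counts are theirs).
ALERT_SUMMARY = """\
1 instances of WEB-IIS multiple decode attempt
1 instances of FTP invalid MODE
1 instances of WEB-MISC http directory traversal
2 instances of WEB-IIS scripts access
2 instances of (spp_portscan2) Portscan detected
3 instances of WEB-IIS Unicode2.pl script (File permission canonicalization)
6 instances of POLICY FTP anonymous login attempt
17 instances of WEB-IIS CodeRed v2 root.exe access
685 instances of WEB-IIS cmd.exe access
"""

# Constructed flow records (not argus output): time proto src -> dst state
FLOWS = """\
04:12:01 tcp 198.51.100.7:3321 -> 192.0.2.10:57 RST
04:12:02 tcp 198.51.100.7:3322 -> 192.0.2.10:80 FIN
04:12:02 tcp 198.51.100.7:3323 -> 192.0.2.11:80 FIN
04:12:03 tcp 198.51.100.7:3324 -> 192.0.2.12:80 FIN
04:12:03 tcp 198.51.100.7:3325 -> 192.0.2.13:80 FIN
04:15:40 tcp 203.0.113.9:40210 -> 192.0.2.10:80 FIN
04:15:41 tcp 203.0.113.9:40211 -> 192.0.2.10:80 FIN
"""

SUMMARY_RE = re.compile(r"^\s*(\d+)\s+instances? of\s+(.+?)\s*$")
FLOW_RE = re.compile(
    r"^(\S+)\s+(\w+)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)\s+(\w+)$")


def parse_alert_summary(text):
    """Return {signature: count} from snort's 'N instances of SIG' lines."""
    counts = {}
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            sig = m.group(2)
            counts[sig] = counts.get(sig, 0) + int(m.group(1))
    return counts


def iis_exploit_ratio(counts):
    """Fraction of all alerts that carry a WEB-IIS signature."""
    total = sum(counts.values())
    iis = sum(n for sig, n in counts.items() if sig.startswith("WEB-IIS"))
    return iis / total if total else 0.0


def classify_sources(flow_text, min_web_targets=3):
    """Per source: whether it probed tcp/57 and how many distinct hosts it
    hit on tcp/80.  A source doing both is marked fxscanner_like."""
    probe57 = defaultdict(bool)
    web_targets = defaultdict(set)
    for line in flow_text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        _, proto, src, _, dst, dport, _ = m.groups()
        if proto != "tcp":
            continue
        if dport == "57":
            probe57[src] = True
        elif dport == "80":
            web_targets[src].add(dst)
    verdicts = {}
    for src in set(probe57) | set(web_targets):
        hosts = len(web_targets[src])
        verdicts[src] = {
            "tcp57_probe": probe57[src],
            "web_hosts": hosts,
            "fxscanner_like": probe57[src] and hosts >= min_web_targets,
        }
    return verdicts


if __name__ == "__main__":
    counts = parse_alert_summary(ALERT_SUMMARY)
    print(sum(counts.values()), "alerts,", f"{iis_exploit_ratio(counts):.1%} WEB-IIS")
    for src, v in classify_sources(FLOWS).items():
        print(src, v)
```

The summary parser recovers the 718 alerts from the report, 708 of which are WEB-IIS signatures; the flow correlation marks 198.51.100.7 (tcp/57 probe, then four web hosts) as FxScanner-like and leaves 203.0.113.9 (two hits on one host, no probe) alone. The min_web_targets threshold is an assumption to tune against your own traffic.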


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
