Security Incidents mailing list archives

RE: New attack or old Vulnerability Scanner?

From: "James C. Slora, Jr." <James.Slora () fairfax phra com>
Date: Fri, 25 Apr 2003 15:00:56 -0400

Mark Embrich wrote Thursday, April 24, 2003 7:44 PM

Does anyone recognize this pattern of a TCP connect scan, then 65 GETs?
Note that it also included:  "User-Agent:.Mozilla/3.0.
(compatible;.Indy.Library)...."


I don't know the tool, but I have seen a similar and possibly related scan before.
http://cert.uni-stuttgart.de/archive/intrusions/2002/07/msg00119.html

- Indy.Library in user-agent
- Nimda-like directory traversal attempts
- Looks for shell.exe and root.exe and cmd.exe

Mine appeared to come from a Windows box, so I don't think it's a NIX only tool.

----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
world's premier event for IT and network security experts.  The two-day
Training features 6 hand-on courses on May 12-13 taught by professionals.
The two-day Briefings on May 14-15 features 24 top speakers with no vendor
sales pitches.  Deadline for the best rates is April 25.  Register today to
ensure your place. http://www.securityfocus.com/BlackHat-incidents
----------------------------------------------------------------------------

Current thread:

New attack or old Vulnerability Scanner? Mark Embrich (Apr 25)
- RE: New attack or old Vulnerability Scanner? Keith (Apr 28)
- <Possible follow-ups>
- RE: New attack or old Vulnerability Scanner? James C. Slora, Jr. (Apr 28)
- Re: New attack or old Vulnerability Scanner? Jason Falciola (Apr 28)
- Re: New attack or old Vulnerability Scanner? rhandwerker (Apr 28)
- Re: New attack or old Vulnerability Scanner? jac (Apr 29)
- Re: New attack or old Vulnerability Scanner? Mark Embrich (Apr 29)
- Re: New attack or old Vulnerability Scanner? Jason Falciola (Apr 30)
- Re: New attack or old Vulnerability Scanner? Jason Falciola (Apr 30)