Security Incidents mailing list archives

Re: Need help to find web server attacks signature


From: Fatih Özavcı <holden () siyahsapka com>
Date: 23 Oct 2003 11:38:19 +0000

Maybe the attacker used a CGI scanner like whisker or nikto. This log
contains some well-known vulnerable CGIs, misconfigured admin pages
and vulnerable PHP applications.

I don't think it's Retina. Retina can scan only some well-known
vulnerabilities or buffer overflows and is focused on Windows applications.
But I found some CGI applications for *nix in this log. I think it's a
CGI scanner.


-- 
Fatih Ozavci
IT Security Consultant

On Wed, 2003-10-22 at 19:23, Muhammad Naseer wrote:
Sounds like Retina using CHM for HTTP.


Naseer


----- Original Message ----- 
From: "Maxime Ducharme" <maxime () pandore-design com>
To: <incidents () securityfocus com>
Sent: Wednesday, October 22, 2003 10:43 PM
Subject: Need help to find web server attacks signature



Hi all,
    I need help to identify an attack that happened on one of our
customer's web servers yesterday. I put the log file here:
http://www.pandore-design.com/security/2003-10-21-IIS-attack.txt

I see some attacks that seem to be from a security scanner tool,
and some attacks which target specific pages of the web site
(where we begin to see 200 responses from the web server).

Does anyone recognize a tool / virus / worm in this?

Thanks in advance for help

---------------------------------------------------------------
  Maxime Ducharme
  Network Administrator, Programmer


