Security Incidents mailing list archives

Re: site probe


From: mark Hoffman <mhoffman1 () iowatelecom net>
Date: Thu, 5 Oct 2006 22:22:58 -0500

On Thursday 05 October 2006 12:21 pm, dso wrote:

This may shed some light. 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5152
Or isc.sans.org

I got an interesting series of 404s on my website from
211-72-233-10.HINET-IP.hinet.net

tcnuke appears to be a Chinese web portal system like phpnuke

I usually get these kinds of probes after an exploit has been found.

In order from last to first 404

/tcnuke/bbmpg12418.zip
/images/bbmpeg.html
/tcnuke/asftools310_tw.zip
/images/asftools310.exe
/tcnuke/ttpsetup_cht.exe
/tcnuke/xmplay33.zip
/tcnuke/xmplay.html
/tcnuke/player.php
/tcnuke/cwinamp5094.exe
/tcnuke/winamp53_pro.exe
/tcnuke/downloader.php?plugin=2
/tcnuke/qcd451.exe
/tcnuke/DLM_2200046_CHT.exe
/tcnuke/mmsetup_10004015c_ENU.exe
/tcnuke/3000-2167_4-10495839.html?tag=pdp_prod
/includes/iTunesSetup.exe
/includes/foobar2000_0.9.4.exe
/hc/qcd451.exe
/hc/bbmpg12418.zip
/hc/asftools310_tw.zip
/hc/FreeMeterSetup.exe
/hc/bitpro.exe
/hc/cwinamp5094.exe
/hc/winamp53_pro.exe
/hc/3000-2121_4-10492453.html
/hc/DLM_2200046_CHT.exe
/hc/mmsetup_10004015c_ENU.exe
/hc/3000-2167_4-10495839.html?tag=pdp_prod
/includes/3DMark06_v102_installer.exe
/de/
/badfs/badfs/tw2/
/support/downloads/
/products/dexp/downloads/
/arc/
/lightning/
/images/heliattack2.php
/images/view.php?nid=64
/tcnuke/d-6.htm
/FastStone-Image-Viewer/
/games/cubis2/play/
/customer/

Daniel
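An added example, not part of the original thread: one way to surface a series of 404s like the one reported above from a web server access log, by flagging clients whose requests are mostly 404s spread over many distinct paths. It assumes Common/Combined Log Format; the function name, thresholds, addresses and log lines are constructed for illustration, with a few paths taken from the list above.

```python
import re
from collections import Counter, defaultdict

# Common/Combined Log Format: host ident user [time] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def find_404_probes(lines, min_distinct=5, min_ratio=0.8):
    """Return {host: summary} for clients whose traffic is dominated by 404s
    over many distinct paths (thresholds are assumptions; tune per site)."""
    total = Counter()            # all parsed requests per client
    not_found = Counter()        # 404 responses per client
    paths = defaultdict(set)     # distinct 404 paths per client, query stripped
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue             # skip lines that are not in the expected format
        host = m["host"]
        total[host] += 1
        if m["status"] == "404":
            not_found[host] += 1
            paths[host].add(m["path"].split("?", 1)[0])
    report = {}
    for host, seen in paths.items():
        ratio = not_found[host] / total[host]
        if len(seen) >= min_distinct and ratio >= min_ratio:
            # Group by first path segment to show which directories were guessed.
            dirs = Counter(p.split("/")[1] for p in seen)
            report[host] = {"distinct_404": len(seen), "ratio": ratio,
                            "top_dirs": dirs.most_common(3)}
    return report

def _line(host, path, status):
    # Helper that builds one constructed log line for the sample below.
    return f'{host} - - [05/Oct/2006:12:00:00 -0500] "GET {path} HTTP/1.1" {status} 512'

# Constructed sample: one probing client and one ordinary visitor.
PROBE_PATHS = ["/tcnuke/player.php", "/tcnuke/downloader.php?plugin=2",
               "/tcnuke/xmplay.html", "/hc/bitpro.exe", "/hc/qcd451.exe",
               "/includes/iTunesSetup.exe"]
SAMPLE_LOG = ([_line("192.0.2.10", p, 404) for p in PROBE_PATHS]
              + [_line("198.51.100.7", "/index.html", 200),
                 _line("198.51.100.7", "/favicon.ico", 404),
                 _line("198.51.100.7", "/about.html", 200),
                 "not a log line"])

if __name__ == "__main__":
    for host, info in find_404_probes(SAMPLE_LOG).items():
        print(host, info)
```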
