Snort mailing list archives

attack


From: "Scott Taylor" <scottt () soccer com>
Date: Fri, 22 Feb 2002 10:53:26 -0800

So what's the best thing to do with this type of attack? Turn 'em in?
To whom? Is there a way I can let them know that I know what they're
doing? Any ideas?

Cheers,
Scott


[**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:19.830419 63.204.135.168:2122 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:56151 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x79EC6CC Ack: 0x21AE2090 Win: 0x4248 TcpLen: 20 

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:24.084478 63.204.135.168:2313 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:56799 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x841E21B Ack: 0x21DA22E5 Win: 0x4248 TcpLen: 20 

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:26.015481 63.204.135.168:2415 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:57061 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x897EDD4 Ack: 0x221B03CF Win: 0x4248 TcpLen: 20 

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:27.841065 63.204.135.168:2484 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:57309 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x8CD3F1E Ack: 0x21FF7EA1 Win: 0x4248 TcpLen: 20 

[**] [1:1288:2] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentually vulnerable web application] 
[Priority: 2]
02/22-10:13:29.720477 63.204.135.168:2572 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:57558 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x9162D26 Ack: 0x22164ADC Win: 0x4248 TcpLen: 20 

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:31.651168 63.204.135.168:2658 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:57814 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x95C4B1D Ack: 0x21AF8A4E Win: 0x4248 TcpLen: 20 

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:33.689744 63.204.135.168:2740 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:58087 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x9A01736 Ack: 0x22220C8E Win: 0x4248 TcpLen: 20 

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:35.794798 63.204.135.168:2839 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:58370 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x9F34819 Ack: 0x2254F005 Win: 0x4248 TcpLen: 20 

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:37.904728 63.204.135.168:2923 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:58654 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xA3660EC Ack: 0x22D1A6E7 Win: 0x4248 TcpLen: 20 

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:40.239684 63.204.135.168:3022 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:58965 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xA882856 Ack: 0x22BD9884 Win: 0x4248 TcpLen: 20 

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:42.598231 63.204.135.168:3126 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:59278 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xADC9A9C Ack: 0x22C0BEF4 Win: 0x4248 TcpLen: 20 

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:44.946090 63.204.135.168:3227 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:59592 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0xB2DF585 Ack: 0x230644E9 Win: 0x4248 TcpLen: 20 

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:47.344817 63.204.135.168:3337 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:59917 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xB85E8FA Ack: 0x233A0541 Win: 0x4248 TcpLen: 20 

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:49.826087 63.204.135.168:3440 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:60246 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0xBDABDF7 Ack: 0x238A2DB3 Win: 0x4248 TcpLen: 20 

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:52.532260 63.204.135.168:3554 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:60606 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xC37CE49 Ack: 0x22E5E0D1 Win: 0x4248 TcpLen: 20 



THERE IS ONLY ONE... 
SOCCER.COM, The Center of the Soccer Universe
http://www.soccer.com
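
Added example, not part of the original post and not Snort's own code: a small Python parser for alerts in the layout shown above, grouping them by source address into the count, time window, signature IDs and targets one would quote when reporting the activity. The sample alerts are constructed and use documentation address ranges; `parse_alerts` and `summarize` are names chosen here.

```python
import re
from collections import Counter

# Constructed sample in the same Snort alert layout; addresses are documentation ranges.
SAMPLE = """\
[**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:19.830419 192.0.2.10:2122 -> 198.51.100.5:80
TCP TTL:119 TOS:0x0 ID:56151 IpLen:20 DgmLen:112 DF

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:24.084478 192.0.2.10:2313 -> 198.51.100.5:80

[**] [1:1288:2] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentually vulnerable web application]
[Priority: 2]
02/22-10:13:29.720477 192.0.2.10:2572 -> 198.51.100.5:80
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
PRIORITY = re.compile(r"\[Priority: (\d+)\]")
FLOW = re.compile(r"^(\d\d/\d\d-[\d:.]+) ([\d.]+)(?::(\d+))? -> ([\d.]+)(?::(\d+))?$")

def parse_alerts(text):
    """One dict per alert; Priority may sit on its own line after mail wrapping."""
    alerts, cur = [], None
    for line in map(str.strip, text.splitlines()):
        if m := HEADER.match(line):
            cur = {"sid": int(m[2]), "msg": m[4], "priority": None}
            alerts.append(cur)
        elif cur is not None:
            if m := PRIORITY.search(line):
                cur["priority"] = int(m[1])
            if m := FLOW.match(line):
                cur.update(time=m[1], src=m[2], dst=m[4], dport=int(m[5] or 0))
    return [a for a in alerts if "src" in a]  # drop records cut off before the flow line

def summarize(alerts):
    """Per-source totals. Timestamps carry no year, so string order holds within one year."""
    out = {}
    for a in alerts:
        s = out.setdefault(a["src"], {"count": 0, "first": a["time"], "last": a["time"],
                                      "sids": Counter(), "targets": set()})
        s["count"] += 1
        s["first"], s["last"] = min(s["first"], a["time"]), max(s["last"], a["time"])
        s["sids"][a["sid"]] += 1
        s["targets"].add(f'{a["dst"]}:{a["dport"]}')
    return out
```
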
