So I donned my black hat and mask and did a little investigating - seems the box which the probes are coming from is a Linux box in Korea. I received 4 of the same probes at intervals throughout yesterday - probably linked to the fact that I'm running 4 websites off the same machine. Must be scanning the .co.za domain namespace.

The scanning machine's port 21 was open so I grabbed the banner - wuftpd 2.6. Guest access is closed so the machine was probably a Red Hat 6.2 default install that got exploited and has now been patched by the attacker.

This is not the first Korean machine to try Windows exploits on my machine - from my previous experiences the rooted machines belong to a Korean ISP. Unfortunately no contact has been made with the above ISP.

Be prepared to see a lot of .co.za defacements in the near future.

Thanks for your contributions everyone.

Shaun.

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTSat_private] On Behalf Of Shaun Dewberry
Sent: 04 May 2001 04:15
To: INCIDENTSat_private
Subject: IIS 5, WIN2K scans?

Here we go, the kiddies have come out to play again! Below find the infringing party - another sploited box in Korea?... I didn't read the vulnerability report properly yesterday, but it looks like the new IIS5, Win2k bug. Pity I'm not running IIS 5 on Win2000... Anybody else get anything similar?

Time is GMT+02:00 (South Africa Standard Time).
access_log:

211.63.33.69 - - [04/May/2001:15:13:44 +0200] "GET /NULL.printer HTTP/1.0" 400 325
211.63.33.69 - - [04/May/2001:15:41:32 +0200] "GET /NULL.printer HTTP/1.0" 400 325
211.63.33.69 - - [04/May/2001:15:52:30 +0200] "GET /NULL.printer HTTP/1.0" 400 325
211.63.33.69 - - [04/May/2001:16:09:33 +0200] "GET /NULL.printer HTTP/1.0" 400 325
211.63.33.69 - - [04/May/2001:16:10:11 +0200] "GET /NULL.printer HTTP/1.0" 400 325

error_log:

[Fri May 4 15:13:44 2001] [error] [client 211.63.33.69] Client sent malformed Host header
[Fri May 4 15:41:32 2001] [error] [client 211.63.33.69] Client sent malformed Host header
[Fri May 4 15:52:30 2001] [error] [client 211.63.33.69] Client sent malformed Host header
[Fri May 4 16:09:33 2001] [error] [client 211.63.33.69] Client sent malformed Host header
[Fri May 4 16:10:11 2001] [error] [client 211.63.33.69] Client sent malformed Host header
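The log lines above are the signature of a scanner throwing the IIS 5 ".printer" ISAPI overflow (the one the poster refers to) at every host in a range: a GET for any resource ending in .printer, with the overflow payload carried in an oversized Host header, which is exactly what makes Apache reject the request with 400 and log "Client sent malformed Host header". The following script is an added example, not code from the original post or from the list; it parses Apache common-log-format lines, flags requests whose resource maps to the .printer extension (compared case-insensitively and with the query string stripped, since IIS matches extensions that way), and groups the hits per source address with count, time span and response codes. The sample log is constructed for the example: it embeds the five probe lines quoted in the post plus some benign requests, a case-variant probe from a hypothetical second address, and a junk line to exercise the parser. The 400 status in the summary is the quick way to confirm, as the poster did, that the requests never reached an IIS handler.

```python
import re
from datetime import datetime

# Constructed sample log for this example. The five 211.63.33.69 lines are the
# probes quoted in the post; every other line is made up to exercise the code.
SAMPLE_ACCESS_LOG = """\
211.63.33.69 - - [04/May/2001:15:13:44 +0200] "GET /NULL.printer HTTP/1.0" 400 325
211.63.33.69 - - [04/May/2001:15:41:32 +0200] "GET /NULL.printer HTTP/1.0" 400 325
192.0.2.10 - - [04/May/2001:15:42:01 +0200] "GET /index.html HTTP/1.0" 200 1043
211.63.33.69 - - [04/May/2001:15:52:30 +0200] "GET /NULL.printer HTTP/1.0" 400 325
192.0.2.10 - - [04/May/2001:15:43:12 +0200] "GET /printer-drivers.html HTTP/1.0" 200 2210
198.51.100.7 - - [04/May/2001:16:00:00 +0200] "GET /x.PRINTER?a=1 HTTP/1.1" 404 210
211.63.33.69 - - [04/May/2001:16:09:33 +0200] "GET /NULL.printer HTTP/1.0" 400 325
211.63.33.69 - - [04/May/2001:16:10:11 +0200] "GET /NULL.printer HTTP/1.0" 400 325
this line is not in common log format
"""

# Apache common log format: ip ident user [ts] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one common-log-format line into a dict, or return None if it
    does not match (so a corrupt or foreign line never aborts the scan)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    entry["status"] = int(entry["status"])
    return entry


def is_printer_probe(entry):
    """True if the requested resource would be handled by the IIS .printer
    ISAPI extension. IIS maps extensions case-insensitively and ignores the
    query string, so '/x.PRINTER?a=1' matches while '/printer-drivers.html'
    does not."""
    path = entry["path"].split("?", 1)[0]
    return path.lower().endswith(".printer")


def find_printer_probes(log_text):
    """Return {ip: {count, first, last, span_seconds, statuses}} for every
    client that requested a .printer resource."""
    hits = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not is_printer_probe(entry):
            continue
        h = hits.setdefault(entry["ip"], {
            "count": 0, "first": entry["ts"], "last": entry["ts"], "statuses": set(),
        })
        h["count"] += 1
        h["first"] = min(h["first"], entry["ts"])
        h["last"] = max(h["last"], entry["ts"])
        h["statuses"].add(entry["status"])
    for h in hits.values():
        h["span_seconds"] = int((h["last"] - h["first"]).total_seconds())
    return hits


def report(hits):
    """One summary line per source, busiest first. A 400 from Apache means the
    oversized Host header was rejected before any handler saw the request."""
    lines = []
    for ip, h in sorted(hits.items(), key=lambda kv: -kv[1]["count"]):
        lines.append(
            f"{ip}: {h['count']} .printer probe(s) over {h['span_seconds']}s, "
            f"statuses {sorted(h['statuses'])}"
        )
    return lines


if __name__ == "__main__":
    for line in report(find_printer_probes(SAMPLE_ACCESS_LOG)):
        print(line)
```

Run it against a real access_log by replacing SAMPLE_ACCESS_LOG with the file contents; on the sample it reports 211.63.33.69 with five probes over 3387 seconds and only 400 responses, and the hypothetical 198.51.100.7 with one. The time span is worth keeping in the report because the irregular intervals in the post (minutes apart, then two within 40 seconds) are typical of a mass scanner walking a range of addresses rather than a targeted attack on one host.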
This archive was generated by hypermail 2b30 : Sat May 05 2001 - 07:23:59 PDT