Re: IIS 5, WIN2K scans?

From: Shaun Dewberry (shaundat_private)
Date: Sat May 05 2001 - 06:01:53 PDT


    So I donned my black hat and mask and did a little investigating - seems the
    box which the probes are coming from is a Linux box in Korea. I received 4
    of the same probes at intervals throughout yesterday - probably linked to
    the fact that I'm running 4 websites off the same machine. Must be scanning
    the .co.za domain namespace.
    The scanning machine's port 21 was open so I grabbed the banner - wuftpd
    2.6. Guest access is closed so the machine was probably a redhat 6.2 box
    default install that got exploited and has now been patched by the attacker.
    This is not the first Korean machine to try Windows exploits on my machine -
    from my previous experiences the rooted machines belong to a Korean ISP.
    Unfortunately no contact has been made with the above ISP.
    Be prepared to see a lot of .co.za defacements in the near future.
    
    Thanks for your contributions everyone.
    Shaun.
    
    -----Original Message-----
    From: Incidents Mailing List [mailto:INCIDENTSat_private]On
    Behalf Of Shaun Dewberry
    Sent: 04 May 2001 04:15
    To: INCIDENTSat_private
    Subject: IIS 5, WIN2K scans?
    
    
    Here we go, the kiddies have come out to play again!
    Below find the infringing party - another sploited box in Korea?...
    I didn't read the vulnerability report properly yesterday, but it looks like
    the new IIS5, Win2k bug.
    Pity I'm not running IIS 5 on Win2000...
    Anybody else get anything similar?
    Time is GMT+02:00 (South Africa Standard Time).
    
    211.63.33.69 - - [04/May/2001:15:13:44 +0200] "GET /NULL.printer HTTP/1.0"
    400 325
    211.63.33.69 - - [04/May/2001:15:41:32 +0200] "GET /NULL.printer HTTP/1.0"
    400 325
    211.63.33.69 - - [04/May/2001:15:52:30 +0200] "GET /NULL.printer HTTP/1.0"
    400 325
    211.63.33.69 - - [04/May/2001:16:09:33 +0200] "GET /NULL.printer HTTP/1.0"
    400 325
    211.63.33.69 - - [04/May/2001:16:10:11 +0200] "GET /NULL.printer HTTP/1.0"
    400 325
    
    [Fri May  4 15:13:44 2001] [error] [client 211.63.33.69] Client sent
    malformed Host header
    [Fri May  4 15:41:32 2001] [error] [client 211.63.33.69] Client sent
    malformed Host header
    [Fri May  4 15:52:30 2001] [error] [client 211.63.33.69] Client sent
    malformed Host header
    [Fri May  4 16:09:33 2001] [error] [client 211.63.33.69] Client sent
    malformed Host header
    [Fri May  4 16:10:11 2001] [error] [client 211.63.33.69] Client sent
    malformed Host header
    
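A defender-side way to pull these probes out of the logs: the following is an added example, not part of Shaun's post, that parses constructed lines modelled on the access- and error-log excerpts above, groups every .printer request by source address, and checks whether each one coincides with the "malformed Host header" error the Apache error log recorded for the same client at the same second.

```python
import re
from datetime import datetime
# Constructed sample lines modelled on the access- and error-log excerpts
# quoted in the post (same source address, request path and timestamps).
ACCESS_LOG = """\
211.63.33.69 - - [04/May/2001:15:13:44 +0200] "GET /NULL.printer HTTP/1.0" 400 325
211.63.33.69 - - [04/May/2001:15:41:32 +0200] "GET /NULL.printer HTTP/1.0" 400 325
10.0.0.5 - - [04/May/2001:15:42:01 +0200] "GET /index.html HTTP/1.0" 200 1043
211.63.33.69 - - [04/May/2001:16:10:11 +0200] "GET /NULL.printer HTTP/1.0" 400 325
"""
ERROR_LOG = """\
[Fri May  4 15:13:44 2001] [error] [client 211.63.33.69] Client sent malformed Host header
[Fri May  4 15:41:32 2001] [error] [client 211.63.33.69] Client sent malformed Host header
[Fri May  4 16:10:11 2001] [error] [client 211.63.33.69] Client sent malformed Host header
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
ERROR_RE = re.compile(r'^\[([^\]]+)\] \[error\] \[client (\S+)\] (.*)$')
PRINTER_RE = re.compile(r'\.printer$', re.IGNORECASE)  # any *.printer request

def parse_access(text):
    """Yield (ip, aware datetime, path, status) per parsable access-log line."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ip, ts, _method, path, status = m.groups()
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, int(status)

def parse_error(text):
    """Yield (ip, naive local datetime, message) per parsable error-log line."""
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            ts, ip, msg = m.groups()
            yield ip, datetime.strptime(ts, "%a %b %d %H:%M:%S %Y"), msg

def printer_probes(access_text, error_text):
    """Group .printer requests by source; count matching Host-header errors."""
    host_errs = {(ip, ts) for ip, ts, msg in parse_error(error_text)
                 if "malformed Host header" in msg}
    report = {}
    for ip, ts, path, _status in parse_access(access_text):
        if not PRINTER_RE.search(path):
            continue
        r = report.setdefault(ip, {"times": [], "host_errors": 0})
        r["times"].append(ts)
        # Error log is local wall-clock time; drop the access log's offset to compare.
        if (ip, ts.replace(tzinfo=None)) in host_errs:
            r["host_errors"] += 1
    return report
```

The probe omits a valid Host header, so a .printer request paired with a "malformed Host header" error from the same client is a stronger signal than either log alone.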



    This archive was generated by hypermail 2b30 : Sat May 05 2001 - 07:23:59 PDT