Greetings,

I just got scanned from 211.100.7.29 on port 80. Snort picked up the scan and alerted me. Check out the request:

54 20 68 74 74 70 3A 2F 2F 61 73 69 61 31 2E 76  T http://asia1.v
72 39 2E 63 6F 6D 2F 63 67 69 2D 62 69 6E 2F 76  r9.com/cgi-bin/v
65 72 2E 63 67 69 3F 66 69 6C 65 3D 2E 2E 2F 73  er.cgi?file=../s
65 61 72 63 68 2E 68 74 6D 26 70 6F 72 74 3D 38  earch.htm&port=8
30 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74  0 HTTP/1.1..Host
3A 20 61 73 69 61 31 2E 76 72 39 2E 63 6F 6D 0D  : asia1.vr9.com.
0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 50 72  .Accept: */*..Pr
61 67 6D 61 3A 20 6E 6F 2D 63 61 63 68 65 0D 0A  agma: no-cache..
55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69  User-Agent: Mozi
6C 6C 61 2F 35 2E 30 20 28 63 6F 6D 70 61 74 69  lla/5.0 (compati
62 6C 65 3B 20 4D 53 49 45 20 35 2E 30 31 3B 20  ble; MSIE 5.01;
57 69 6E 32 30 30 30 29 0D 0A 0D 0A 6F 6E        Win2000)....on

Looks like a scan for proxy. Upon visiting that site

http://asia1.vr9.com/cgi-bin/ver.cgi?file=../search.htm&port=80

I see the following:

REMOTE_ADDR = my.ip.addr

Looks like he/she has a script running on the other end waiting for connections and storing the IPs... Interesting. I wonder if there will be a follow-up visit to me, because I did that...

-Gary-

Gary Portnoy
Network Administrator
gportnoyat_private

PGP Fingerprint: 9D69 6A39 642D 78FD 207C 307D B37D E01A 2E89 9D2C
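An added example, not part of the original post: a small Python check that rebuilds the payload from a hex dump laid out like the one above and reports when a request asks the web server to fetch a host it does not serve, which is the open-proxy probe pattern described in the message. `LOCAL_HOSTS` and both function names are assumptions made for the illustration; the sample rows are the first six rows of the dump in the post.

```python
import string
from urllib.parse import urlsplit

# Assumption: the hostnames this web server legitimately serves.
LOCAL_HOSTS = {"www.example.org", "example.org"}

# First six rows of the dump quoted in the post (hex columns, then ASCII column).
SAMPLE = """\
54 20 68 74 74 70 3A 2F 2F 61 73 69 61 31 2E 76  T http://asia1.v
72 39 2E 63 6F 6D 2F 63 67 69 2D 62 69 6E 2F 76  r9.com/cgi-bin/v
65 72 2E 63 67 69 3F 66 69 6C 65 3D 2E 2E 2F 73  er.cgi?file=../s
65 61 72 63 68 2E 68 74 6D 26 70 6F 72 74 3D 38  earch.htm&port=8
30 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74  0 HTTP/1.1..Host
3A 20 61 73 69 61 31 2E 76 72 39 2E 63 6F 6D 0D  : asia1.vr9.com.
"""

def payload_from_hexdump(dump):
    """Rebuild payload bytes from rows of hex byte columns plus an ASCII column."""
    out = bytearray()
    for row in dump.splitlines():
        for tok in row.split()[:16]:
            # Hex columns come first; the first non-byte token starts the ASCII column.
            if len(tok) != 2 or any(c not in string.hexdigits for c in tok):
                break
            out.append(int(tok, 16))
    return bytes(out)

def proxy_probe(payload, local_hosts=LOCAL_HOSTS):
    """Return the foreign host the request tries to reach through us, else None."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split()
    # A capture can start mid-method ("T http://..."), so take the target as the
    # token just before the HTTP version instead of trusting the first token.
    if len(parts) < 3 or not parts[-1].startswith("HTTP/"):
        return None
    target, host = parts[-2], None
    if target.lower().startswith(("http://", "https://")):
        host = urlsplit(target).hostname  # absolute-form request target
    else:
        for header in lines[1:]:
            name, _, value = header.partition(":")
            if name.strip().lower() == "host":
                host = value.strip().split(":")[0].lower()
    return host if host and host not in local_hosts else None

if __name__ == "__main__":
    print(proxy_probe(payload_from_hexdump(SAMPLE)))
```

The check does not cover `CONNECT` requests, whose target is a bare `host:port`.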
This archive was generated by hypermail 2b30 : Tue Jun 05 2001 - 15:09:16 PDT