The logical assumption would be that they wouldn't visit you again in the near future. If I were them I would do the scan, and log those who look to find out information on the scan and how quickly. If they looked I would know that they were reviewing the logs and following up. More importantly, if I was hit shortly after the scan I would know the target actively checks their logs. If I wanted to reduce the likelihood of getting caught or investigated I'd move to someplace that wasn't paying attention.

Just my .02

Ed Spencer MCSE/MCT/CNA/A+/Network+
Security Analyst - IS Security
Renaissance Worldwide, Inc. - Walt Disney World

This communication is confidential, intended only for the named recipient(s) above and may contain trade secrets or other information that is exempt from disclosure under applicable law. Any use, dissemination, distribution or copying of this communication by anyone other than the named recipient(s) is strictly prohibited. If you have received this communication in error, please immediately notify us by calling (407) 566-5195. The ideas, opinions, and information expressed within the above email are the express sole opinion of the author and are not the opinion of the Walt Disney World Corporation. Thank you.

-----Original Message-----
From: Portnoy, Gary [mailto:gportnoyat_private]
Sent: Tuesday, June 05, 2001 3:48 PM
To: 'intrusionat_private'; 'incidentsat_private'
Subject: Proxy scan

Greetings,

I just got scanned from 211.100.7.29 on port 80. Snort picked up the scan and alerted me. Check out the request:

    54 20 68 74 74 70 3A 2F 2F 61 73 69 61 31 2E 76  T http://asia1.v
    72 39 2E 63 6F 6D 2F 63 67 69 2D 62 69 6E 2F 76  r9.com/cgi-bin/v
    65 72 2E 63 67 69 3F 66 69 6C 65 3D 2E 2E 2F 73  er.cgi?file=../s
    65 61 72 63 68 2E 68 74 6D 26 70 6F 72 74 3D 38  earch.htm&port=8
    30 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74  0 HTTP/1.1..Host
    3A 20 61 73 69 61 31 2E 76 72 39 2E 63 6F 6D 0D  : asia1.vr9.com.
    0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 50 72  .Accept: */*..Pr
    61 67 6D 61 3A 20 6E 6F 2D 63 61 63 68 65 0D 0A  agma: no-cache..
    55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69  User-Agent: Mozi
    6C 6C 61 2F 35 2E 30 20 28 63 6F 6D 70 61 74 69  lla/5.0 (compati
    62 6C 65 3B 20 4D 53 49 45 20 35 2E 30 31 3B 20  ble; MSIE 5.01;
    57 69 6E 32 30 30 30 29 0D 0A 0D 0A 6F 6E        Win2000)....on

Looks like a scan for proxy. Upon visiting that site http://asia1.vr9.com/cgi-bin/ver.cgi?file=../search.htm&port=80 I see the following:

    REMOTE_ADDR = my.ip.addr

Looks like he/she has a script running on the other end waiting for connections and storing the IP's... Interesting. I wonder if there will be a follow up visit to me, because I did that...

-Gary-

Gary Portnoy
Network Administrator
gportnoyat_private
PGP Fingerprint: 9D69 6A39 642D 78FD 207C 307D B37D E01A 2E89 9D2C
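The request Gary posted is recognisable as a proxy probe by its shape: the request line carries a full http:// URL naming a third-party host, so the client is asking the server to fetch something on its behalf rather than serving its own content. The following is an added example, not code from the thread or from Snort: it transcribes the hex dump above into bytes, parses the request line and headers, and flags the request when the absolute URL's host is not one the local server answers for. The LOCAL_HOSTS set, the example.com names and the benign request are constructed placeholders.

```python
"""Parse a captured HTTP payload and flag open-proxy probe requests."""
from urllib.parse import urlsplit

# Hex octets of the payload as posted (ASCII column dropped). The capture
# starts mid-method: the request line reads "T http://", so the first two
# bytes of the method were not in the dump.
CAPTURED_HEX = """
54 20 68 74 74 70 3A 2F 2F 61 73 69 61 31 2E 76
72 39 2E 63 6F 6D 2F 63 67 69 2D 62 69 6E 2F 76
65 72 2E 63 67 69 3F 66 69 6C 65 3D 2E 2E 2F 73
65 61 72 63 68 2E 68 74 6D 26 70 6F 72 74 3D 38
30 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74
3A 20 61 73 69 61 31 2E 76 72 39 2E 63 6F 6D 0D
0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 50 72
61 67 6D 61 3A 20 6E 6F 2D 63 61 63 68 65 0D 0A
55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69
6C 6C 61 2F 35 2E 30 20 28 63 6F 6D 70 61 74 69
62 6C 65 3B 20 4D 53 49 45 20 35 2E 30 31 3B 20
57 69 6E 32 30 30 30 29 0D 0A 0D 0A 6F 6E
"""

# Hostnames this web server legitimately answers for (constructed placeholder).
LOCAL_HOSTS = {"www.example.com", "example.com"}


def hexdump_to_bytes(dump):
    """Convert whitespace-separated hex octets into the raw payload bytes."""
    return bytes(int(tok, 16) for tok in dump.split())


def parse_request(payload):
    """Split a raw HTTP/1.x request into method, target, version and headers.

    Anything after the blank line is returned untouched as 'trailing'; in the
    posted capture that is the stray "on" bytes at the end of the dump.
    """
    head, _, trailing = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "target": parts[1], "version": parts[2],
            "headers": headers, "trailing": trailing}


def is_proxy_probe(req, local_hosts):
    """True when the request line names a full URL on a host we do not serve.

    An origin-form target such as "/index.html" is a normal request to us; an
    absolute URL for one of our own hostnames is also legitimate (HTTP/1.1
    clients may send it), so only a foreign host counts as a proxy probe.
    """
    url = urlsplit(req["target"])
    if url.scheme not in ("http", "https") or not url.hostname:
        return False
    return url.hostname.lower() not in local_hosts


def analyze(payload, local_hosts=LOCAL_HOSTS):
    """Summarise one captured request for an alert or log line."""
    req = parse_request(payload)
    url = urlsplit(req["target"])
    return {"method": req["method"],
            "target_host": url.hostname,
            "host_header": req["headers"].get("host"),
            "proxy_probe": is_proxy_probe(req, local_hosts)}


if __name__ == "__main__":
    print(analyze(hexdump_to_bytes(CAPTURED_HEX)))
    print(analyze(b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"))
```

Run stand-alone, the script reports the captured request as a proxy probe aimed at asia1.vr9.com and the constructed origin-form request as clean. The same check can be dropped into a log-parsing loop over web server access logs, since most servers record the request line verbatim.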
This archive was generated by hypermail 2b30 : Wed Jun 06 2001 - 11:44:33 PDT