Re: Attempted unicode scans. on network

From: gattacaat_private
Date: Thu Jun 28 2001 - 21:58:42 PDT

Next message: HyunWoo Lee: "Re: Printer exploit?"

Previous message: W Shawn Falconbury: "RE: ICMP Help"
Maybe in reply to: Jason Robertson: "Attempted unicode scans. on network"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Jason,

I've seen this address (202.96.119.134 CHINANET Zhejiang province network) 
and many like it.The machines on my WAN get swept 100's of times per day. 
Not too long ago someone on this list was good enough to break out the address 
blocks for my ACL's. I apologize for not giving that person credit as their 
name escapes me at the moment. If you are interested I can send this to 
you if it would help.

cheers,
gattaca

----------------------
liquidmatrix.Org
----------------------

<orig>
Okay though, you have probably seen this 200 or 300 times over.  Though 
I 
just wanted to add this for anyone who is keeping a database of incidents.

On Jun 26, 2001 we received the following vulnerability scan, on our servers,
 
which lasted approximately 22 minutes, and attempted to connect to every 
server we have.

Though I would like to know if anyone else was hit by this person?

Jason

TRACE

[**] WEB-MISC http directory traversal [**]
Jun 26,01 02:54:48am	202.96.119.134:38331 -> x.x.x.x:80
TTL: 234	TOS: 0x0	ID:60075
***AP*** Seq: 1161185518 Ack: 1704311082 Win: 8760

474554202F736372697074732F2E2E25632E2E2F	GET./scripts/..%c../
77696E6E742F73797374656D33322F636D642E65	winnt/system32/cmd.e
78653F2F632B64697220485454502F312E300D0A	xe?/c+dir.HTTP/1.0..
0D0A                                    	....................

[snip]

[**] WEB-FRONTPAGE fourdots request [**]
Jun 26,01 02:58:08am	202.96.119.134:54761 -> x.x.x.x:80
TTL: 234	TOS: 0x0	ID:44929
***AP*** Seq: 794224914 Ack: 2261806000 Win: 8760

474554202F6D736164632F2E2E2565302E2E2F2E	GET./msadc/..%e0../.
2E662E2E2E2E2F2E2E3025382E2E2F77696E6E74	.f..../..0%8../winnt
2F73797374656D33322F636D642E6578653F2F63	/system32/cmd.exe?/c
2B64697220485454502F312E300D0A0D0A      	+dir.HTTP/1.0.......

[snip]



---
Jason Robertson                
Network Analyst            
jasonat_private    
http://www.astroadvice.com      
</orig>
Free, encrypted, secure Web-based email at www.hushmail.com



----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com

Next message: HyunWoo Lee: "Re: Printer exploit?"
Previous message: W Shawn Falconbury: "RE: ICMP Help"
Maybe in reply to: Jason Robertson: "Attempted unicode scans. on network"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Jun 29 2001 - 08:32:43 PDT