IIS/FrontPage Script?

From: McCammon, Keith (Keith.McCammonat_private)
Date: Wed Jul 18 2001 - 14:17:41 PDT


    This one's interesting.  Mainly just another stab in the dark looking for
    FrontPage servers, but with curious timestamps leading me to believe that it
    may be a script (albeit a really, really bad one).  Notice the four flurries
    of requests.  Anyone else seen anything like this lately?
    
    Keith
    
    [**] WEB-IIS _vti_inf access [**]
    07/18-13:35:21.655635 199.232.78.34:4556 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:37920 IpLen:20 DgmLen:306 DF
    ***AP*** Seq: 0xBB6A0EE  Ack: 0xBCB32110  Win: 0x2238  TcpLen: 20
    
    [**] WEB-FRONTPAGE _vti_rpc access [**]
    07/18-13:35:22.769098 199.232.78.34:4557 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:28705 IpLen:20 DgmLen:431 DF
    ***AP*** Seq: 0xBB6A107  Ack: 0xBCB83499  Win: 0x2238  TcpLen: 20
    
    [**] WEB-IIS _vti_inf access [**]
    07/18-13:35:27.464209 199.232.78.34:4564 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:53284 IpLen:20 DgmLen:306 DF
    ***AP*** Seq: 0xBB6A18C  Ack: 0xBCCBA182  Win: 0x2238  TcpLen: 20
    
    [**] WEB-FRONTPAGE _vti_rpc access [**]
    07/18-13:35:30.881717 199.232.78.34:4570 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:22310 IpLen:20 DgmLen:431 DF
    ***AP*** Seq: 0xBB6A1F2  Ack: 0xBCD9FA23  Win: 0x2238  TcpLen: 20
    
    [**] WEB-IIS _vti_inf access [**]
    07/18-13:35:31.678639 199.232.78.34:4575 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:54310 IpLen:20 DgmLen:306 DF
    ***AP*** Seq: 0xBB6A21D  Ack: 0xBCDE78B4  Win: 0x2238  TcpLen: 20
    
    [**] WEB-FRONTPAGE _vti_rpc access [**]
    07/18-13:35:32.390827 199.232.78.34:4576 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:59942 IpLen:20 DgmLen:431 DF
    ***AP*** Seq: 0xBB6A226  Ack: 0xBCE20DC6  Win: 0x2238  TcpLen: 20
    
    [**] WEB-IIS _vti_inf access [**]
    07/18-13:35:33.045227 199.232.78.34:4582 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:5159 IpLen:20 DgmLen:306 DF
    ***AP*** Seq: 0xBB6A27B  Ack: 0xBCE61695  Win: 0x2238  TcpLen: 20
    
    [**] WEB-FRONTPAGE _vti_rpc access [**]
    07/18-13:35:33.676804 199.232.78.34:4585 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:23079 IpLen:20 DgmLen:431 DF
    ***AP*** Seq: 0xBB6A2A7  Ack: 0xBCE99869  Win: 0x2238  TcpLen: 20
    
    [**] WEB-IIS _vti_inf access [**]
    07/18-13:35:34.332280 199.232.78.34:4587 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:28199 IpLen:20 DgmLen:306 DF
    ***AP*** Seq: 0xBB6A2BA  Ack: 0xBCED6EBC  Win: 0x2238  TcpLen: 20
    
    [**] WEB-FRONTPAGE _vti_rpc access [**]
    07/18-13:35:35.002091 199.232.78.34:4589 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:34343 IpLen:20 DgmLen:431 DF
    ***AP*** Seq: 0xBB6A2C4  Ack: 0xBCF0AE93  Win: 0x2238  TcpLen: 20
    
    [**] WEB-IIS _vti_inf access [**]
    07/18-13:35:37.263274 199.232.78.34:4602 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:5416 IpLen:20 DgmLen:306 DF
    ***AP*** Seq: 0xBB897E7  Ack: 0xBCFA8811  Win: 0x2238  TcpLen: 20
    
    [**] WEB-FRONTPAGE _vti_rpc access [**]
    07/18-13:35:37.951606 199.232.78.34:4606 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:32040 IpLen:20 DgmLen:431 DF
    ***AP*** Seq: 0xBB8982F  Ack: 0xBCFDFCD9  Win: 0x2238  TcpLen: 20
    
    [**] WEB-MISC http directory traversal [**]
    07/18-13:35:38.759387 199.232.78.34:4612 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:48424 IpLen:20 DgmLen:321 DF
    ***AP*** Seq: 0xBB898E2  Ack: 0xBD027CDF  Win: 0x2238  TcpLen: 20
    
    [**] WEB-IIS _vti_inf access [**]
    07/18-13:57:22.932664 199.232.78.34:1051 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:14161 IpLen:20 DgmLen:306 DF
    ***AP*** Seq: 0xCC0E78D  Ack: 0xD0CAD27F  Win: 0x2238  TcpLen: 20
    
    [**] WEB-FRONTPAGE _vti_rpc access [**]
    07/18-13:57:23.955585 199.232.78.34:1052 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:18513 IpLen:20 DgmLen:431 DF
    ***AP*** Seq: 0xCC0E7B0  Ack: 0xD0CF5152  Win: 0x2238  TcpLen: 20
    
    [**] WEB-IIS _vti_inf access [**]
    07/18-13:57:28.039828 199.232.78.34:1054 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:27217 IpLen:20 DgmLen:306 DF
    ***AP*** Seq: 0xCC0E7E6  Ack: 0xD0E05263  Win: 0x2238  TcpLen: 20
    
    [**] WEB-FRONTPAGE _vti_rpc access [**]
    07/18-13:57:28.717887 199.232.78.34:1055 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:31313 IpLen:20 DgmLen:431 DF
    ***AP*** Seq: 0xCC0E7FF  Ack: 0xD0E3AAEB  Win: 0x2238  TcpLen: 20
    
    [**] WEB-IIS _vti_inf access [**]
    07/18-13:57:29.875670 199.232.78.34:1057 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:36433 IpLen:20 DgmLen:306 DF
    ***AP*** Seq: 0xCC0E841  Ack: 0xD0E9CE62  Win: 0x2238  TcpLen: 20
    
    [**] WEB-FRONTPAGE _vti_rpc access [**]
    07/18-13:57:30.867027 199.232.78.34:1058 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:40785 IpLen:20 DgmLen:431 DF
    ***AP*** Seq: 0xCC0E85F  Ack: 0xD0EE51B6  Win: 0x2238  TcpLen: 20
    
    [**] WEB-IIS _vti_inf access [**]
    07/18-13:57:31.998890 199.232.78.34:1060 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:46161 IpLen:20 DgmLen:306 DF
    ***AP*** Seq: 0xCC0E88C  Ack: 0xD0F39E18  Win: 0x2238  TcpLen: 20
    
    [**] WEB-FRONTPAGE _vti_rpc access [**]
    07/18-13:57:32.950207 199.232.78.34:1061 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:50513 IpLen:20 DgmLen:431 DF
    ***AP*** Seq: 0xCC0E8A9  Ack: 0xD0F7FA63  Win: 0x2238  TcpLen: 20
    
    [**] WEB-IIS _vti_inf access [**]
    07/18-13:57:34.018886 199.232.78.34:1063 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:55377 IpLen:20 DgmLen:306 DF
    ***AP*** Seq: 0xCC0E8B9  Ack: 0xD0FDCA6B  Win: 0x2238  TcpLen: 20
    
    [**] WEB-FRONTPAGE _vti_rpc access [**]
    07/18-13:57:34.953679 199.232.78.34:1064 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:62801 IpLen:20 DgmLen:431 DF
    ***AP*** Seq: 0xCC0E8D2  Ack: 0xD1026246  Win: 0x2238  TcpLen: 20
    
    [**] WEB-IIS _vti_inf access [**]
    07/18-13:57:37.338212 199.232.78.34:1067 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:15186 IpLen:20 DgmLen:306 DF
    ***AP*** Seq: 0xCC0E911  Ack: 0xD10D6F30  Win: 0x2238  TcpLen: 20
    
    [**] WEB-FRONTPAGE _vti_rpc access [**]
    07/18-13:57:38.081198 199.232.78.34:1068 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:18258 IpLen:20 DgmLen:431 DF
    ***AP*** Seq: 0xCC0E925  Ack: 0xD11169A1  Win: 0x2238  TcpLen: 20
    
    [**] WEB-MISC http directory traversal [**]
    07/18-13:57:38.950273 199.232.78.34:1069 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:21842 IpLen:20 DgmLen:321 DF
    ***AP*** Seq: 0xCC0E93D  Ack: 0xD1151F9E  Win: 0x2238  TcpLen: 20
    
    [**] WEB-IIS _vti_inf access [**]
    07/18-14:07:22.258231 199.232.78.34:3921 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:64512 IpLen:20 DgmLen:306 DF
    ***AP*** Seq: 0xD15B87A  Ack: 0xD9FDF246  Win: 0x2238  TcpLen: 20
    
    [**] WEB-FRONTPAGE _vti_rpc access [**]
    07/18-14:07:23.057517 199.232.78.34:3922 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:2561 IpLen:20 DgmLen:431 DF
    ***AP*** Seq: 0xD15B885  Ack: 0xDA01E9C3  Win: 0x2238  TcpLen: 20
    
    [**] WEB-IIS _vti_inf access [**]
    07/18-14:07:25.991360 199.232.78.34:3954 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:25346 IpLen:20 DgmLen:306 DF
    ***AP*** Seq: 0xD15BB0F  Ack: 0xDA0F7B48  Win: 0x2238  TcpLen: 20
    
    [**] WEB-FRONTPAGE _vti_rpc access [**]
    07/18-14:07:26.640348 199.232.78.34:3955 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:29186 IpLen:20 DgmLen:431 DF
    ***AP*** Seq: 0xD15BB2D  Ack: 0xDA12B260  Win: 0x2238  TcpLen: 20
    
    [**] WEB-IIS _vti_inf access [**]
    07/18-14:07:27.288130 199.232.78.34:3957 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:33538 IpLen:20 DgmLen:306 DF
    ***AP*** Seq: 0xD15BB82  Ack: 0xDA1642BB  Win: 0x2238  TcpLen: 20
    
    [**] WEB-FRONTPAGE _vti_rpc access [**]
    07/18-14:07:30.567703 199.232.78.34:3963 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:47874 IpLen:20 DgmLen:431 DF
    ***AP*** Seq: 0xD15BBE1  Ack: 0xDA23BCFD  Win: 0x2238  TcpLen: 20
    
    [**] WEB-IIS _vti_inf access [**]
    07/18-14:07:31.226444 199.232.78.34:3966 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:51970 IpLen:20 DgmLen:306 DF
    ***AP*** Seq: 0xD15BC25  Ack: 0xDA284531  Win: 0x2238  TcpLen: 20
    
    [**] WEB-FRONTPAGE _vti_rpc access [**]
    07/18-14:07:31.865476 199.232.78.34:3972 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:60930 IpLen:20 DgmLen:431 DF
    ***AP*** Seq: 0xD15BC86  Ack: 0xDA2B5AD4  Win: 0x2238  TcpLen: 20
    
    [**] WEB-IIS _vti_inf access [**]
    07/18-14:07:32.509550 199.232.78.34:3981 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:20483 IpLen:20 DgmLen:306 DF
    ***AP*** Seq: 0xD15BD0D  Ack: 0xDA2F0D22  Win: 0x2238  TcpLen: 20
    
    [**] WEB-FRONTPAGE _vti_rpc access [**]
    07/18-14:07:33.174300 199.232.78.34:3993 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:56067 IpLen:20 DgmLen:431 DF
    ***AP*** Seq: 0xD15BDA1  Ack: 0xDA328F43  Win: 0x2238  TcpLen: 20
    
    [**] WEB-IIS _vti_inf access [**]
    07/18-14:07:35.719420 199.232.78.34:4012 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:40964 IpLen:20 DgmLen:306 DF
    ***AP*** Seq: 0xD15BF06  Ack: 0xDA3DF08D  Win: 0x2238  TcpLen: 20
    
    [**] WEB-FRONTPAGE _vti_rpc access [**]
    07/18-14:07:37.116489 199.232.78.34:4014 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:44804 IpLen:20 DgmLen:431 DF
    ***AP*** Seq: 0xD15BF0C  Ack: 0xDA43D902  Win: 0x2238  TcpLen: 20
    
    [**] WEB-MISC http directory traversal [**]
    07/18-14:07:37.782504 199.232.78.34:4015 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:48388 IpLen:20 DgmLen:321 DF
    ***AP*** Seq: 0xD17B316  Ack: 0xDA4719B6  Win: 0x2238  TcpLen: 20
    
    [**] WEB-IIS _vti_inf access [**]
    07/18-14:08:44.140578 199.232.78.34:4174 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:8724 IpLen:20 DgmLen:306 DF
    ***AP*** Seq: 0xD19B1B0  Ack: 0xDB53C7A5  Win: 0x2238  TcpLen: 20
    
    [**] WEB-FRONTPAGE _vti_rpc access [**]
    07/18-14:08:45.439342 199.232.78.34:4184 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:33044 IpLen:20 DgmLen:431 DF
    ***AP*** Seq: 0xD19B293  Ack: 0xDB5F60BC  Win: 0x2238  TcpLen: 20
    
    [**] WEB-IIS _vti_inf access [**]
    07/18-14:08:48.326814 199.232.78.34:4192 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:61204 IpLen:20 DgmLen:306 DF
    ***AP*** Seq: 0xD19B33F  Ack: 0xDB6CB8AF  Win: 0x2238  TcpLen: 20
    
    [**] WEB-FRONTPAGE _vti_rpc access [**]
    07/18-14:08:48.955497 199.232.78.34:4193 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:1045 IpLen:20 DgmLen:431 DF
    ***AP*** Seq: 0xD19B34F  Ack: 0xDB705A0A  Win: 0x2238  TcpLen: 20
    
    [**] WEB-IIS _vti_inf access [**]
    07/18-14:08:49.609472 199.232.78.34:4195 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:5653 IpLen:20 DgmLen:306 DF
    ***AP*** Seq: 0xD19B36D  Ack: 0xDB746A05  Win: 0x2238  TcpLen: 20
    
    [**] WEB-FRONTPAGE _vti_rpc access [**]
    07/18-14:08:50.241856 199.232.78.34:4196 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:9749 IpLen:20 DgmLen:431 DF
    ***AP*** Seq: 0xD19B384  Ack: 0xDB77B67E  Win: 0x2238  TcpLen: 20
    
    [**] WEB-IIS _vti_inf access [**]
    07/18-14:08:50.944019 199.232.78.34:4198 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:15381 IpLen:20 DgmLen:306 DF
    ***AP*** Seq: 0xD19B3A2  Ack: 0xDB7BCE32  Win: 0x2238  TcpLen: 20
    
    [**] WEB-FRONTPAGE _vti_rpc access [**]
    07/18-14:08:51.600754 199.232.78.34:4202 -> X.X.X.71:80
    TCP TTL:111 TOS:0x0 ID:23829 IpLen:20 DgmLen:431 DF
    ***AP*** Seq: 0xD19B3E1  Ack: 0xDB7EDB74  Win: 0x2238  TcpLen: 20
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
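
The flurries pointed out in the post can be checked mechanically. The following is an added example, not part of the original post: it parses alerts in this layout, groups them per source/destination pair into bursts, and reports each burst's signature sequence and median spacing. The sample alerts, the documentation addresses, the 60-second gap and the assumed year are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from statistics import median

# Constructed sample in the alert layout shown in the post (not the post's data).
# 192.0.2.10 and 198.51.100.71 are documentation addresses.
SAMPLE = """\
[**] WEB-IIS _vti_inf access [**]
07/18-13:35:21.500000 192.0.2.10:4556 -> 198.51.100.71:80
[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-13:35:22.500000 192.0.2.10:4557 -> 198.51.100.71:80
[**] WEB-MISC http directory traversal [**]
07/18-13:35:23.000000 192.0.2.10:4560 -> 198.51.100.71:80
[**] WEB-IIS _vti_inf access [**]
07/18-13:57:22.000000 192.0.2.10:1051 -> 198.51.100.71:80
[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-13:57:23.000000 192.0.2.10:1052 -> 198.51.100.71:80
[**] WEB-MISC http directory traversal [**]
07/18-13:57:24.000000 192.0.2.10:1053 -> 198.51.100.71:80
"""

ALERT = re.compile(r"\[\*\*\] (.+?) \[\*\*\]\s*\n\s*"
                   r"(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+):\d+ -> (\S+):\d+")

def parse_alerts(text, year=2001):
    """Return (time, signature, src, dst) tuples; the log has no year, so one is assumed."""
    return [(datetime.strptime(f"{year}/{ts}", "%Y/%m/%d-%H:%M:%S.%f"), sig, src, dst)
            for sig, ts, src, dst in ALERT.findall(text)]

def find_bursts(alerts, gap=timedelta(seconds=60)):
    """Group alerts per (src, dst) pair into bursts separated by more than `gap`."""
    bursts = []
    for a in sorted(alerts, key=lambda a: (a[2], a[3], a[0])):
        last = bursts[-1][-1] if bursts else None
        if last and last[2:] == a[2:] and a[0] - last[0] <= gap:
            bursts[-1].append(a)
        else:
            bursts.append([a])
    return bursts

def summarize(burst):
    """Start time, signature sequence and median spacing (seconds) of one burst."""
    times = [a[0] for a in burst]
    steps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return times[0], tuple(a[1] for a in burst), median(steps) if steps else None

if __name__ == "__main__":
    for burst in find_bursts(parse_alerts(SAMPLE)):
        start, sigs, step = summarize(burst)
        print(burst[0][2], start.time(), len(sigs), "alerts, median gap", step, "s")
```

Bursts from one source that repeat the same signature sequence with similar spacing are consistent with an automated client rather than manual browsing.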
    


