IIS/FrontPage Script?

From: McCammon, Keith (Keith.McCammonat_private)
Date: Wed Jul 18 2001 - 14:17:41 PDT
Next message: Bryan Allerdice: "RE: Packets destined for ports 6970 and 6972"
Previous message: Chip McClure: "Re: Http scanning for cgi based mail-relays."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
This one's interesting.  Mainly just another stab in the dark looking for
FrontPage servers, but with curious timestamps leading me to believe that it
may be a script (albeit a really, really bad one).  Notice the four flurries
of requests.  Anyone else seen anything like this lately?

Keith

[**] WEB-IIS _vti_inf access [**]
07/18-13:35:21.655635 199.232.78.34:4556 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:37920 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xBB6A0EE  Ack: 0xBCB32110  Win: 0x2238  TcpLen: 20

[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-13:35:22.769098 199.232.78.34:4557 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:28705 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xBB6A107  Ack: 0xBCB83499  Win: 0x2238  TcpLen: 20

[**] WEB-IIS _vti_inf access [**]
07/18-13:35:27.464209 199.232.78.34:4564 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:53284 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xBB6A18C  Ack: 0xBCCBA182  Win: 0x2238  TcpLen: 20

[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-13:35:30.881717 199.232.78.34:4570 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:22310 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xBB6A1F2  Ack: 0xBCD9FA23  Win: 0x2238  TcpLen: 20

[**] WEB-IIS _vti_inf access [**]
07/18-13:35:31.678639 199.232.78.34:4575 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:54310 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xBB6A21D  Ack: 0xBCDE78B4  Win: 0x2238  TcpLen: 20

[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-13:35:32.390827 199.232.78.34:4576 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:59942 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xBB6A226  Ack: 0xBCE20DC6  Win: 0x2238  TcpLen: 20

[**] WEB-IIS _vti_inf access [**]
07/18-13:35:33.045227 199.232.78.34:4582 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:5159 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xBB6A27B  Ack: 0xBCE61695  Win: 0x2238  TcpLen: 20

[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-13:35:33.676804 199.232.78.34:4585 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:23079 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xBB6A2A7  Ack: 0xBCE99869  Win: 0x2238  TcpLen: 20

[**] WEB-IIS _vti_inf access [**]
07/18-13:35:34.332280 199.232.78.34:4587 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:28199 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xBB6A2BA  Ack: 0xBCED6EBC  Win: 0x2238  TcpLen: 20

[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-13:35:35.002091 199.232.78.34:4589 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:34343 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xBB6A2C4  Ack: 0xBCF0AE93  Win: 0x2238  TcpLen: 20

[**] WEB-IIS _vti_inf access [**]
07/18-13:35:37.263274 199.232.78.34:4602 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:5416 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xBB897E7  Ack: 0xBCFA8811  Win: 0x2238  TcpLen: 20

[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-13:35:37.951606 199.232.78.34:4606 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:32040 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xBB8982F  Ack: 0xBCFDFCD9  Win: 0x2238  TcpLen: 20

[**] WEB-MISC http directory traversal [**]
07/18-13:35:38.759387 199.232.78.34:4612 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:48424 IpLen:20 DgmLen:321 DF
***AP*** Seq: 0xBB898E2  Ack: 0xBD027CDF  Win: 0x2238  TcpLen: 20

[**] WEB-IIS _vti_inf access [**]
07/18-13:57:22.932664 199.232.78.34:1051 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:14161 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xCC0E78D  Ack: 0xD0CAD27F  Win: 0x2238  TcpLen: 20

[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-13:57:23.955585 199.232.78.34:1052 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:18513 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xCC0E7B0  Ack: 0xD0CF5152  Win: 0x2238  TcpLen: 20

[**] WEB-IIS _vti_inf access [**]
07/18-13:57:28.039828 199.232.78.34:1054 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:27217 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xCC0E7E6  Ack: 0xD0E05263  Win: 0x2238  TcpLen: 20

[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-13:57:28.717887 199.232.78.34:1055 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:31313 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xCC0E7FF  Ack: 0xD0E3AAEB  Win: 0x2238  TcpLen: 20

[**] WEB-IIS _vti_inf access [**]
07/18-13:57:29.875670 199.232.78.34:1057 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:36433 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xCC0E841  Ack: 0xD0E9CE62  Win: 0x2238  TcpLen: 20

[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-13:57:30.867027 199.232.78.34:1058 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:40785 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xCC0E85F  Ack: 0xD0EE51B6  Win: 0x2238  TcpLen: 20

[**] WEB-IIS _vti_inf access [**]
07/18-13:57:31.998890 199.232.78.34:1060 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:46161 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xCC0E88C  Ack: 0xD0F39E18  Win: 0x2238  TcpLen: 20

[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-13:57:32.950207 199.232.78.34:1061 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:50513 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xCC0E8A9  Ack: 0xD0F7FA63  Win: 0x2238  TcpLen: 20

[**] WEB-IIS _vti_inf access [**]
07/18-13:57:34.018886 199.232.78.34:1063 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:55377 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xCC0E8B9  Ack: 0xD0FDCA6B  Win: 0x2238  TcpLen: 20

[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-13:57:34.953679 199.232.78.34:1064 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:62801 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xCC0E8D2  Ack: 0xD1026246  Win: 0x2238  TcpLen: 20

[**] WEB-IIS _vti_inf access [**]
07/18-13:57:37.338212 199.232.78.34:1067 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:15186 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xCC0E911  Ack: 0xD10D6F30  Win: 0x2238  TcpLen: 20

[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-13:57:38.081198 199.232.78.34:1068 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:18258 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xCC0E925  Ack: 0xD11169A1  Win: 0x2238  TcpLen: 20

[**] WEB-MISC http directory traversal [**]
07/18-13:57:38.950273 199.232.78.34:1069 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:21842 IpLen:20 DgmLen:321 DF
***AP*** Seq: 0xCC0E93D  Ack: 0xD1151F9E  Win: 0x2238  TcpLen: 20

[**] WEB-IIS _vti_inf access [**]
07/18-14:07:22.258231 199.232.78.34:3921 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:64512 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xD15B87A  Ack: 0xD9FDF246  Win: 0x2238  TcpLen: 20

[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-14:07:23.057517 199.232.78.34:3922 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:2561 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xD15B885  Ack: 0xDA01E9C3  Win: 0x2238  TcpLen: 20

[**] WEB-IIS _vti_inf access [**]
07/18-14:07:25.991360 199.232.78.34:3954 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:25346 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xD15BB0F  Ack: 0xDA0F7B48  Win: 0x2238  TcpLen: 20

[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-14:07:26.640348 199.232.78.34:3955 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:29186 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xD15BB2D  Ack: 0xDA12B260  Win: 0x2238  TcpLen: 20

[**] WEB-IIS _vti_inf access [**]
07/18-14:07:27.288130 199.232.78.34:3957 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:33538 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xD15BB82  Ack: 0xDA1642BB  Win: 0x2238  TcpLen: 20

[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-14:07:30.567703 199.232.78.34:3963 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:47874 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xD15BBE1  Ack: 0xDA23BCFD  Win: 0x2238  TcpLen: 20

[**] WEB-IIS _vti_inf access [**]
07/18-14:07:31.226444 199.232.78.34:3966 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:51970 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xD15BC25  Ack: 0xDA284531  Win: 0x2238  TcpLen: 20

[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-14:07:31.865476 199.232.78.34:3972 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:60930 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xD15BC86  Ack: 0xDA2B5AD4  Win: 0x2238  TcpLen: 20

[**] WEB-IIS _vti_inf access [**]
07/18-14:07:32.509550 199.232.78.34:3981 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:20483 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xD15BD0D  Ack: 0xDA2F0D22  Win: 0x2238  TcpLen: 20

[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-14:07:33.174300 199.232.78.34:3993 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:56067 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xD15BDA1  Ack: 0xDA328F43  Win: 0x2238  TcpLen: 20

[**] WEB-IIS _vti_inf access [**]
07/18-14:07:35.719420 199.232.78.34:4012 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:40964 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xD15BF06  Ack: 0xDA3DF08D  Win: 0x2238  TcpLen: 20

[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-14:07:37.116489 199.232.78.34:4014 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:44804 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xD15BF0C  Ack: 0xDA43D902  Win: 0x2238  TcpLen: 20

[**] WEB-MISC http directory traversal [**]
07/18-14:07:37.782504 199.232.78.34:4015 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:48388 IpLen:20 DgmLen:321 DF
***AP*** Seq: 0xD17B316  Ack: 0xDA4719B6  Win: 0x2238  TcpLen: 20

[**] WEB-IIS _vti_inf access [**]
07/18-14:08:44.140578 199.232.78.34:4174 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:8724 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xD19B1B0  Ack: 0xDB53C7A5  Win: 0x2238  TcpLen: 20

[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-14:08:45.439342 199.232.78.34:4184 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:33044 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xD19B293  Ack: 0xDB5F60BC  Win: 0x2238  TcpLen: 20

[**] WEB-IIS _vti_inf access [**]
07/18-14:08:48.326814 199.232.78.34:4192 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:61204 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xD19B33F  Ack: 0xDB6CB8AF  Win: 0x2238  TcpLen: 20

[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-14:08:48.955497 199.232.78.34:4193 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:1045 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xD19B34F  Ack: 0xDB705A0A  Win: 0x2238  TcpLen: 20

[**] WEB-IIS _vti_inf access [**]
07/18-14:08:49.609472 199.232.78.34:4195 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:5653 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xD19B36D  Ack: 0xDB746A05  Win: 0x2238  TcpLen: 20

[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-14:08:50.241856 199.232.78.34:4196 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:9749 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xD19B384  Ack: 0xDB77B67E  Win: 0x2238  TcpLen: 20

[**] WEB-IIS _vti_inf access [**]
07/18-14:08:50.944019 199.232.78.34:4198 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:15381 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xD19B3A2  Ack: 0xDB7BCE32  Win: 0x2238  TcpLen: 20

[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-14:08:51.600754 199.232.78.34:4202 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:23829 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xD19B3E1  Ack: 0xDB7EDB74  Win: 0x2238  TcpLen: 20


----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com
Next message: Bryan Allerdice: "RE: Packets destined for ports 6970 and 6972"
Previous message: Chip McClure: "Re: Http scanning for cgi based mail-relays."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
This archive was generated by hypermail 2b30 : Wed Jul 18 2001 - 20:50:25 PDT