This one's interesting. Mainly just another stab in the dark looking for FrontPage servers, but with curious timestamps leading me to believe that it may be a script (albeit a really, really bad one). Notice the four flurries of requests. Anyone else seen anything like this lately?

Keith

[**] WEB-IIS _vti_inf access [**]
07/18-13:35:21.655635 199.232.78.34:4556 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:37920 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xBB6A0EE Ack: 0xBCB32110 Win: 0x2238 TcpLen: 20
[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-13:35:22.769098 199.232.78.34:4557 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:28705 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xBB6A107 Ack: 0xBCB83499 Win: 0x2238 TcpLen: 20
[**] WEB-IIS _vti_inf access [**]
07/18-13:35:27.464209 199.232.78.34:4564 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:53284 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xBB6A18C Ack: 0xBCCBA182 Win: 0x2238 TcpLen: 20
[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-13:35:30.881717 199.232.78.34:4570 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:22310 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xBB6A1F2 Ack: 0xBCD9FA23 Win: 0x2238 TcpLen: 20
[**] WEB-IIS _vti_inf access [**]
07/18-13:35:31.678639 199.232.78.34:4575 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:54310 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xBB6A21D Ack: 0xBCDE78B4 Win: 0x2238 TcpLen: 20
[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-13:35:32.390827 199.232.78.34:4576 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:59942 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xBB6A226 Ack: 0xBCE20DC6 Win: 0x2238 TcpLen: 20
[**] WEB-IIS _vti_inf access [**]
07/18-13:35:33.045227 199.232.78.34:4582 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:5159 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xBB6A27B Ack: 0xBCE61695 Win: 0x2238 TcpLen: 20
[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-13:35:33.676804 199.232.78.34:4585 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:23079 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xBB6A2A7 Ack: 0xBCE99869 Win: 0x2238 TcpLen: 20
[**] WEB-IIS _vti_inf access [**]
07/18-13:35:34.332280 199.232.78.34:4587 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:28199 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xBB6A2BA Ack: 0xBCED6EBC Win: 0x2238 TcpLen: 20
[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-13:35:35.002091 199.232.78.34:4589 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:34343 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xBB6A2C4 Ack: 0xBCF0AE93 Win: 0x2238 TcpLen: 20
[**] WEB-IIS _vti_inf access [**]
07/18-13:35:37.263274 199.232.78.34:4602 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:5416 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xBB897E7 Ack: 0xBCFA8811 Win: 0x2238 TcpLen: 20
[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-13:35:37.951606 199.232.78.34:4606 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:32040 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xBB8982F Ack: 0xBCFDFCD9 Win: 0x2238 TcpLen: 20
[**] WEB-MISC http directory traversal [**]
07/18-13:35:38.759387 199.232.78.34:4612 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:48424 IpLen:20 DgmLen:321 DF
***AP*** Seq: 0xBB898E2 Ack: 0xBD027CDF Win: 0x2238 TcpLen: 20
[**] WEB-IIS _vti_inf access [**]
07/18-13:57:22.932664 199.232.78.34:1051 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:14161 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xCC0E78D Ack: 0xD0CAD27F Win: 0x2238 TcpLen: 20
[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-13:57:23.955585 199.232.78.34:1052 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:18513 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xCC0E7B0 Ack: 0xD0CF5152 Win: 0x2238 TcpLen: 20
[**] WEB-IIS _vti_inf access [**]
07/18-13:57:28.039828 199.232.78.34:1054 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:27217 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xCC0E7E6 Ack: 0xD0E05263 Win: 0x2238 TcpLen: 20
[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-13:57:28.717887 199.232.78.34:1055 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:31313 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xCC0E7FF Ack: 0xD0E3AAEB Win: 0x2238 TcpLen: 20
[**] WEB-IIS _vti_inf access [**]
07/18-13:57:29.875670 199.232.78.34:1057 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:36433 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xCC0E841 Ack: 0xD0E9CE62 Win: 0x2238 TcpLen: 20
[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-13:57:30.867027 199.232.78.34:1058 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:40785 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xCC0E85F Ack: 0xD0EE51B6 Win: 0x2238 TcpLen: 20
[**] WEB-IIS _vti_inf access [**]
07/18-13:57:31.998890 199.232.78.34:1060 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:46161 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xCC0E88C Ack: 0xD0F39E18 Win: 0x2238 TcpLen: 20
[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-13:57:32.950207 199.232.78.34:1061 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:50513 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xCC0E8A9 Ack: 0xD0F7FA63 Win: 0x2238 TcpLen: 20
[**] WEB-IIS _vti_inf access [**]
07/18-13:57:34.018886 199.232.78.34:1063 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:55377 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xCC0E8B9 Ack: 0xD0FDCA6B Win: 0x2238 TcpLen: 20
[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-13:57:34.953679 199.232.78.34:1064 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:62801 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xCC0E8D2 Ack: 0xD1026246 Win: 0x2238 TcpLen: 20
[**] WEB-IIS _vti_inf access [**]
07/18-13:57:37.338212 199.232.78.34:1067 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:15186 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xCC0E911 Ack: 0xD10D6F30 Win: 0x2238 TcpLen: 20
[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-13:57:38.081198 199.232.78.34:1068 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:18258 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xCC0E925 Ack: 0xD11169A1 Win: 0x2238 TcpLen: 20
[**] WEB-MISC http directory traversal [**]
07/18-13:57:38.950273 199.232.78.34:1069 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:21842 IpLen:20 DgmLen:321 DF
***AP*** Seq: 0xCC0E93D Ack: 0xD1151F9E Win: 0x2238 TcpLen: 20
[**] WEB-IIS _vti_inf access [**]
07/18-14:07:22.258231 199.232.78.34:3921 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:64512 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xD15B87A Ack: 0xD9FDF246 Win: 0x2238 TcpLen: 20
[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-14:07:23.057517 199.232.78.34:3922 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:2561 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xD15B885 Ack: 0xDA01E9C3 Win: 0x2238 TcpLen: 20
[**] WEB-IIS _vti_inf access [**]
07/18-14:07:25.991360 199.232.78.34:3954 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:25346 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xD15BB0F Ack: 0xDA0F7B48 Win: 0x2238 TcpLen: 20
[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-14:07:26.640348 199.232.78.34:3955 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:29186 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xD15BB2D Ack: 0xDA12B260 Win: 0x2238 TcpLen: 20
[**] WEB-IIS _vti_inf access [**]
07/18-14:07:27.288130 199.232.78.34:3957 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:33538 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xD15BB82 Ack: 0xDA1642BB Win: 0x2238 TcpLen: 20
[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-14:07:30.567703 199.232.78.34:3963 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:47874 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xD15BBE1 Ack: 0xDA23BCFD Win: 0x2238 TcpLen: 20
[**] WEB-IIS _vti_inf access [**]
07/18-14:07:31.226444 199.232.78.34:3966 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:51970 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xD15BC25 Ack: 0xDA284531 Win: 0x2238 TcpLen: 20
[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-14:07:31.865476 199.232.78.34:3972 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:60930 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xD15BC86 Ack: 0xDA2B5AD4 Win: 0x2238 TcpLen: 20
[**] WEB-IIS _vti_inf access [**]
07/18-14:07:32.509550 199.232.78.34:3981 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:20483 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xD15BD0D Ack: 0xDA2F0D22 Win: 0x2238 TcpLen: 20
[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-14:07:33.174300 199.232.78.34:3993 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:56067 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xD15BDA1 Ack: 0xDA328F43 Win: 0x2238 TcpLen: 20
[**] WEB-IIS _vti_inf access [**]
07/18-14:07:35.719420 199.232.78.34:4012 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:40964 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xD15BF06 Ack: 0xDA3DF08D Win: 0x2238 TcpLen: 20
[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-14:07:37.116489 199.232.78.34:4014 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:44804 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xD15BF0C Ack: 0xDA43D902 Win: 0x2238 TcpLen: 20
[**] WEB-MISC http directory traversal [**]
07/18-14:07:37.782504 199.232.78.34:4015 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:48388 IpLen:20 DgmLen:321 DF
***AP*** Seq: 0xD17B316 Ack: 0xDA4719B6 Win: 0x2238 TcpLen: 20
[**] WEB-IIS _vti_inf access [**]
07/18-14:08:44.140578 199.232.78.34:4174 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:8724 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xD19B1B0 Ack: 0xDB53C7A5 Win: 0x2238 TcpLen: 20
[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-14:08:45.439342 199.232.78.34:4184 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:33044 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xD19B293 Ack: 0xDB5F60BC Win: 0x2238 TcpLen: 20
[**] WEB-IIS _vti_inf access [**]
07/18-14:08:48.326814 199.232.78.34:4192 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:61204 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xD19B33F Ack: 0xDB6CB8AF Win: 0x2238 TcpLen: 20
[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-14:08:48.955497 199.232.78.34:4193 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:1045 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xD19B34F Ack: 0xDB705A0A Win: 0x2238 TcpLen: 20
[**] WEB-IIS _vti_inf access [**]
07/18-14:08:49.609472 199.232.78.34:4195 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:5653 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xD19B36D Ack: 0xDB746A05 Win: 0x2238 TcpLen: 20
[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-14:08:50.241856 199.232.78.34:4196 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:9749 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xD19B384 Ack: 0xDB77B67E Win: 0x2238 TcpLen: 20
[**] WEB-IIS _vti_inf access [**]
07/18-14:08:50.944019 199.232.78.34:4198 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:15381 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0xD19B3A2 Ack: 0xDB7BCE32 Win: 0x2238 TcpLen: 20
[**] WEB-FRONTPAGE _vti_rpc access [**]
07/18-14:08:51.600754 199.232.78.34:4202 -> X.X.X.71:80
TCP TTL:111 TOS:0x0 ID:23829 IpLen:20 DgmLen:431 DF
***AP*** Seq: 0xD19B3E1 Ack: 0xDB7EDB74 Win: 0x2238 TcpLen: 20

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
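
The flurry pattern pointed out in the message above can be extracted from alert text mechanically. This is an added example, not part of the original post: it parses Snort alerts in this layout (also when they are run together on one line) and splits each source's alerts into bursts wherever the pause exceeds 30 seconds. The sample alerts, the documentation-range addresses, the 30-second gap and the function names are assumptions; the year is a parameter because the alert timestamps carry none.

```python
import re
from datetime import datetime, timedelta

# One alert: "[**] msg [**] MM/DD-HH:MM:SS.ffffff src:port -> dst:port"
ALERT_RE = re.compile(
    r"\[\*\*\]\s*(?P<msg>(?:(?!\[\*\*\]).)+?)\s*\[\*\*\]\s+"
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d{6})\s+"
    r"(?P<src>\S+?):\d+\s+->\s+\S+?:\d+")

def parse_alerts(text, year=2001):
    """Return time-sorted (timestamp, source, signature) tuples."""
    alerts = []
    for m in ALERT_RE.finditer(text):
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        alerts.append((ts, m["src"], m["msg"]))
    return sorted(alerts)

def bursts(alerts, gap=timedelta(seconds=30)):
    """Group each source's alerts into bursts, split where the pause exceeds gap."""
    by_src = {}
    for ts, src, msg in alerts:
        groups = by_src.setdefault(src, [])
        if groups and ts - groups[-1][-1][0] <= gap:
            groups[-1].append((ts, msg))   # still inside the current burst
        else:
            groups.append([(ts, msg)])     # long pause: a new burst starts
    return by_src

def summarize(groups):
    """Per burst: (start, alert count, duration in seconds, signatures in order)."""
    return [(g[0][0], len(g), (g[-1][0] - g[0][0]).total_seconds(),
             [msg for _, msg in g]) for g in groups]

# Constructed sample in the post's alert format, using documentation addresses.
SAMPLE = """\
[**] WEB-IIS _vti_inf access [**] 07/18-13:35:21.655635 192.0.2.10:4556 -> 198.51.100.71:80 TCP TTL:111
[**] WEB-FRONTPAGE _vti_rpc access [**] 07/18-13:35:22.769098 192.0.2.10:4557 -> 198.51.100.71:80 TCP TTL:111
[**] WEB-MISC http directory traversal [**] 07/18-13:35:38.759387 192.0.2.10:4612 -> 198.51.100.71:80 TCP TTL:111
[**] WEB-IIS _vti_inf access [**] 07/18-13:57:22.932664 192.0.2.10:1051 -> 198.51.100.71:80 TCP TTL:111
[**] WEB-FRONTPAGE _vti_rpc access [**] 07/18-13:57:23.955585 192.0.2.10:1052 -> 198.51.100.71:80 TCP TTL:111
"""

if __name__ == "__main__":
    for src, groups in bursts(parse_alerts(SAMPLE)).items():
        for start, count, secs, sigs in summarize(groups):
            print(src, start.time(), count, f"{secs:.1f}s", sigs[-1])
```

Comparing the ordered signature lists of the bursts shows whether each one replays the same request sequence, which is the kind of regularity that suggests a script.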
This archive was generated by hypermail 2b30 : Wed Jul 18 2001 - 20:50:25 PDT