Re: Question

From: jnf (sinat_private)
Date: Tue Sep 04 2001 - 08:49:28 PDT

    I didn't read your whole post, but looking through the little I did, yes, that
    looks like a scanner. It looks like they were actually focused on one OS. No,
    you probably don't have anything much to worry about; every one I saw was a 404
    error, and if they got in, they prolly would've cleaned the logs. Keep an eye out
    for anything strange, in case it wasn't just a random scan, and check to make sure
    none of those files exist. But overall you're probably safe, and yes, that was a
    scanner: look @ the time stamps. Within seconds, this person left a huge
    footprint. You probably have nothing to worry about; just go check and make sure
    you have no known vulnerabilities, and make sure none of those files exist. You
    prolly even want to look at wherever people with MS products look for
    security bulletins and see if there's anything new. But this is just IMHO.
    
    
    // jnf
    
    
    Quoting "Hill, James" <jhillat_private>:
    
    > I have been getting this on the two web servers I run internally (Apache
    > using Jakarta). After a long weekend I came in and started reading my logs,
    > and noticed this on both the web servers, almost identical information on
    > them. My question is: is this a tool (script) doing this, and is it
    > something that is doing mass scans?
    > 
    > JH
    > 
    > --->LOG
    > 2001-09-03 11:11:07 - Ctx(  ): 404 R(  + /C:/temp/\../ + null) null
    > 2001-09-03 11:11:07 - Ctx(  ): 404 R(  + /usr/bin/FlagShip_c + null)
    > null
    > 2001-09-03 11:11:07 - Ctx(  ): 404 R(  + /cgi-bin/bb-rep.sh + null)
    > null
    > 2001-09-03 11:11:07 - Ctx(  ): 404 R(  +
    > /Sites/Knowledge/Membership/Inspiredtut
    > orial/ViewCode.asp + null) null
    > 2001-09-03 11:11:07 - Ctx(  ): 404 R(  +
    > /WCB/databases/instructors.passwd +
    > nul
    > l) null
    > 2001-09-03 11:11:07 - Ctx(  ): 404 R(  + /perl/files.pl + null) null
    > 2001-09-03 11:11:07 - Ctx(  ): 404 R(  + /usr/bin/FSserial + null)
    > null
    > 2001-09-03 11:11:07 - Ctx(  ): 404 R(  +
    > /Sites/Knowledge/Membership/Inspired/Vi
    > ewCode.asp + null) null
    > 2001-09-03 11:11:07 - Ctx(  ): 404 R(  + /_vti_pvt/users.pwd + null)
    > null
    > 2001-09-03 11:11:07 - Ctx(  ): 404 R(  + SnapStream + null) null
    > 2001-09-03 11:11:08 - Ctx(  ): 404 R(  + /usr/bin/FSserial + null)
    > null
    > 2001-09-03 11:11:08 - Ctx(  ): 404 R(  + /..?»../..?»../cmd1.exe +
    > null)
    > null
    > 2001-09-03 11:11:08 - Ctx(  ): 404 R(  +
    > /Sites/Knowledge/Membership/Inspired/Vi
    > ewCode.asp + null) null
    > 2001-09-03 11:11:08 - Ctx(  ): 404 R(  + /..\..\..\..\..\autoexec.bat
    > +
    > null) nu
    > ll
    > 2001-09-03 11:11:08 - Ctx(  ): 404 R(  +
    > /cgi-bin/replicator/webpage.cgi/ +
    > null
    > ) null
    > 2001-09-03 11:11:08 - Ctx(  ): 404 R(  + /scripts/tradecli.dll + null)
    > null
    > 2001-09-03 11:11:08 - Ctx(  ): 404 R(  + /cgi-bin/cart.pl + null) null
    > 2001-09-03 11:11:08 - Ctx(  ): 404 R(  + /cgi-bin/cartmanager.cgi +
    > null)
    > null
    > 2001-09-03 11:11:08 - Ctx(  ): 404 R(  +
    > /cfdocs/exampleapp/publish/admin/addcon
    > tent.cfm + null) null
    > 2001-09-03 11:11:08 - Ctx(  ): 404 R(  + /cgi-bin/websync.exe + null)
    > null
    > 2001-09-03 11:11:08 - Ctx(  ): 404 R(  +
    > /cgi-bin/ezshopper3/loadpage.cgi +
    > null
    > ) null
    > 2001-09-03 11:11:08 - Ctx(  ): 404 R(  + /cgi-bin/cvsweb.cgi + null)
    > null
    > 2001-09-03 11:11:08 - Ctx(  ): 404 R(  +
    > /interscan/cgi-bin/HttpSaveCSP.dll
    > + nu
    > ll) null
    > 2001-09-03 11:11:08 - Ctx(  ): 404 R(  +
    > /cgi-bin/..%5c..%5c/..%5c..%5c/winnt/sy
    > stem32/cmd.exe + null) null
    > 2001-09-03 11:11:08 - Ctx(  ): 404 R(  + /cgi-bin/cvsweb.cgi + null)
    > null
    > 2001-09-03 11:11:08 - Ctx(  ): 404 R(  + /cgi-bin/bb-rep.sh + null)
    > null
    > 2001-09-03 11:11:08 - Ctx(  ): 404 R(  + /..?»../..?»../cmd.exe + null)
    > null
    > 2001-09-03 11:11:09 - Ctx(  ): 404 R(  +
    > /interscan/cgi-bin/HttpSaveCSP.dll
    > + nu
    > ll) null
    > 2001-09-03 11:11:09 - Ctx(  ): 404 R(  + /4DBin/_/C:/winnt/repair/sam._
    > +
    > null)
    > null
    > 2001-09-03 11:11:09 - Ctx(  ): 404 R(  +
    > /cgi-bin/..%5c..%5c/..%5c..%5c/winnt/sy
    > stem32/cmd.exe + null) null
    > 2001-09-03 11:11:09 - Ctx(  ): 404 R(  + /..\..\..\..\..\autoexec.bat
    > +
    > null) nu
    > ll
    > 2001-09-03 11:11:09 - Ctx(  ): 404 R(  + /cgi-bin/bb-hostsvc.sh + null)
    > null
    > 2001-09-03 11:11:09 - Ctx(  ): 404 R(  + /..?»../..?»../cmd.exe + null)
    > null
    > 2001-09-03 11:11:09 - Ctx(  ): 404 R(  +
    > /iisadmpwd/..%5c..%5c/..%5c..%5c/winnt/
    > system32/cmd.exe + null) null
    > 2001-09-03 11:11:09 - Ctx(  ): 404 R(  + /..\..\..\boot.ini + null)
    > null
    > 2001-09-03 11:11:09 - Ctx(  ): 404 R(  + /cgi-bin/bb-hostsvc.sh + null)
    > null
    > 2001-09-03 11:11:09 - Ctx(  ): 404 R(  + /iisadmpwd/sensepost.exe +
    > null)
    > null
    > 2001-09-03 11:11:09 - Ctx(  ): 404 R(  + /cgi-bin/webspirs.cgi + null)
    > null
    > 2001-09-03 11:11:09 - Ctx(  ): 404 R(  + /cgi-bin/a1stats/a1disp2.cgi
    > +
    > null) nu
    > ll
    > 2001-09-03 11:11:09 - Ctx(  ): 404 R(  +
    > /iisadmpwd/..%5c..%5c/..%5c..%5c/winnt/
    > system32/cmd.exe + null) null
    > 2001-09-03 11:11:09 - Ctx(  ): 404 R(  + /..\..\..\boot.ini + null)
    > null
    > 2001-09-03 11:11:09 - Ctx(  ): 404 R(  + /cgi-bin/bb-histlog.sh + null)
    > null
    > 2001-09-03 11:11:09 - Ctx(  ): 404 R(  + /cgi-bin/webspirs.cgi + null)
    > null
    > 2001-09-03 11:11:09 - Ctx(  ): 404 R(  + /cgi-bin/a1stats/a1disp4.cgi
    > +
    > null) nu
    > ll
    > 2001-09-03 11:11:09 - Ctx(  ): 404 R(  +
    > /_vti_bin/..%5c..%5c/..%5c..%5c/winnt/s
    > ystem32/cmd.exe + null) null
    > 2001-09-03 11:11:09 - Ctx(  ): 404 R(  + /../../../boot.ini + null)
    > null
    > 2001-09-03 11:11:10 - Ctx(  ): 404 R(  + /cgi-bin/bb-histlog.sh + null)
    > null
    > 2001-09-03 11:11:10 - Ctx(  ): 404 R(  + /scripts/passwd.txt .pl +
    > null)
    > null
    > 2001-09-03 11:11:10 - Ctx(  ): 404 R(  + /cgi-bin/lister + null) null
    > 2001-09-03 11:11:10 - Ctx(  ): 404 R(  + /doc/packages/ + null) null
    > 2001-09-03 11:11:10 - Ctx(  ): 404 R(  + /cgi-bin/a1stats/a1disp4.cgi
    > +
    > null) nu
    > ll
    > 2001-09-03 11:11:10 - Ctx(  ): 404 R(  + /iisadmpwd/sensepost.exe +
    > null)
    > null
    > 2001-09-03 11:11:10 - Ctx(  ): 404 R(  + /cgi-bin/bb-hist.sh + null)
    > null
    > 2001-09-03 11:11:10 - Ctx(  ): 404 R(  + /cgi-bin/a1stats/a1disp3.cgi
    > +
    > null) nu
    > ll
    > 2001-09-03 11:11:10 - Ctx(  ): 404 R(  + /iisadmpwd/cmd1.exe + null)
    > null
    > 2001-09-03 11:11:10 - Ctx(  ): 404 R(  + /cgi-bin/bb-hist.sh + null)
    > null
    > 2001-09-03 11:11:11 - Ctx(  ): 404 R(  +
    > /_vti_bin/..%5c..%5c/..%5c..%5c/winnt/s
    > ystem32/cmd.exe + null) null
    > 2001-09-03 11:11:11 - Ctx(  ): 404 R(  + /../../../boot.ini + null)
    > null
    > 2001-09-03 11:11:11 - Ctx(  ): 404 R(  + /cgi-bin/a1stats/a1disp3.cgi
    > +
    > null) nu
    > ll
    > 2001-09-03 11:11:11 - Ctx(  ): 404 R(  + /iisadmpwd/cmd1.exe + null)
    > null
    > 2001-09-03 11:11:11 - Ctx(  ): 404 R(  +
    > /msadc/..%5c..%5c/..%5c..%5c/winnt/syst
    > em32/cmd.exe + null) null
    > 2001-09-03 11:11:12 - ContextManager: SocketException reading request,
    > ignored -
    >  java.net.SocketException: Connection reset by peer: JVM_recv in
    > socket
    > input st
    > ream read
    >         at java.net.SocketInputStream.socketRead(Native Method)
    >         at java.net.SocketInputStream.read(SocketInputStream.java:86)
    >         at
    > java.io.BufferedInputStream.fill(BufferedInputStream.java:186)
    >         at
    > java.io.BufferedInputStream.read(BufferedInputStream.java:204)
    >         at
    > org.apache.tomcat.service.http.HttpRequestAdapter.doRead(HttpRequestA
    > dapter.java:115)
    >         at
    > org.apache.tomcat.core.BufferedServletInputStream.doRead(BufferedServ
    > letInputStream.java:106)
    >         at
    > org.apache.tomcat.core.BufferedServletInputStream.read(BufferedServle
    > tInputStream.java:128)
    >         at
    > javax.servlet.ServletInputStream.readLine(ServletInputStream.java:138
    > )
    >         at
    > org.apache.tomcat.service.http.HttpRequestAdapter.readNextRequest(Htt
    > pRequestAdapter.java:129)
    >         at
    > org.apache.tomcat.service.http.HttpConnectionHandler.processConnectio
    > n(HttpConnectionHandler.java:198)
    >         at
    > org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java:
    > 416)
    >         at
    > org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java
    > :501)
    >         at java.lang.Thread.run(Thread.java:484)
    > 
    > 2001-09-03 11:11:13 - Ctx(  ): 404 R(  + SnapStream + null) null
    > 2001-09-03 11:11:13 - Ctx(  ): 404 R(  + SnapStream + null) null
    > 2001-09-03 11:11:14 - Ctx(  ): 404 R(  + /includes/global.inc + null)
    > null
    > 2001-09-03 11:11:15 - Ctx(  ): 404 R(  + /global.asa .htr + null) null
    > 2001-09-03 11:11:15 - Ctx(  ): 404 R(  + /pollit/Poll_It_v2.0.cgi +
    > null)
    > null
    > 2001-09-03 11:11:15 - Ctx(  ): 404 R(  + /iissamples/issamples/fastq.idq
    > +
    > null)
    >  null
    > 2001-09-03 11:11:16 - Ctx(  ): 404 R(  + /cfdocs/expeval/sendmail.cfm
    > +
    > null) nu
    > ll
    > 2001-09-03 11:11:16 - Ctx(  ): 404 R(  + /cgi-bin/wais + null) null
    > 2001-09-03 11:11:16 - Ctx(  ): 404 R(  + /cgi-bin/DCShop + null) null
    > 2001-09-03 11:11:16 - Ctx(  ): 404 R(  + SnapStream + null) null
    > 2001-09-03 11:11:16 - Ctx(  ): 404 R(  + /cgi-bin/websync.exe + null)
    > null
    > 2001-09-03 11:11:16 - Ctx(  ): 404 R(  + /officescan/cgi/jdkRqNotify.exe
    > +
    > null)
    >  null
    > 2001-09-03 11:11:17 - Ctx(  ): 404 R(  + SnapStream + null) null
    > 2001-09-03 11:11:17 - Ctx(  ): 404 R(  +
    > /cgi-bin/pollit/Poll_It_SSI_v2.0.cgi +
    > null) null
    > 2001-09-03 11:11:17 - Ctx(  ): 404 R(  + /iissamples/issamples/fastq.idq
    > +
    > null)
    >  null
    > 2001-09-03 11:11:17 - Ctx(  ): 404 R(  +
    > /cgi-bin/pollit/Poll_It_SSI_v2.0.cgi +
    > null) null
    > 2001-09-03 11:11:17 - Ctx(  ): 404 R(  + /iissamples/issamples/query.idq
    > +
    > null)
    >  null
    > 2001-09-03 11:11:18 - Ctx(  ): 404 R(  + /iissamples/issamples/query.idq
    > +
    > null)
    >  null
    > 2001-09-03 11:11:19 - Ctx(  ): 404 R(  + /cgi-bin/wais + null) null
    > 2001-09-03 11:11:19 - Ctx(  ): 404 R(  + /cgi-bin/DCShop + null) null
    > 2001-09-03 11:11:20 - Ctx(  ): 404 R(  + /iisadmpwd/cmd.exe + null)
    > null
    > 2001-09-03 11:11:20 - Ctx(  ): 404 R(  + /iisadmpwd/cmd.exe + null)
    > null
    > 2001-09-03 11:11:21 - Ctx(  ): 404 R(  + /samples/sensepost.exe + null)
    > null
    > 2001-09-03 11:11:21 - Ctx(  ): 404 R(  + /samples/sensepost.exe + null)
    > null
    > 2001-09-03 11:11:21 - Ctx(  ): 404 R(  + /samples/cmd1.exe + null)
    > null
    > 2001-09-03 11:11:21 - Ctx(  ): 404 R(  + /samples/cmd1.exe + null)
    > null
    > 2001-09-03 11:11:22 - Ctx(  ): 404 R(  + /cgi-bin/simplestmail.cgi +
    > null)
    > null
    > 2001-09-03 11:11:22 - Ctx(  ): 404 R(  + /samples/cmd.exe + null) null
    > 2001-09-03 11:11:22 - Ctx(  ): 404 R(  + /samples/cmd.exe + null) null
    > 2001-09-03 11:11:22 - Ctx(  ): 404 R(  + /cgi-bin/sensepost.exe + null)
    > null
    > 2001-09-03 11:11:23 - Ctx(  ): 404 R(  + /cgi-bin/sensepost.exe + null)
    > null
    > 2001-09-03 11:11:23 - Ctx(  ): 404 R(  + /cgi-bin/cmd1.exe + null)
    > null
    > 2001-09-03 11:11:23 - Ctx(  ): 404 R(  + /cgi-bin/cmd1.exe + null)
    > null
    > 2001-09-03 11:11:23 - Ctx(  ): 404 R(  + /cgi-bin/cmd.exe + null) null
    > 2001-09-03 11:11:24 - Ctx(  ): 404 R(  + /cgi-bin/cmd.exe + null) null
    > 2001-09-03 11:11:24 - Ctx(  ): 404 R(  + /vti_cnf/sensepost.exe + null)
    > null
    > 2001-09-03 11:11:24 - Ctx(  ): 404 R(  + /vti_cnf/sensepost.exe + null)
    > null
    > 2001-09-03 11:11:25 - Ctx(  ): 404 R(  + /vti_cnf/cmd1.exe + null)
    > null
    > 2001-09-03 11:11:27 - Ctx(  ): 404 R(  + /iisadmpwd/ + null) null
    > 2001-09-03 11:11:27 - Ctx(  ): 404 R(  + /cgi-bin/ustorekeeper.pl +
    > null)
    > null
    > 2001-09-03 11:11:27 - Ctx(  ): 404 R(  +
    > /msadc/..%5c..%5c/..%5c..%5c/winnt/syst
    > em32/cmd.exe + null) null
    > 2001-09-03 11:11:27 - Ctx(  ): 404 R(  + /.nsf/../winnt/win.ini + null)
    > null
    > 2001-09-03 11:11:27 - Ctx(  ): 404 R(  +
    > /iissamples/exair/howitworks/codebrws.a
    > sp + null) null
    > 2001-09-03 11:11:27 - Ctx(  ): 404 R(  + /usr/bin/xvcad/glib/ + null)
    > null
    > 2001-09-03 11:11:27 - Ctx(  ): 404 R(  + /cgi-bin/ustorekeeper.pl +
    > null)
    > null
    > 2001-09-03 11:11:27 - Ctx(  ): 404 R(  +
    > /scripts/..%5c..%5cwinnt/system32/cmd.e
    > xe + null) null
    > 2001-09-03 11:11:27 - Ctx(  ): 404 R(  + /usr/bin/xvcad/glib/ + null)
    > null
    > 2001-09-03 11:11:27 - Ctx(  ): 404 R(  +
    > /scripts/..%5c..%5cwinnt/system32/cmd.e
    > xe + null) null
    > 2001-09-03 11:11:27 - Ctx(  ): 404 R(  + /usr/bin/xvcad/var_rm + null)
    > null
    > 2001-09-03 11:11:28 - Ctx(  ): 404 R(  + /usr/bin/xvcad/var_rm + null)
    > null
    > 2001-09-03 11:11:28 - Ctx(  ): 404 R(  + /vti_cnf/cmd1.exe + null)
    > null
    > 2001-09-03 11:11:28 - Ctx(  ): 404 R(  + /usr/bin/xvcad/igesin + null)
    > null
    > 2001-09-03 11:11:28 - Ctx(  ): 404 R(  + /vti_cnf/cmd.exe + null) null
    > 2001-09-03 11:11:28 - Ctx(  ): 404 R(  + /usr/bin/xvcad/igesin + null)
    > null
    > 2001-09-03 11:11:29 - Ctx(  ): 404 R(  + /vti_cnf/cmd.exe + null) null
    > 2001-09-03 11:11:29 - Ctx(  ): 404 R(  + /usr/bin/xvcad/dxfin + null)
    > null
    > 2001-09-03 11:11:29 - Ctx(  ): 404 R(  + /vti_bin/sensepost.exe + null)
    > null
    > 2001-09-03 11:11:29 - Ctx(  ): 404 R(  + /usr/bin/xvcad/dxfin + null)
    > null
    > 2001-09-03 11:11:29 - Ctx(  ): 404 R(  + /vti_bin/sensepost.exe + null)
    > null
    > 2001-09-03 11:11:29 - Ctx(  ): 404 R(  + /vti_bin/cmd1.exe + null)
    > null
    > 2001-09-03 11:11:30 - Ctx(  ): 404 R(  + /vti_bin/cmd1.exe + null)
    > null
    > 2001-09-03 11:11:30 - Ctx(  ): 404 R(  + /vti_bin/cmd.exe + null) null
    > 2001-09-03 11:11:30 - Ctx(  ): 404 R(  + /vti_bin/cmd.exe + null) null
    > 2001-09-03 11:11:31 - Ctx(  ): 404 R(  + /msadc/sensepost.exe + null)
    > null
    > 2001-09-03 11:11:31 - Ctx(  ): 404 R(  + /msadc/sensepost.exe + null)
    > null
    > 2001-09-03 11:11:31 - Ctx(  ): 404 R(  + /msadc/cmd1.exe + null) null
    > 2001-09-03 11:11:32 - Ctx(  ): 404 R(  + /msadc/cmd1.exe + null) null
    > 2001-09-03 11:11:32 - Ctx(  ): 404 R(  + /msadc/cmd.exe + null) null
    > 2001-09-03 11:11:32 - Ctx(  ): 404 R(  + /msadc/cmd.exe + null) null
    > 2001-09-03 11:11:32 - Ctx(  ): 404 R(  + /scripts/sensepost.exe + null)
    > null
    > 2001-09-03 11:11:42 - Ctx(  ): 404 R(  + /scripts/sensepost.exe + null)
    > null
    > 2001-09-03 11:11:42 - Ctx(  ): 404 R(  + /scripts/cmd1.exe + null)
    > null
    > 2001-09-03 11:11:42 - Ctx(  ): 404 R(  + /scripts/cmd1.exe + null)
    > null
    > 2001-09-03 11:11:43 - Ctx(  ): 404 R(  + /scripts/cmd.exe + null) null
    > 2001-09-03 11:11:43 - Ctx(  ): 404 R(  + /scripts/cmd.exe + null) null
    > 2001-09-03 11:11:43 - Ctx(  ): 404 R(  + /sensepost.exe + null) null
    > 2001-09-03 11:11:44 - Ctx(  ): 404 R(  + /sensepost.exe + null) null
    > 2001-09-03 11:11:44 - Ctx(  ): 404 R(  + /cmd1.exe + null) null
    > 2001-09-03 11:11:44 - Ctx(  ): 404 R(  + /cmd1.exe + null) null
    > 2001-09-03 11:11:44 - Ctx(  ): 404 R(  + /cmd.exe + null) null
    > 2001-09-03 11:11:45 - Ctx(  ): 404 R(  + /cmd.exe + null) null
    > 
    > End <--
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    > 
    > 
    
    
    
    // jnf
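The reasoning in the reply above (dozens of 404s for unrelated, well-known paths arriving within seconds is a scanner, and the defender's follow-up is to confirm that none of the probed files actually exist on the host) can be turned into a small log triage script. What follows is an added example, not code from either poster: it parses the Tomcat 3.x `Ctx(  ): 404 R( + path + null) null` line format seen in the quoted log, clusters 404s by time gap, and tags the probed paths by category so the "files to verify" list falls out automatically. The line regex, the signature patterns, the 30-second gap and 5-path threshold, and the sample log lines are all constructed for this example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Tomcat 3.x context-log line (format taken from the quoted log), e.g.
#   2001-09-03 11:11:07 - Ctx(  ): 404 R(  + /cgi-bin/cmd.exe + null) null
# The path is matched non-greedily up to the literal " + null) null" terminator,
# so paths that contain spaces (e.g. "/scripts/passwd.txt .pl") survive intact.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) - Ctx\(\s*\): "
    r"(?P<status>\d{3}) R\(\s*\+ (?P<path>.*?) \+ null\) null$"
)

# Defender-side categories for what a probed path is looking for (constructed).
SIGNATURES = {
    "directory traversal": re.compile(r"(\.\./|\.\.\\|\.\.%5c|\.\.%2f)", re.I),
    "command interpreter probe": re.compile(r"/(cmd|cmd1|sensepost)\.exe$", re.I),
    "sensitive file probe": re.compile(
        r"(\.pwd|passwd|boot\.ini|autoexec\.bat|win\.ini|sam\._)", re.I),
    "cgi probe": re.compile(r"^/cgi-bin/", re.I),
}

# Constructed sample: a burst shaped like the one in the thread, followed by two
# isolated, benign-looking 404s that must NOT be flagged.
SAMPLE_LOG = r"""
2001-09-03 11:11:07 - Ctx(  ): 404 R(  + /cgi-bin/bb-rep.sh + null) null
2001-09-03 11:11:07 - Ctx(  ): 404 R(  + /_vti_pvt/users.pwd + null) null
2001-09-03 11:11:08 - Ctx(  ): 404 R(  + /..\..\..\..\..\autoexec.bat + null) null
2001-09-03 11:11:08 - Ctx(  ): 404 R(  + /cgi-bin/..%5c..%5c/..%5c..%5c/winnt/system32/cmd.exe + null) null
2001-09-03 11:11:09 - Ctx(  ): 404 R(  + /iisadmpwd/sensepost.exe + null) null
2001-09-03 11:11:09 - Ctx(  ): 404 R(  + /..\..\..\boot.ini + null) null
2001-09-03 11:11:10 - Ctx(  ): 404 R(  + /scripts/passwd.txt .pl + null) null
2001-09-03 11:11:22 - Ctx(  ): 404 R(  + /samples/cmd.exe + null) null
2001-09-03 11:11:44 - Ctx(  ): 404 R(  + /cmd1.exe + null) null
2001-09-03 11:45:02 - Ctx(  ): 404 R(  + /favicon.ico + null) null
2001-09-03 12:03:19 - Ctx(  ): 404 R(  + /robots.txt + null) null
""".strip()


def parse_line(line):
    """Return {ts, status, path} for a request line, or None for anything else
    (stack traces, blank lines, the SocketException noise in the thread)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "status": int(m["status"]),
        "path": m["path"],
    }


def classify(paths):
    """Count how many of the given paths match each signature category."""
    tags = Counter()
    for p in paths:
        for name, rx in SIGNATURES.items():
            if rx.search(p):
                tags[name] += 1
    return tags


def find_bursts(events, max_gap=timedelta(seconds=30), min_distinct=5):
    """Cluster 404s whose consecutive timestamps are no more than max_gap apart
    (the 'within seconds' observation in the reply); a cluster touching at least
    min_distinct different paths is reported as a scanner burst."""
    misses = sorted((e for e in events if e["status"] == 404), key=lambda e: e["ts"])
    clusters, current = [], []
    for e in misses:
        if current and e["ts"] - current[-1]["ts"] > max_gap:
            clusters.append(current)
            current = []
        current.append(e)
    if current:
        clusters.append(current)

    bursts = []
    for c in clusters:
        paths = {e["path"] for e in c}
        if len(paths) < min_distinct:
            continue
        tags = classify(paths)
        bursts.append({
            "start": c[0]["ts"], "end": c[-1]["ts"],
            "requests": len(c), "distinct_paths": len(paths),
            "tags": tags,
            # What the reply tells the admin to check: none of these may exist
            # under the document root, since a hit would mean an earlier intrusion.
            "verify_absent": sorted(
                p for p in paths if SIGNATURES["command interpreter probe"].search(p)),
        })
    return bursts


if __name__ == "__main__":
    evs = [e for e in map(parse_line, SAMPLE_LOG.splitlines()) if e]
    for b in find_bursts(evs):
        span = (b["end"] - b["start"]).total_seconds()
        print(f"scanner burst {b['start']} .. {b['end']} ({span:.0f}s): "
              f"{b['requests']} requests, {b['distinct_paths']} distinct paths")
        for tag, n in b["tags"].most_common():
            print(f"  {n:3d}  {tag}")
        print("  verify these do not exist in the docroot:", b["verify_absent"])
```

Run it against a real Tomcat context log by replacing `SAMPLE_LOG.splitlines()` with the file's lines; lines that are not requests (the `ContextManager: SocketException` trace in the thread, for instance) are skipped by `parse_line`. The gap and distinct-path thresholds are deliberately loose: a single browser following a broken link produces one or two 404s minutes apart, while the burst in the thread produced well over a hundred in under forty seconds.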
    



    This archive was generated by hypermail 2b30 : Tue Sep 04 2001 - 09:12:03 PDT