I guess it was a portscan with some funky per-port options:

messages:Nov 30 16:18:36 evildomain snort: MISC-WinGate-8080-Attempt: 207.33.111.32:2464 -> 62.30.33.207:8080
messages:Nov 30 16:18:36 evildomain snort: spp_portscan: PORTSCAN DETECTED from 207.33.111.32 (THRESHOLD 4 connections exceeded in 8 seconds)
messages:Nov 30 16:18:36 evildomain snort: MISC-WinGate-1080-Attempt: 207.33.111.32:2465 -> 62.30.33.207:1080
messages:Nov 30 16:18:36 evildomain snort: spp_http_decode: CGI Null Byte attack detected: 207.33.111.32:2463 -> 62.30.33.207:80
messages:Nov 30 16:18:36 evildomain snort: SCAN - Whisker Stealth Mode 4- HEAD: 207.33.111.32:2463 -> 62.30.33.207:80
messages:Nov 30 16:18:37 evildomain snort: spp_http_decode: CGI Null Byte attack detected: 207.33.111.32:2467 -> 62.30.33.207:80
messages:Nov 30 16:18:37 evildomain snort: SCAN - Whisker Stealth Mode 4- HEAD: 207.33.111.32:2467 -> 62.30.33.207:80
messages:Nov 30 16:18:37 evildomain snort: WEB-MISC-.htaccess: 207.33.111.32:2467 -> 62.30.33.207:80
messages:Nov 30 16:18:38 evildomain proftpd[24397]: connect from 207.33.111.32 (207.33.111.32)
messages:Nov 30 16:18:38 evildomain snort: spp_http_decode: CGI Null Byte attack detected: 207.33.111.32:2468 -> 62.30.33.207:80
messages:Nov 30 16:18:38 evildomain snort: SCAN - Whisker Stealth Mode 4- HEAD: 207.33.111.32:2468 -> 62.30.33.207:80
messages:Nov 30 16:18:38 evildomain snort: spp_http_decode: CGI Null Byte attack detected: 207.33.111.32:2470 -> 62.30.33.207:80
messages:Nov 30 16:18:38 evildomain snort: SCAN - Whisker Stealth Mode 4- HEAD: 207.33.111.32:2470 -> 62.30.33.207:80
messages:Nov 30 16:18:38 evildomain snort: SCAN - Whisker Stealth- WS_FTP.INI access attempt : 207.33.111.32:2470 -> 62.30.33.207:80
messages:Nov 30 16:18:40 evildomain snort: spp_portscan: portscan status from 207.33.111.32: 5 connections across 1 hosts: TCP(5), UDP(0)
messages:Nov 30 16:18:42 evildomain snort: spp_http_decode: CGI Null Byte attack detected: 207.33.111.32:2472 -> 62.30.33.207:80
messages:Nov 30 16:18:42 evildomain snort: SCAN - Whisker Stealth Mode 4- HEAD: 207.33.111.32:2472 -> 62.30.33.207:80
messages:Nov 30 16:18:42 evildomain snort: SCAN - Whisker Stealth- WS_FTP.INI access attempt : 207.33.111.32:2472 -> 62.30.33.207:800183 F=0x4000 T=53 SYN (#1802)
messages:Nov 30 16:18:42 evildomain proftpd[24397]: evildomain.internallan.org (207.33.111.32[207.33.111.32]) - FTP session opened.
messages:Nov 30 16:18:42 evildomain snort: spp_http_decode: CGI Null Byte attack detected: 207.33.111.32:2477 -> 62.30.33.207:80
messages:Nov 30 16:18:42 evildomain snort: SCAN - Whisker Stealth Mode 4- HEAD: 207.33.111.32:2477 -> 62.30.33.207:80
messages:Nov 30 16:18:43 evildomain proftpd[24397]: evildomain.internallan.org (207.33.111.32[207.33.111.32]) - FTP session closed.
messages:Nov 30 16:18:44 evildomain snort: spp_portscan: portscan status from 207.33.111.32: 1 connections across 1 hosts: TCP(1), UDP(0)
messages:Nov 30 16:18:50 evildomain snort: spp_portscan: portscan status from 207.33.111.32: 1 connections across 1 hosts: TCP(1), UDP(0)
messages:Nov 30 16:18:52 evildomain snort: spp_http_decode: CGI Null Byte attack detected: 207.33.111.32:2478 -> 62.30.33.207:80
messages:Nov 30 16:18:52 evildomain snort: SCAN - Whisker Stealth Mode 4- HEAD: 207.33.111.32:2478 -> 62.30.33.207:80
messages:Nov 30 16:18:53 evildomain snort: spp_http_decode: CGI Null Byte attack detected: 207.33.111.32:2500 -> 62.30.33.207:80
messages:Nov 30 16:18:53 evildomain snort: SCAN - Whisker Stealth Mode 4- HEAD: 207.33.111.32:2500 -> 62.30.33.207:80
messages:Nov 30 16:18:53 evildomain snort: spp_http_decode: CGI Null Byte attack detected: 207.33.111.32:2504 -> 62.30.33.207:80
messages:Nov 30 16:18:53 evildomain snort: SCAN - Whisker Stealth Mode 4- HEAD: 207.33.111.32:2504 -> 62.30.33.207:80
messages:Nov 30 16:18:53 evildomain snort: SCAN - Whisker Stealth- mlog access attempt: 207.33.111.32:2504 -> 62.30.33.207:80
messages:Nov 30 16:18:54 evildomain snort: spp_portscan: portscan status from 207.33.111.32: 1 connections across 1 hosts: TCP(1), UDP(0)
messages:Nov 30 16:18:57 evildomain snort: spp_http_decode: CGI Null Byte attack detected: 207.33.111.32:2505 -> 62.30.33.207:80
messages:Nov 30 16:18:57 evildomain snort: SCAN - Whisker Stealth Mode 4- HEAD: 207.33.111.32:2505 -> 62.30.33.207:80
messages:Nov 30 16:18:57 evildomain snort: SCAN - Whisker Stealth- mylog access attempt: 207.33.111.32:2505 -> 62.30.33.207:80
messages:Nov 30 16:18:59 evildomain snort: spp_portscan: portscan status from 207.33.111.32: 1 connections across 1 hosts: TCP(1), UDP(0)
messages:Nov 30 16:19:03 evildomain snort: spp_portscan: End of portscan from 207.33.111.32: TOTAL time(29s) hosts(1) TCP(9) UDP(0)

-----Original Message-----
From: Michael Ward
Sent: Friday, November 30, 2001 4:35 PM
To: 'gkingat_private'
Subject: RE: Strange Web requests.

Almost looks like a reconnaissance scan. It seems to be using the HEAD command instead of GET, which usually indicates that the client is scanning for open vulnerabilities... but it seems like they're incorporating some kind of buffer overflow into it. Do you have any other entries in any of your logs from this IP?

-Mike

-----Original Message-----
From: Geoffrey King [mailto:gkingat_private]
Sent: Friday, November 30, 2001 11:01 AM
To: incidentsat_private
Subject: Strange Web requests.

I'm getting some weird web requests coming in on my Home cablemodem setup.
[Fri Nov 30 16:18:52 2001] [error] [client 207.33.111.32] Invalid method in request HEAD%00 /%20HTTP/1.0%0D%0A%0D%0AAccept%3A%20gtkcaqcekiihoj/../../index.html%3fnb jkky ckfxc=/../ieielkyazjrtlwamehemlerzayxgxvshosamhlrfjqkjvbqrxjplsmluohplap ryys tkumldtrqimmjmqogynifwwlnghjwkiirvfjkdvlvyuxjieadymlsumvriicklndjvrekdlr bbma sqkqfrsigboccwpmrozdodezsewfwuesvjobkbhfpbivuydpjsjdylaelsdlrvpdwwjfjrzc hnbn orjohiaxkosvwvlhsivmookdpoxzdylpcvwhktyjlgbvnxxxpucgtatvffnbxzevjyowjmhw isjo bivqumhqunmmwsusmzgwumatzyfqcgxcnpnnmtllsqpsfpyflwhifgtlltnhjbfixauobptb snnh hhvxlfxtpnejibvzpgbhcabumjhgyrxmksemempmekharvoeqcnokdfnykfebmvlfepynnxl ttls qcwpdhrmuvrxqxfdyfuplikvotraksbaxmdgriuthcnxvsclrgwitqpramguvjgkbzjwtklk wflw pfzbuamezliqnahffxzwqumvkhinpyorhgfnqwjqrbrptralicwqttbsyalzukwnirxlbebe eayw tvfxgbyampcxrkzqyvyvfbmcszbivnmpobahjrjrvhbvkotleeqavpfiprztpcatbjkqvglj lqyn nxeqfqbphupugppdfazicmmpdjnkriykseezfxgrqeyffdilrertefbstylsafhshymcmwop loyb uetdfqxzqpjfdvjfemqamllabtcbuwivxnhqfaxxmgkltczflexpuwczvpfwrcaeebivowkx kqnl zogwaispoofhkohrdepqmfyxbiibubgjercdmbwcpsteevfdgyjfjmgmimwiitljjxktildi qzyi cojlprcktfhdctppmmndsrzxytlgrgsjxesmxxopvegpufnlnpbzfzsiuutaqbcmjajubsyf kwjj khxxbmgdvaxfpnzzddmsievmpqwhpmlbzwrbzhebsazairqhzdmsuhgfznlhmaalgqujncob pfkb sruugcjpfkblvpmlkbknxpnjqajkwuxtsxpntbzyzuefdktlaunmflgknsujdxwuomlylgve fdxp kdjjofizqooueinjmjjkpzwwnnosifminfffwuakttyvkeallovlybecfjrnoerzybqdubqp heia ltcgwpqcsnqqkbbfssrceidgkkktkaxcuulqyzbqmuslglcjvyhacjtgnhgjiyjhitpsipea gibm pddtfunvygerjsmfcyirnxghfsiexikoeljymetumaqvrzompigdkpbsuyjpiqdytgczjswh yqmp sgwtbxndmjmphaykxwdlprvtonihekpyxrobcbmbyccgjdpitrnjxvysiozpkafmtsnpmerh oifl xrpprrqcozngamqgirwr/.././%57%57%57%54%48%52%45%41%44%53/./ HTTP/1.0

[Fri Nov 30 16:18:53 2001] [error] [client 207.33.111.32] Invalid method in request HEAD%00 /%20HTTP/1.0%0D%0A%0D%0AAccept%3A%20fbdfhahodcqrxrdx/../../index.html%3f yfbw kypspvxcjaesb=/../zyzxzkvdcjvitalrnfnvmknpdgmvugvvcehhxstixtcgjpictmqwch jtre jgtjbgzqgabwknksanesgsgvbzchknxbkejcvktxunxkaghsktvgswhzpwgaprlhdbinbeku rawe zutzkimuyxlqykbdnqiduyuviguqhxvzbwnpdgykmhhthsufdkddxdzrhkoskosjnlmlbjjs gvlh yrvymbdmzxmwnqhmlqiiacqkcgvmuwkxpawkuedzcexfsgjwajdbuxwelmrolhumlqrmuihw fdui bcmyxtunsdaxrzehyccnbyuptgcohayudbxociefbmhathmigiilkfpgkxrktetvvztjvnqo roqo qnilawukypqitvlqknkizkdrgmjrxwulynjxbplaevlnhpxxeqbgysqcezvkxuvefrxhjqnf ocvy xycwfpnfwfeeknbyylisvugkwfiwjrypqdrcscnwexunftvounkqwnpkqlowofdgytnocugu lxdo vhwzsurtcuicmjzgmismskycbxflvrlmedzpwapnytucewbdtjxwbsuhxteajwzrtkttzphf jolz taryvpowbgrohxsultfvrmgweoyswlspnpngddpckkbfhtiowdglhpvdvjezyrpdjzxsuflf zqmx pkgffzttwdqbtfautwhniplihtsurqvkbmrcszmvcqvurnqimroemitrbkcjhmabbnkgribs uhzv pbmciczogfmhglypzfwnhmdxijoudqqocrfopthszjqjwjimczqddugshntcwoajdongajoz ywtb lzvwoakxhlmdgqibblgfdegaknsvywodsuiqjepugdoozauvtvcpfhnsvsxkoxswnvmyojpr tybu vhusrtmrwxvngwhkmtpejlwhydtwqrtpubgkoztfrrfftnkeyqvqxgxxhjfqkyebhfopmpmg eizz umqyjdqrzfomqocafmnjazmqdnrfrqzjrockcnliybfkhurqezktrzueyrzebsyabfrumumj nvai cfyrqrekytmwdxvjqgjgmjntdfmplskqoyuarngjunpdfwehbmigaavtnfndxponhlbwngmw ubab budlirwyuirsgxycgmwmezvwdwbgvdcjblvnxaubupfiwvzoanvequqpxmehkiasdkrvstvw zdbm voyilcidosccqzvvljtijdzdednwmbkfgbrmbhauzkkygnpcfccapsdkdjvkzqigvwfhazsl xyed oxnjizzdpywlpoudrjbsxhnykirrlagnivhdirexhpjclsuxxfunliydfpmirxhmdfvcfizb rgmi owxagwopwokxiyhjqnkkgjoepazlugufcwznmxiugszvvtsnijryqonuysksckagodfuypgf hhxk smaykgvcurxyfkiznoulquvhgwfyijrczxfnswzytvqdiepzwoeekxewzvxxyeard/.././%50%48%50/./ HTTP/1.0

[Fri Nov 30 16:18:53 2001] [error] [client 207.33.111.32] Invalid method in request HEAD%00 /%20HTTP/1.0%0D%0A%0D%0AAccept%3A%20hbjeqftxsuodwd/../../index.html%3fqo atfp kbwzljzpsr=/../tccpzrngfnaopxuhkjqgecegxltihxrvqqgivxjfanillatnmkwzssrui mupl jbfjmfglgguflyquftjtlvrgrvpeezwcrsvyrnwusiejvvzxbawzzafisnjvupcjmqcgnnzc lsid wuvegyspdynrmgwjaabrvycqsvflfaqwqvbbwhwheayikpeityqhhbwkrebdprrfunpkassa zjks bjbljccayukcunsltcsfcisvczdmllbhakvdhjpwvwcyhcwtrrfympomnyqhgrwxfrmdfgwz urqy etwhonzqhhkutwtsfbnkommwwnrjnqdydsrhqkfpppkgarcmbgreqhttsqwtamcydzyikwll ggmj ymjdwmejkqgnokvwqzikzyqhtzasenmzuwrermkdmoqwjwukvyemykcwggmloirclztortqi inta jvjsydfoilkbirsdufhtjhtbnwhndwmrcuxdoqftehkyuarnievievwmppswzikybdngriow vpzw nqoqyxmtjjyrputlwdjzhtnysfyhdmvfxfpgobsrdszabqmvwdckrtasqydfoljozytxoeyr lmmm usekbnvkuoqwpaajyseilchllqpesopqsaaaltaqzqpppzqcucvolxojfzptqghfzelnfbaf sjof zivwwbxvsxporytpnpicsoqevafbtlphveckdzumcxqybdkeckdldrjavbimfzhbemdlriao mspk xdcfztfcbkwhspqfzlohwqmvajljjmertfjhgmphbdsnuzkqdpxjhcumsadomgkhvccbclur gesq qjjffgomwssmmfsjlyoeigognydawhawstmwenyxoeyelskjbiaxfmibjhjvxfqgifabphqp rrfz bhucyzcrahbhyjifdbdzkgfizbviurmsczmbfoxbuyqxglqxbvtlmjcuvssefygjupodmsmv kjfa peronpmpnvypgsqkcysqzrbissmguficzjtiukhuzphkthqpvdxlaechpcafgvnpxdxpdpik sdjm nsvbvcmdveejitbhovacgtjdvswrrclnpvgbfgqjvmlyovtkihjgoujatzxrnomtlstsgjpd dzlm trjvawvfvwvvhdkjkjboyoedatwrcfqqmzpkvnymnxubgswmmmmrfhfnqoupgmqwiyepifae xrra xxedtqvypeoxbuxikduwcmfottmanahslgtfuikndbkswubebhxaihtcsuddpcapafdrxrre mxwj wppkzmhmtmlwzouaqpbxyhaizwzkoxptaejbolihyabwvtnsssdwryyknanjlxrtviwvobon fews xudnndzdnilfqwsguaguexoulkoxeurjxampbxfsecqoxhbsruhlkqhsidlchxrctp/.././%4d%4c%4f%47%2e%50%48%54%4d%4c HTTP/1.0

It doesn't look like codered/nimda, so what could it be? And what's it trying to do?

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
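An added example, not code from the thread: a small Python script that decodes a logged request line of the kind above the way the server would (percent-decode once, drop the null byte, collapse ./ and ../), so the fake "HTTP/1.0" ending, the encoded '?' and the random directories fall away and only the real probe target remains, together with a list of the obfuscation tricks seen. The three sample lines are constructed from the entries above with the long random directory names shortened; their hex tails decode to WWWTHREADS, PHP and MLOG.PHTML.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed samples: the three request lines quoted above, with the long
# random directory names shortened; encoded bytes and hex tails unchanged.
SAMPLES = [
    "HEAD%00 /%20HTTP/1.0%0D%0A%0D%0AAccept%3A%20gtkcaq/../../index.html"
    "%3fnbjkky=/../ieielk/.././%57%57%57%54%48%52%45%41%44%53/./ HTTP/1.0",
    "HEAD%00 /%20HTTP/1.0%0D%0A%0D%0AAccept%3A%20fbdfha/../../index.html"
    "%3fyfbw=/../zyzxzk/.././%50%48%50/./ HTTP/1.0",
    "HEAD%00 /%20HTTP/1.0%0D%0A%0D%0AAccept%3A%20hbjeqf/../../index.html"
    "%3fqoatfp=/../tccpzr/.././%4d%4c%4f%47%2e%50%48%54%4d%4c HTTP/1.0",
]

# Obfuscation tricks visible in the raw (still encoded) method and URI.
EVASIONS = [
    ("null byte after method", lambda m, u: "%00" in m.upper()),
    ("premature request ending", lambda m, u: bool(re.search(r"%20HTTP/1\.[01]%0D%0A", u, re.I))),
    ("encoded '?' hiding a fake parameter", lambda m, u: "%3F" in u.upper()),
    ("self-referencing directories", lambda m, u: "/./" in u),
    ("directory traversal", lambda m, u: "/../" in u),
    ("hex-encoded target segment", lambda m, u: bool(re.search(r"/(%[0-9a-f]{2}){2,}(?=/|$)", u, re.I))),
]

def normalize_path(raw_uri):
    """Decode once, as a server does after splitting the request line (so %3f
    is a literal '?' inside a directory name), then collapse '.' and '..'."""
    decoded = unquote_to_bytes(raw_uri).decode("latin-1")
    stack = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack: stack.pop()
            continue
        stack.append(seg)
    path = "/" + "/".join(stack)
    if decoded.endswith("/") and len(path) > 1:  # keep a directory probe as such
        path += "/"
    return path

def analyze(request_line):
    """Cleaned method, normalized target and evasions seen in one logged request line."""
    method, uri, _version = request_line.split(" ", 2)
    clean_method = unquote_to_bytes(method).replace(b"\x00", b"").decode("latin-1")
    return {"method": clean_method, "target": normalize_path(uri),
            "evasions": [name for name, seen in EVASIONS if seen(method, uri)]}

if __name__ == "__main__":
    for line in SAMPLES:
        print(analyze(line))
```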
This archive was generated by hypermail 2b30 : Sat Dec 01 2001 - 13:55:19 PST