SPAM: -------------------- Start SpamAssassin results ----------------------
SPAM: This mail is probably spam. The original message has been altered
SPAM: so you can recognise or block similar unwanted mail in future.
SPAM: See http://spamassassin.org/tag/ for more details.
SPAM:
SPAM: Content analysis details: (6.32 hits, 5 required)
SPAM: Hit! (1.94 points) From: ends in numbers
SPAM: Hit! (2.58 points) BODY: Uses a username in a URL
SPAM: Hit! (1.8 points) No MX records for the From: domain
SPAM:
SPAM: -------------------- End of SpamAssassin results ---------------------

At first glance this log seems to be a directed attack to find web vulnerabilities in your systems. For example, CIS, Typhon... these scanning tools use the same pattern. Check the scanning pattern and compare it with the attack log!

CIS webscan - http://www.@stake.com/research/tools/webscan.exe

Regards,
K.Tommy

----- Original Message -----
From: "Douglas P. Brown" <dugbrownat_private>
To: <incidentsat_private>; <unisogat_private>
Cc: "ITS Security" <securityat_private>
Sent: Saturday, March 02, 2002 4:44 AM
Subject: Large Attack

>
> FYI - Starting last night and continuing this morning we've seen at
> least 14 hosts from at least 7 different foreign subnets banging pretty
> heavy on our subnets. Below is a smart from the IDS logs for one of the
> bad hosts. The result has been that several NT and 2000 domains have
> had accounts locked out.
>
> 148 different signatures are present for x.x.x.x as a source
>
> 1 instances of WEB-IIS JET VBA access
> 1 instances of WEB-IIS getdrvrs access
> 1 instances of WEB-COLDFUSION administrator access
> 1 instances of WEB-IIS admin.dll access
> 1 instances of WEB-MISC .wwwacl access
> 1 instances of WEB-IIS uploadn.asp access
> 1 instances of WEB-CGI args.bat access
> 1 instances of WEB-MISC Domino catalog.ns access
> 1 instances of WEB-COLDFUSION exampleapp access
> 1 instances of WEB-IIS bdir.ht access
> 1 instances of WEB-MISC cpshost.dll access
> 1 instances of WEB-IIS getdrvs.exe access
> 1 instances of WEB-IIS anot.htr access
> 1 instances of WEB-IIS search97.vts
> 1 instances of WEB-FRONTPAGE shtml.exe
> 1 instances of WEB-COLDFUSION cfmlsyntaxcheck.cfm access
> 1 instances of WEB-FRONTPAGE form_results access
> 1 instances of WEB-FRONTPAGE authors.pwd access
> 1 instances of WEB-COLDFUSION beaninfo access
> 1 instances of WEB-MISC convert.bas access
> 1 instances of WEB-MISC AuthChangeUrl access
> 1 instances of WEB-IIS codebrowser SDK access
> 1 instances of WEB-CGI wwwboard passwd access
> 1 instances of WEB-MISC ws_ftp.ini access
> 1 instances of WEB-MISC cart 32 AdminPwd access
> 1 instances of WEB-COLDFUSION fileexists.cfm access
> 1 instances of WEB-IIS adctest.asp access
> 1 instances of WEB-COLDFUSION evaluate.cfm access
> 1 instances of WEB-IIS CGImail.exe access
> 1 instances of WEB-COLDFUSION snippets attempt
> 1 instances of WEB-COLDFUSION addcontent.cfm access
> 1 instances of WEB-COLDFUSION cfcache.map access
> 2 instances of WEB-MISC counter.exe access
> 2 instances of WEB-COLDFUSION exampleapp application.cfm
> 2 instances of WEB-IIS .asp access
> 2 instances of WEB-FRONTPAGE users.pwd access
> 2 instances of WEB-FRONTPAGE registrations.txt access
> 2 instances of WEB-FRONTPAGE dvwssr.dll access
> 2 instances of WEB-FRONTPAGE fpadmcgi.exe access
> 2 instances of WEB-COLDFUSION cfappman access
> 2 instances of WEB-IIS achg.htr access
> 2 instances of WEB-FRONTPAGE _vti_rpc access
> 2 instances of WEB-FRONTPAGE fpcount.exe access
> 2 instances of WEB-IIS codebrowser Exair access
> 2 instances of WEB-MISC shopping cart access
> 2 instances of WEB-MISC ICQ webserver DOS
> 2 instances of WEB-IIS query.asp access
> 2 instances of SMTP expn root
> 2 instances of WEB-COLDFUSION application.cfm access
> 2 instances of WEB-IIS _vti_inf access
> 2 instances of WEB-IIS admin-default access
> 3 instances of WEB-IIS *.idc attempt
> 3 instances of WEB-CGI MachineInfo access
> 3 instances of RPC portmap listing
> 3 instances of WEB-IIS global-asa access
> 3 instances of WEB-COLDFUSION expeval access
> 3 instances of WEB-IIS asp-dot attempt
> 3 instances of WEB-IIS codebrowser access
> 3 instances of WEB-MISC Ecommerce checks.txt access
> 3 instances of WEB-CGI webgais access
> 3 instances of SCAN Synscan Portscan ID 19104
> 3 instances of WEB-IIS newdsn.exe access
> 3 instances of WEB-CGI websendmail access
> 3 instances of WEB-IIS jet vba access
> 4 instances of WEB-CGI post-query access
> 4 instances of WEB-CGI dumpenv.pl access
> 4 instances of WEB-CGI AT-admin.cgi access
> 4 instances of WEB-CGI whoisraw access
> 5 instances of WEB-MISC get32.exe access
> 5 instances of WEB-MISC .htpasswd access
> 5 instances of WEB-CGI classifieds.cgi access
> 5 instances of WEB-CGI sendform.cgi access
> 5 instances of WEB-CGI w3-msql access
> 5 instances of WEB-CGI files.pl access
> 5 instances of WEB-CGI AnyForm2 access
> 5 instances of WEB-CGI rksh access
> 5 instances of WEB-IIS admin access
> 6 instances of WEB-CGI bash access
> 6 instances of WEB-CGI glimpse access
> 6 instances of WEB-CGI maillist.pl access
> 6 instances of WEB-CGI w2tvars.pm access
> 6 instances of WEB-CGI wguest.exe access
> 6 instances of WEB-MISC shopping cart directory traversal
> 6 instances of WEB-CGI wais.p access
> 6 instances of WEB-MISC /cgi-bin/jj attempt
> 6 instances of WEB-CGI filemail access
> 6 instances of WEB-CGI edit.pl access
> 6 instances of WEB-CGI man.sh access
> 7 instances of WEB-CGI pfdisplay.cgi access
> 7 instances of WEB-MISC Ecommerce import.txt access
> 7 instances of WEB-CGI www-sql access
> 7 instances of WEB-IIS 5 .printer isapi
> 7 instances of WEB-CGI archie access
> 7 instances of WEB-MISC ~root
> 7 instances of WEB-CGI day5datacopier.cgi access
> 7 instances of WEB-MISC wwwboard.pl access
> 7 instances of WEB-CGI environ.cgi access
> 7 instances of WEB-CGI day5datanotifier.cgi access
> 8 instances of WEB-CGI survey.cgi access
> 8 instances of WEB-CGI redirect access
> 8 instances of WEB-CGI calendar access
> 8 instances of WEB-CGI perlshop.cgi access
> 8 instances of WEB-CGI rsh access
> 8 instances of WEB-MISC handler access
> 8 instances of WEB-CGI rwwwshell.pl access
> 8 instances of WEB-MISC guestbook.cgi access
> 8 instances of WEB-CGI testcounter.pl access
> 9 instances of WEB-MISC Domino log.nsf access
> 9 instances of WEB-CGI info2www access
> 9 instances of WEB-CGI upload.pl access
> 9 instances of WEB-MISC order.log access
> 9 instances of WEB-CGI ksh access
> 9 instances of WEB-IIS iisadmpwd attempt
> 10 instances of WEB-MISC mall log order access
> 10 instances of WEB-MISC Domino names.nsf access
> 10 instances of WEB-CGI bnbform.cgi access
> 11 instances of WEB-CGI campas access
> 11 instances of WEB-MISC /etc/passwd
> 11 instances of WEB-MISC netscape admin passwd
> 11 instances of WEB-CGI bb-hist.sh access
> 12 instances of WEB-CGI htmlscript access
> 12 instances of WEB-CGI faxsurvey access
> 13 instances of WEB-MISC piranha passwd.php3 access
> 13 instances of WEB-CGI NPH-publish access
> 13 instances of WEB-CGI csh access
> 13 instances of WEB-MISC nph-test-cgi access
> 13 instances of WEB-CGI wwwadmin.pl access
> 14 instances of WEB-MISC .htaccess access
> 14 instances of WEB-MISC webdist.cgi access
> 14 instances of WEB-MISC architext_query.pl access
> 14 instances of WEB-CGI flexform access
> 16 instances of WEB-CGI LWGate access
> 16 instances of WEB-MISC bigconf.cgi access
> 17 instances of WEB-MISC Attempt to execute cmd
> 17 instances of WEB-CGI tsch access
> 19 instances of WEB-MISC Domino domlog.nsf access
> 19 instances of WEB-MISC wrap access
> 19 instances of WEB-MISC Domino domcfg.nsf access
> 20 instances of WEB-CGI finger access
> 21 instances of WEB-CGI aglimpse access
> 27 instances of WEB-CGI formmail access
> 28 instances of WEB-FRONTPAGE fourdots request
> 29 instances of WEB-CGI test-cgi access
> 35 instances of WEB-CGI phf access
> 54 instances of CUSTOM Port 515 traffic
> 77 instances of FTP passwd attempt
> 159 instances of WEB-MISC http directory traversal
> 2369 instances of SCAN Proxy attempt
>
> There are 937 distinct destination IPs - we've taken steps on our end to
> block this traffic. I wanted to give everyone a heads up in case you're
> next, and to see if anyone else is seeing similar traffic.
>
> Cheers,
> -Doug
> --
> Douglas P. Brown
> University of North Carolina
> Manager of Security Resources
> 105 Abernethy Hall
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
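An added example (not from either poster) that parses the quoted "N instances of <signature>" IDS summary and applies K.Tommy's observation: a canned web vulnerability scanner trips many distinct signatures only a few times each. The sample lines are a constructed subset of the post's entries, and the scanner thresholds (min_signatures, max_median) are assumed values to tune per site.

```python
import re
from collections import Counter

# Constructed sample in the same "N instances of <signature>" shape as the
# quoted IDS summary (a handful of the post's entries, not the full list).
SAMPLE_SUMMARY = """\
> 1 instances of WEB-IIS JET VBA access
> 1 instances of WEB-COLDFUSION administrator access
> 2 instances of WEB-FRONTPAGE users.pwd access
> 3 instances of RPC portmap listing
> 5 instances of WEB-CGI rksh access
> 35 instances of WEB-CGI phf access
> 77 instances of FTP passwd attempt
> 159 instances of WEB-MISC http directory traversal
> 2369 instances of SCAN Proxy attempt
"""

LINE_RE = re.compile(r"^(\d+)\s+instances?\s+of\s+(.+?)\s*$")

def parse_summary(text):
    """Return {signature: hit count}; mail quoting ('> ') is stripped first."""
    counts = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line.lstrip("> "))
        if m:
            counts[m.group(2)] += int(m.group(1))
    return dict(counts)

def family_totals(counts):
    """Sum hits per signature family: the leading token (WEB-CGI, WEB-IIS, SCAN...)."""
    totals = Counter()
    for sig, n in counts.items():
        totals[sig.split(" ", 1)[0]] += n
    return dict(totals)

def looks_like_vuln_scanner(counts, min_signatures=20, max_median=5):
    """Heuristic (assumed thresholds): a canned web vulnerability scanner trips many
    distinct WEB-* signatures, most only a few times each (breadth, not depth),
    unlike a targeted attack that hammers one or two checks."""
    web_hits = sorted(n for sig, n in counts.items() if sig.startswith("WEB-"))
    if len(web_hits) < min_signatures:
        return False
    return web_hits[len(web_hits) // 2] <= max_median

if __name__ == "__main__":
    parsed = parse_summary(SAMPLE_SUMMARY)
    print(family_totals(parsed), looks_like_vuln_scanner(parsed))
```

Feed it the full quoted list (148 signatures, almost all WEB-* with single-digit counts) and the heuristic fires, which is the pattern the reply attributes to tools like CIS webscan.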
This archive was generated by hypermail 2b30 : Sun Mar 03 2002 - 23:48:48 PST