Hello list,

Today I got a series of alerts logged on my IDS regarding multiple known web server/application vulnerabilities. In a normal situation, I would find that "normal", since it happens on a regular basis. The strange thing about this scan, with fixed source I.P., was that, by analyzing packet payload, I noticed that the User-Agent host header contained different (very different) values for each request. And I do mean a different user-agent for each one.

The first thing that came to mind was that it might just be a gateway or some kind of proxy forwarding the requests. But I would find that rather difficult, mainly because of two facts:

A - Source port always increments by one.
B - All requests (96) were made in an interval window of 7 seconds.

My question is simple and related only to curiosity. Does anyone here know of a tool that acts like this?

For the curious, the user-agents sent were all variations of:

Mozilla/3.01
Mozilla/4.0
Mozilla/4.6
Mozilla/4.7
Mozilla/4.72
Mozilla/4.73

Thanks in advance,
Joao Gouveia

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Jun 19 2002 - 21:45:46 PDT
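
The traits described in the post (one source IP, a different User-Agent on almost every request, source ports rising by one, many requests inside a 7-second window) can be checked for in request logs. The following is an added example, not part of the original post or any tool it mentions; the function names, thresholds and sample records are constructed assumptions.

```python
from collections import defaultdict

def densest_burst(events, window):
    """Largest run of time-sorted events that fits inside `window` seconds."""
    best, lo = [], 0
    for hi in range(len(events)):
        while events[hi][0] - events[lo][0] > window:
            lo += 1
        if hi - lo + 1 > len(best):
            best = events[lo:hi + 1]
    return best

def flag_rotating_agents(records, window=7.0, min_requests=5,
                         min_ua_ratio=0.9, min_seq_ratio=0.9):
    """Flag sources whose densest burst rotates User-Agents while the
    source port climbs by one per request (one host, not a shared proxy).
    Thresholds are assumptions; port wraparound is not handled."""
    by_src = defaultdict(list)
    for ts, ip, port, ua in records:
        by_src[ip].append((ts, port, ua))
    flagged = {}
    for ip, events in by_src.items():
        burst = densest_burst(sorted(events), window)
        if len(burst) < min_requests:
            continue
        ua_ratio = len({ua for _, _, ua in burst}) / len(burst)
        ports = [p for _, p, _ in burst]
        steps = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
        seq_ratio = steps / max(len(ports) - 1, 1)
        if ua_ratio >= min_ua_ratio and seq_ratio >= min_seq_ratio:
            flagged[ip] = {"requests": len(burst),
                           "ua_ratio": ua_ratio, "seq_ratio": seq_ratio}
    return flagged

# Constructed records (timestamp, src_ip, src_port, user_agent); the
# addresses are documentation ranges, nothing here is taken from the post.
SCAN = [(100.0 + i * 0.07, "192.0.2.10", 40000 + i,
         f"Mozilla/4.{i} (constructed {i})") for i in range(8)]
PROXY = [(100.0 + i, "198.51.100.7", port,
          f"Mozilla/4.0 (constructed client {i % 3})")
         for i, port in enumerate([51012, 33870, 60211, 1045, 42001, 58000])]
BROWSER = [(100.0 + i * 0.2, "203.0.113.5", 35000 + i,
            "Mozilla/4.7 (constructed)") for i in range(6)]
SAMPLE = SCAN + PROXY + BROWSER

if __name__ == "__main__":
    for ip, stats in flag_rotating_agents(SAMPLE).items():
        print(ip, stats)
```

Only the first constructed source is flagged: the proxy-like source repeats agents and its ports do not step by one, and the single browser keeps one agent throughout.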