RE: Increased IIS scans mainly on 66.0.0.0/8 - Update

From: Richard Gilman (Richard.Gilmanat_private)
Date: Mon Aug 19 2002 - 08:19:12 PDT


    I did a query of the WEB-IIS cmd.exe access alerts for 8/15 on our
    66.0.0.0/8 network and I see 31 sources each send in multiples of 13
    attempts. Of the 31 hosts, 3 sources were not from 66/8. One of those
    was from wanadoo.fr with 130 hits. The hits can come as fast as 2 per
    second, so I assume that it has to be scripted. This is only an
    annoyance and does not do anything more than make noise in my logs, but
    I think it is some sort of worm because of the fact they all send in
    multiples of 13 and it seems that the odds of having 31 script kiddies
    running the same script against our site in the same day is fairly low
    and over a month we have 448 different sources doing the same thing.
    Just an observation if you are interested.
    
     
    
    Rich
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
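
The per-source tally described in the message above, as an added example that is not part of the original post: it counts "WEB-IIS cmd.exe access" alerts per source, records the peak hits in any one second, and flags sources whose total is an exact multiple of 13. It assumes Snort "fast" alert lines; the sample alerts, the documentation-range addresses, and the function names are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed layout: Snort "fast" alert line (timestamp, [**], [gid:sid:rev], message, ..., src -> dst)
ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[[\d:]+\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\].*?\}\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->"
)

def summarize(lines, signature="WEB-IIS cmd.exe access", burst=13):
    """Per source: total hits, peak hits within one second, and whether
    the total is an exact multiple of the suspected burst size."""
    hits = Counter()
    per_second = defaultdict(Counter)
    for line in lines:
        m = ALERT.match(line)
        if not m or m["msg"] != signature:
            continue  # unparseable line or a different rule
        hits[m["src"]] += 1
        per_second[m["src"]][m["ts"]] += 1
    return {
        src: {"hits": n,
              "peak_per_sec": max(per_second[src].values()),
              "burst_multiple": n % burst == 0}
        for src, n in hits.items()
    }

def burst_share(summary):
    """Fraction of sources whose hit count is a multiple of the burst size.
    A high share across many unrelated sources points at one automated tool."""
    if not summary:
        return 0.0
    return sum(s["burst_multiple"] for s in summary.values()) / len(summary)

def make_alert(sec, src, msg="WEB-IIS cmd.exe access"):
    # Constructed sample line; addresses are RFC 5737 documentation ranges.
    return (f"08/15-10:{sec // 60:02d}:{sec % 60:02d}.000000  [**] [1:1002:5] {msg} [**] "
            f"[Priority: 1] {{TCP}} {src}:1025 -> 192.0.2.80:80")

SAMPLE = (
    [make_alert(i // 2, "198.51.100.7") for i in range(26)]       # 2 x 13 hits, 2 per second
    + [make_alert(100 + i, "198.51.100.9") for i in range(13)]    # 13 hits, 1 per second
    + [make_alert(200 + 7 * i, "203.0.113.5") for i in range(5)]  # 5 hits, not a multiple
    + [make_alert(300, "203.0.113.5", "constructed other rule")]  # ignored by the filter
)

if __name__ == "__main__":
    report = summarize(SAMPLE)
    for src, row in sorted(report.items()):
        print(src, row)
    print("share of sources at a multiple of 13:", round(burst_share(report), 2))
```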
    


