I'm trying to identify whatever the tool is that seems to be annoying our networks. It has a number of characteristics, and seems to be mostly aimed towards vulnerable Windows machines, but I'm making no assumptions there.

Symptoms:

 o ICMP packets with payload of "hello ???"
 o IIS exploits a la Nimda style (and others)
 o FTP server testing for anonymous capabilities
 o TCP port 57 probing.

The IIS queries are along the lines of:

HEAD /PBServer/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:\
HEAD /msadc/..%c1%af../winnt/system32/cmd.exe?/c+dir+c:\
HEAD /msadc/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\

And so on.

FTP logs in as anonymous with password of "anoat_private".

I'm not really sure what the 57/tcp is about, however.

Anyone know what tool it is?

Thanks,
Scott

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
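Added example, not part of Scott's post and not code from any tool discussed on this list: a small scanner over constructed Common Log Format lines that canonicalizes request paths the way the three quoted probes require (repeated percent-decoding, since %25%35%63 only becomes a backslash after two rounds, and a lenient UTF-8 decoder that accepts the overlong five-byte %f8%80%80%80%af form that a strict decoder rejects) and flags traversal-to-cmd.exe requests. The log lines, client addresses, timestamps and status codes are made up for the example; only the three request URIs come from the post. Because an irregular sequence such as %c1%af does not compute to a path separator under the standard UTF-8 formula (it comes out as 'o'), and what the target's buggy decoder made of it is the target's problem, the scanner also matches the raw ".." + escapes + ".." shape rather than trusting its own decode alone.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample log (CLF). The three cmd.exe URIs are the ones quoted in
# the post; everything else on these lines is invented for the example.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Sep/2002:10:01:02 -0700] "HEAD /PBServer/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0" 404 -
10.0.0.5 - - [11/Sep/2002:10:01:03 -0700] "HEAD /msadc/..%c1%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0" 404 -
10.0.0.5 - - [11/Sep/2002:10:01:04 -0700] "HEAD /msadc/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0" 404 -
10.0.0.7 - - [11/Sep/2002:10:02:00 -0700] "GET /index.html HTTP/1.0" 200 1234
10.0.0.7 - - [11/Sep/2002:10:02:01 -0700] "GET /docs/a..b%2Fc.html HTTP/1.0" 200 88
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) ([^"]+)" (\d{3}) (\S+)')
TRAVERSAL_DECODED = re.compile(r'\.\.[\\/]')                 # "..\" or "../" after decoding
TRAVERSAL_ENCODED = re.compile(r'\.\.(?:%[0-9A-Fa-f]{2})+\.\.')  # ".." <escapes only> ".." in the raw URI


def lenient_utf8(data: bytes) -> str:
    """Decode UTF-8 by the bit arithmetic alone, accepting overlong sequences
    (2- to 6-byte forms) that a conforming decoder rejects. Bytes that do not
    form a sequence are passed through as their Latin-1 character."""
    out, i, n = [], 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
            continue
        length, mask = 0, 0x80            # count leading one bits of the lead byte
        while b & mask:
            length += 1
            mask >>= 1
        if length < 2 or length > 6 or i + length > n:
            out.append(chr(b))            # stray continuation byte or truncated sequence
            i += 1
            continue
        cp, ok = b & (mask - 1), True     # payload bits below the length prefix
        for j in range(1, length):
            c = data[i + j]
            if c & 0xC0 != 0x80:
                ok = False
                break
            cp = (cp << 6) | (c & 0x3F)
        if not ok:
            out.append(chr(b))
            i += 1
            continue
        out.append(chr(cp) if cp <= 0x10FFFF else '\ufffd')
        i += length
    return ''.join(out)


def normalize(uri: str, max_rounds: int = 3) -> str:
    """Strip the query string and percent-decode until the path stops changing
    (bounded, so a hostile URI cannot make this loop forever)."""
    path, prev, rounds = uri.split('?', 1)[0], None, 0
    while path != prev and rounds < max_rounds:
        prev = path
        path = lenient_utf8(unquote_to_bytes(path.encode('utf-8', 'surrogatepass')))
        rounds += 1
    return path


def classify(uri: str):
    """Return (decoded path, list of indicator names) for one request URI."""
    decoded, indicators = normalize(uri), []
    if TRAVERSAL_ENCODED.search(uri):
        indicators.append('encoded-traversal')
    if TRAVERSAL_DECODED.search(decoded):
        indicators.append('traversal')
    if 'cmd.exe' in decoded.lower():
        indicators.append('cmd.exe')
    return decoded, indicators


def scan(log_text: str):
    """Parse CLF lines and return a dict per request that raised any indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _ts, method, uri, _proto, status, _size = m.groups()
        decoded, indicators = classify(uri)
        if indicators:
            hits.append({'client': client, 'method': method, 'status': status,
                         'uri': uri, 'decoded': decoded, 'indicators': indicators})
    return hits


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit['client'], hit['method'], ','.join(hit['indicators']), hit['decoded'])
```

Running the block prints the three probe lines with their decoded paths and leaves the two benign requests alone; the `/docs/a..b%2Fc.html` line is there precisely because a naive "contains .." rule would have flagged it.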
This archive was generated by hypermail 2b30 : Wed Sep 11 2002 - 15:38:17 PDT