I've been seeing some instances in my apache logs from two IP addresses 63.x.x.219 and 63.x.x.218 (some examples are pasted below). As regarding the purpose of these scans three ideas come to my mind: 1) Trying to see the error response 2) Checking supported media types on the server Error response can be seen much easier than with this type of scan, so I ruled that out. As for the media types - nothing evil comes to my mind. Any ideas on this situation people? The scans usually take for 3-4 minutes where the typical scenario is this: /htdocs/numbers.ext (where there are 12 extenstions - noted below in the logs) /htdocs/subfolder/numbers.ext (the same 12 extensions always in the same pattern) and than other directories in web server's / + cgi-bin directory in the same manner [Fri Sep 27 01:40:00 2002] [error] [client 63.x.x.219] File does not exist: /wwwserv/htdocs/16030.html [Fri Sep 27 01:40:01 2002] [error] [client 63.x.x.219] File does not exist: /wwwserv/htdocs/15714.asp [Fri Sep 27 01:40:03 2002] [error] [client 63.x.x.219] File does not exist: /wwwserv/htdocs/43195.jhtml [Fri Sep 27 01:40:04 2002] [error] [client 63.x.x.219] File does not exist: /wwwserv/htdocs/49904.jsp [Fri Sep 27 01:40:06 2002] [error] [client 63.x.x.219] File does not exist: /wwwserv/htdocs/56065.cfm [Fri Sep 27 01:40:08 2002] [error] [client 63.x.x.219] File does not exist: /wwwserv/htdocs/77470.php [Fri Sep 27 01:40:10 2002] [error] [client 63.x.x.219] File does not exist: /wwwserv/htdocs/37345.nsf [Fri Sep 27 01:40:12 2002] [error] [client 63.x.x.219] File does not exist: /wwwserv/htdocs/54197.php3 [Fri Sep 27 01:40:14 2002] [error] [client 63.x.x.219] File does not exist: /wwwserv/htdocs/7958.jrun [Fri Sep 27 01:40:17 2002] [error] [client 63.x.x.219] File does not exist: /wwwserv/htdocs/52480.cgi [Fri Sep 27 01:40:19 2002] [error] [client 63.x.x.219] File does not exist: /wwwserv/htdocs/45249.pl [Fri Sep 27 01:40:22 2002] [error] [client 63.x.x.219] File does not exist: /wwwserv/htdocs/56683.cfn [Fri Sep 27 01:40:24 2002] [error] [client 63.x.x.219] File does not exist: /wwwserv/htdocs/int/46910.html [Fri Sep 27 01:40:27 2002] [error] [client 63.x.x.219] File does not exist: /wwwserv/htdocs/int/21391.asp [Fri Sep 27 01:40:29 2002] [error] [client 63.x.x.219] File does not exist: /wwwserv/htdocs/int/6218.jhtml [Fri Sep 27 01:40:32 2002] [error] [client 63.x.x.219] File does not exist: /wwwserv/htdocs/int/95675.jsp [Fri Sep 27 01:40:34 2002] [error] [client 63.x.x.219] File does not exist: /wwwserv/htdocs/int/89236.cfm [Fri Sep 27 01:40:37 2002] [error] [client 63.x.x.219] File does not exist: /wwwserv/htdocs/int/41507.php [Fri Sep 27 01:40:40 2002] [error] [client 63.x.x.219] File does not exist: /wwwserv/htdocs/int/29585.nsf [Fri Sep 27 01:40:43 2002] [error] [client 63.x.x.219] File does not exist: /wwwserv/htdocs/int/99426.php3 [Fri Sep 27 01:40:46 2002] [error] [client 63.x.x.219] File does not exist: /wwwserv/htdocs/int/81427.jrun [Fri Sep 27 01:40:49 2002] [error] [client 63.x.x.219] File does not exist: /wwwserv/htdocs/int/79607.cgi [Fri Sep 27 01:40:52 2002] [error] [client 63.x.x.219] File does not exist: /wwwserv/htdocs/int/96265.pl [Fri Sep 27 01:40:54 2002] [error] [client 63.x.x.219] File does not exist: /wwwserv/htdocs/int/81442.cfn Thanks, = Sam = -- __________________________________________________________ Sign-up for your own FREE Personalized E-mail at Mail.com http://www.mail.com/?sr=signup ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Sep 30 2002 - 19:15:35 PDT