Hello all,

My snort box picked this up yesterday from two different source IPs and I was wondering if anyone had seen this pattern before. Both times snort logged 718 alerts consisting of the following:

1 instances of WEB-IIS multiple decode attempt
1 instances of FTP invalid MODE
1 instances of WEB-MISC http directory traversal
2 instances of WEB-IIS scripts access
2 instances of (spp_portscan2) Portscan detected
3 instances of WEB-IIS Unicode2.pl script (File permission canonicalization)
6 instances of POLICY FTP anonymous login attempt
17 instances of WEB-IIS CodeRed v2 root.exe access
685 instances of WEB-IIS cmd.exe access

This may have been around awhile but it's the first time I've seen it, so I figured I would ask. If this is something new I do have packet captures from all the alerts.

Thanks,
Jeremy

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Nov 21 2002 - 17:18:26 PST