On Thu, 2002-11-21 at 04:29, Jeremy wrote:
> Hello all,
>
> My snort box picked this up yesterday from two
> different source ip's and I was wondering if anyone
> had seen this pattern before. Both times snort logged
> 718 alerts consisting of the following:
>
> 1 instances of WEB-IIS multiple decode attempt
> 1 instances of FTP invalid MODE
> 1 instances of WEB-MISC http directory traversal
> 2 instances of WEB-IIS scripts access
> 2 instances of (spp_portscan2) Portscan detected
> 3 instances of WEB-IIS Unicode2.pl script (File
> permission canonicalization)
> 6 instances of POLICY FTP anonymous login attempt
> 17 instances of WEB-IIS CodeRed v2 root.exe access
> 685 instances of WEB-IIS cmd.exe access

I've been seeing many variations on this scheme (but not this exact one)
over the last month or so. Most that I have investigated by looking at the
argus logs are clearly FxScanner (probe to tcp 57 - gives it away). This
tool is really a delivery vehicle for whatever exploits you want to code
into it. I.e. it is easily extended and there are now many variants
floating around. Our record so far is 40,000 IIS exploits in an hour from
one host delivered to web servers on campus. I can't remember if it checks
to make sure it is IIS first or not.

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
"It aint necessarily so" - Gershwin

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
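As an added example (not part of the thread), a short Python script that turns Snort fast-format alert lines into the per-source "N instances of ..." breakdown Jeremy posted, plus the figure Russell is effectively using to spot FxScanner-style delivery runs: WEB-IIS alerts per minute from a single source. The sample lines, SIDs, IPs and the mass-scan threshold are constructed here, not taken from the thread.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Snort "fast" alert line, e.g.
# 11/20-13:00:00.000000  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: ...] [Priority: 1] {TCP} 10.0.0.5:3421 -> 192.0.2.10:80
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[[\d:]+\]\s+(?P<msg>.+?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+[\d.]+:(?P<dport>\d+)$"
)

def parse_alerts(lines):
    """Yield (timestamp, source IP, message, protocol, dst port) for each parseable line."""
    for line in lines:
        m = FAST_RE.match(line.strip())
        if m:  # the fast format carries no year; 2002 is assumed for the sample
            ts = datetime.strptime(f"2002/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
            yield ts, m["src"], m["msg"], m["proto"], int(m["dport"])

def summarise(lines, iis_threshold=100):
    """Per source IP: 'N instances of <msg>' breakdown, WEB-IIS alert rate, ports touched,
    and mass_scan=True once one host's WEB-IIS alerts reach iis_threshold (assumed value)."""
    by_src = defaultdict(lambda: {"msgs": Counter(), "ports": set(), "times": []})
    for ts, src, msg, proto, dport in parse_alerts(lines):
        by_src[src]["msgs"][msg] += 1
        by_src[src]["ports"].add((proto, dport))
        by_src[src]["times"].append(ts)
    report = {}
    for src, rec in by_src.items():
        span = (max(rec["times"]) - min(rec["times"])).total_seconds() or 1.0
        iis = sum(n for m, n in rec["msgs"].items() if m.startswith("WEB-IIS"))
        report[src] = {
            "total": sum(rec["msgs"].values()),
            "iis_alerts": iis,
            "iis_per_minute": round(iis * 60 / span, 1),
            "ports": sorted(rec["ports"]),
            "mass_scan": iis >= iis_threshold,
            "breakdown": [f"{n} instances of {m}" for m, n in sorted(rec["msgs"].items(), key=lambda kv: kv[1])],
        }
    return report

# Constructed sample: one host firing 122 WEB-IIS alerts in two minutes, another with a single alert.
def _fast_line(when, sid, msg, src, dport):
    return (f"{when:%m/%d-%H:%M:%S}.000000  [**] [1:{sid}:5] {msg} [**] "
            f"[Classification: Web Application Attack] [Priority: 1] {{TCP}} {src}:3421 -> 192.0.2.10:{dport}")

T0 = datetime(2002, 11, 20, 13, 0, 0)
SAMPLE = [_fast_line(T0 + timedelta(seconds=i), 1002, "WEB-IIS cmd.exe access", "10.0.0.5", 80) for i in range(120)]
SAMPLE += [_fast_line(T0 + timedelta(seconds=i), 1256, "WEB-IIS CodeRed v2 root.exe access", "10.0.0.5", 80) for i in range(2)]
SAMPLE += [_fast_line(T0 + timedelta(minutes=5), 1113, "WEB-MISC http directory traversal", "10.0.0.9", 80)]
```

Call `summarise(SAMPLE)` (or feed it the lines of a real alert file) and print each source's `breakdown`; the `ports` set is what lets an analyst see an odd extra port, such as the tcp/57 probe Russell mentions, next to the IIS noise.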
This archive was generated by hypermail 2b30 : Sun Nov 24 2002 - 14:13:19 PST