Paul, None of the entries seems overly malicious...actually, a couple of them are hardly original. From the except you've provided, it looks as if a scan w/ any one of a number of scanners was conducted...one that isn't overly intelligent. So...other than the scan, I don't see anything particularly malicious. If these are all "404"s, then I don't really see where the quandry is, nor do I see how an offensive would be mounted... > /cgi-bin/publisher/search.cgi?dir=jobs&template=;cat+/etc/passwd|&output > _number=10 *VERY* old attempt to cat the etc/passwd file. This used to be searchable via AltaVista...use of shadowed password files obviated it. > /perl/ 1 - Attempt at Perl... > /cgi-bin/test-cgi.bat?|ver 1 - Attempt at a CGI script. > /scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir+c: > 1 - > /cgi-bin/mrtg.cgi?cfg=/../../../../../../../../../winnt/win.ini > 1 - > /scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\\ > Attempts at dir. transversal on IIS. > My question to everyone out there is would anyone be > able to tell me if > this kind of attack has the fingerprints of any > known software/viruses > in the field or is it a deliberate attempt to gain > access to my clients site? It's a scan, nothing more. It would help if you'd been a little more clear on the response codes...but the attempts are obviously against a wide range of systems...the etc/passwd attempt, for example, *used* to work on Linux/*nix systems. The last three entries are specific to IIS. Whoever ran the scan didn't even bother to use a scanner intelligent enough to do banner grabbing in order to narrow down the os/web server of the target. Again, I don't see where the quandry lies, and I don't see any sort of "attack" in what you've posted. __________________________________________________ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Dec 08 2002 - 19:30:12 PST