In-Reply-To: <OFAF55508B.5FB024D6-ON85256D14.0002DCAA-85256D14.00419468at_private>

Hello Jason,

Thanks for your help.

>Can you post (or provide a link) to the full tcpdump traces for this scan
>pattern? It might aid in the analysis.

The full tcpdump trace is quite long, about 1.7MB per attack, so I can't post it here. It would be a real pain-in-the-ass to sanitize it, so I don't really want to post or distribute it anyway. If you really, really want to take a look at it, I can sanitize it and email it to you directly.

>When you say TCP connect, I assume you mean that you saw a simple
>connection to see if the port is listening (as accomplished with '$ nmap
>-sT ...'). Or did you also see a HEAD or GET request to determine if this
>was an IIS server?

I mean a simple connection to the port, not a HEAD or GET. This attack didn't care that I was not running IIS. I also did not see a ping sweep prior to the attacks, although I only checked up to 2 hours earlier.

Thank you,
Mark Embrich
This archive was generated by hypermail 2b30 : Tue Apr 29 2003 - 16:16:15 PDT