Today near the end of the day my inbox was suddenly flooded with messages from my log monitoring tool that monitors my error_log on the webserver. At first I thought a new developer we set up today really goofed, but the IP address was wrong, as were the URIs they were trying to hit. After going through a bunch I started seeing a pattern. All in all, I received almost 1500 hits in two minutes. I don't know the full extent of the script, as once I discovered it I put in a filter at the firewall to block his IP completely. But that's how many he got in.

The script appears to look for all the various application environments within the webserver directories (perl/php/frontpage/etc) as well as the popular applications written with them (phpnuke, forums, CMS, etc). It also looks for a bunch of scripts I recognize as backdoor type scripts I've read of in the past for getting information out, as well as trying to pull things like the passwd file and win.ini and so on using relative paths. It also tried the obvious buffer overflow attempts that IIS has fallen prey to, and checked for default.ida and similar items.

When I dumped him I noticed he had already been blocked from a couple other nets it protects for portscans. Perhaps this isn't a new script, but I've never seen anything like it on any of the other machines I administer.
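The pattern described above (a burst of requests from one client probing for traversal strings, passwd, win.ini, default.ida and assorted web applications) can be picked out of an Apache-style error_log automatically. The following is an added example, not code from the poster or from any monitoring tool mentioned in the thread: it parses constructed error_log lines, counts events per client in a sliding window, and reports clients that either exceed a burst threshold or request paths containing the indicators the post names. The log lines, the 120-second window, the threshold of 5 and the indicator list are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache 1.3-style error_log format (not taken from the post).
SAMPLE_LOG = """\
[Thu May 15 21:55:01 2003] [error] [client 192.0.2.10] File does not exist: /var/www/html/default.ida
[Thu May 15 21:55:01 2003] [error] [client 192.0.2.10] File does not exist: /var/www/html/scripts/../../../../etc/passwd
[Thu May 15 21:55:02 2003] [error] [client 192.0.2.10] File does not exist: /var/www/html/phpnuke/admin.php
[Thu May 15 21:55:02 2003] [error] [client 192.0.2.10] File does not exist: /var/www/html/_vti_bin/shtml.exe
[Thu May 15 21:55:03 2003] [error] [client 192.0.2.10] File does not exist: /var/www/html/../../winnt/win.ini
[Thu May 15 21:55:03 2003] [error] [client 192.0.2.10] File does not exist: /var/www/html/forum/index.php
[Thu May 15 21:57:30 2003] [error] [client 198.51.100.7] File does not exist: /var/www/html/favicon.ico
[Thu May 15 21:58:00 2003] [error] [client 198.51.100.7] File does not exist: /var/www/html/robots.txt
"""

# One error_log line: "[timestamp] [error] [client ip] message"
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$')
TS_FMT = "%a %b %d %H:%M:%S %Y"

# Path fragments the post describes being probed (assumed list); matched case-insensitively.
SUSPICIOUS = ("..", "passwd", "win.ini", "default.ida", "cmd.exe", "_vti_bin")


def parse_line(line):
    """Return (timestamp, client_ip, message) or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("ip"), m.group("msg")


def analyze(log_text, window_seconds=120, burst_threshold=5):
    """Group events by client and flag bursts or requests carrying known probe strings."""
    events = defaultdict(list)  # client ip -> [(timestamp, message), ...]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, ip, msg = parsed
            events[ip].append((ts, msg))

    findings = {}
    for ip, evs in events.items():
        evs.sort()
        # Sliding window: largest number of events from this client inside any window.
        max_burst, j = 0, 0
        for i in range(len(evs)):
            while (evs[i][0] - evs[j][0]).total_seconds() > window_seconds:
                j += 1
            max_burst = max(max_burst, i - j + 1)
        # Which indicator fragments appeared in this client's requested paths.
        indicators = sorted({frag for _, msg in evs for frag in SUSPICIOUS if frag in msg.lower()})
        if max_burst >= burst_threshold or indicators:
            findings[ip] = {"events": len(evs), "max_burst": max_burst, "indicators": indicators}
    return findings


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {info['events']} errors, burst={info['max_burst']}, indicators={info['indicators']}")
```

Run against a real error_log, the burst threshold should be tuned to the site's normal 404 rate, and the indicator list extended with whatever the local scanner traffic actually requests; the output is a triage list of clients worth blocking or investigating, not a verdict on its own.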
This archive was generated by hypermail 2b30 : Thu May 15 2003 - 22:10:00 PDT