Normally I just skip over scans like this, but the source has aroused my curiosity. From 0352 - 0441 (PDT) on 6/22/03 all externally addressable web servers on our class B were scanned by 210.23.116.11. According to APNIC this address is registered to the Philippine Center on Transnational Crime. The scan was for the Escaped Characters Decoding vulnerability in IIS (http://www.securityfocus.com/bid/2708/discussion/). It only checked http://TARGET/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\ and did not send any other packets that triggered the IDS.

Has anyone else seen anything from the 210.23.116.8 - 210.23.116.15 range?
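A defender-side check for the request pattern described in the post, as an added example that is not part of the original message: it URL-decodes each logged request path repeatedly and reports how many passes were needed before a `..\` or `../` sequence appears, which separates the double-encoded `%255c` probe from a single-encoded one. The log lines are constructed (documentation addresses) and the function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format, documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Jun/2003:03:52:11 -0700] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0" 404 310',
    '192.0.2.10 - - [22/Jun/2003:03:52:12 -0700] "GET /index.html HTTP/1.0" 200 5120',
    '198.51.100.7 - - [22/Jun/2003:04:10:02 -0700] "GET /docs/100%25-uptime.html HTTP/1.1" 200 2048',
    '198.51.100.7 - - [22/Jun/2003:04:10:09 -0700] "GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 310',
]

# Source address, method and request target from a Common Log Format line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*"')
# Parent-directory step with either slash style.
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')


def decode_rounds_until_traversal(path, max_rounds=3):
    """Number of URL-decoding passes before a traversal sequence shows up, else None."""
    current = path
    for rounds in range(max_rounds + 1):
        if TRAVERSAL_RE.search(current):
            return rounds
        decoded = unquote(current)
        if decoded == current:      # nothing left to decode
            return None
        current = decoded
    return None


def scan(lines):
    """Return (source, rounds, label) for every request whose path hides a traversal."""
    findings = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue
        source, _method, target = match.groups()
        path = target.split('?', 1)[0]   # only the path is checked, not the query
        rounds = decode_rounds_until_traversal(path)
        if rounds is None:
            continue
        label = 'double-encoded traversal' if rounds >= 2 else 'traversal'
        findings.append((source, rounds, label))
    return findings


if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A legitimately encoded percent sign (`100%25-uptime.html`) decodes once and stops without producing a traversal sequence, so it is not reported.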
This archive was generated by hypermail 2b30 : Mon Jun 23 2003 - 18:05:57 PDT