Re: Scan from Philippine Center on Transnational Crime

From: ATD (simonat_private)
Date: Mon Jun 23 2003 - 21:11:24 PDT


    Hi, 
       Actually ANVIL picked that up as well from the same 210 range. We
    have 9 class C's here, all 9 were scanned. Thus far our total scan count
    from that "area" is over 1500. We actually have a black list on our web
    page if anyone is interested, with the reasons for the black listing.
    (http://www.secnetops.com look on the bottom of the page).
    
       Something else that we've noticed too is a massive amount of scans
    from uunet in CA, a total of approx 1300 scans, also recently
    blacklisted. 
    
    
    On Sun, 2003-06-22 at 14:33, Joe Blatz wrote:
    > Normally I just skip over scans like this, but the
    > source has aroused my curiosity.
    > 
    > From 0352 - 0441 (PDT) on 6/22/03 all externally
    > addressable web servers on our class B were scanned by
    > 210.23.116.11. According to APNIC this address is
    > registered to the Philippine Center on Transnational
    > Crime. The scan was for the Escaped Characters
    > Decoding vulnerability in IIS
    > (http://www.securityfocus.com/bid/2708/discussion/).
    > 
    > It only checked
    > http://TARGET/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
    > and did not send any other packets that triggered the
    > IDS.
    > 
    > Has anyone else seen anything from the 210.23.116.8 -
    > 210.23.116.15 range?
    -- 
    
    Sincerely, 
            Adriel T. Desautels
            Secure Network Operations, Inc.
            http://www.secnetops.com
            DID: 978-263-3829 CELL: 978-790-6901
    
    	ANVIL : http://www.secnetops.com/products
    
    ______________________________________________________________
    SECNETOPS "Embracing the future of technology, protecting you"  
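
The request quoted in this message only turns into a `..\` traversal after two rounds of percent-decoding, so a match on the raw request line misses it. The following is an added example, not part of the original message: it decodes each request target repeatedly, labels traversal that appears only after a second decode, and counts hits per source /24. The log format, function names and sample lines (documentation address ranges) are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (documentation ranges, not data from the post).
SAMPLE_LOG = [
    r'198.51.100.11 - - [22/Jun/2003:03:52:01 -0700] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 -',
    r'198.51.100.12 - - [22/Jun/2003:03:52:09 -0700] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 -',
    r'203.0.113.40 - - [22/Jun/2003:04:10:30 -0700] "GET /scripts/..%5cwinnt/system32/cmd.exe HTTP/1.0" 404 -',
    r'203.0.113.77 - - [22/Jun/2003:04:12:02 -0700] "GET /docs/100%25-coverage.html HTTP/1.0" 200 512',
]

TRAVERSAL = re.compile(r"\.\.[\\/]")                      # ../ or ..\
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|HEAD|POST) (\S+)')  # source IP, request target

def decode_passes(target, limit=4):
    """Successive percent-decodings of target: [raw, decoded once, decoded twice, ...]."""
    passes = [target]
    while len(passes) <= limit:
        nxt = unquote(passes[-1])
        if nxt == passes[-1]:      # stable: nothing left to decode
            break
        passes.append(nxt)
    return passes

def classify(target):
    """Label a target by how many decodes it takes for traversal to appear, else None."""
    for n, form in enumerate(decode_passes(target)):
        if TRAVERSAL.search(form):
            return "double-encoded traversal" if n >= 2 else "traversal"
    return None

def summarize(lines):
    """Count flagged requests per (source /24, label)."""
    hits = Counter()
    for line in lines:
        m = REQUEST.match(line)
        label = classify(m.group(2)) if m else None
        if label:
            net = ipaddress.ip_network(m.group(1) + "/24", strict=False)
            hits[(str(net), label)] += 1
    return hits

if __name__ == "__main__":
    for (net, label), count in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{net:18} {label:26} {count}")
```
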
    
    
    



    This archive was generated by hypermail 2b30 : Tue Jun 24 2003 - 20:35:38 PDT