"Jay D. Dyson" wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Tue, 11 Jun 2002, Sweth Chandramouli wrote:
>
> > > Here's what I'm seeing -- anyone have any information on this variant?
> > > /msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:\\*.cif/s/b
> > > /a.asp/..%c1%1c../..%c1%1c../winnt/repair/sam
> > > /a.asp/..%c1%9c../..%c1%9c../winnt/repair/sam
> >
> > how many hits per IP ?

I have something similar but from only 1 IP with 2k+ alerts (across all our sites). I have just done some checking and it appears to be very consistent, with 709 connections per site (using Apache logs rather than Snort logs for the connection attempts).

The same IP was also looking for a file called "galaxy_25684.26030", but I don't see requests for *.cif at all. The number in the file name appears to increment as well (both numbers). I have also seen requests (from the same IP) for

/adsamples/check.bat/..À¯..À¯..À¯winnt/system32/cmd.exe

Curious: looking in the denied packet logs, I also see loads of denied connection attempts from this IP at the same time to port 80 on our whole range (i.e. scanning for web servers), as well as 2 NetBIOS requests 7 hrs later....

Q

--
#####################
Quentyn Taylor
Sysadmin - Fotango
#####################

and you're going to burn in hell. The other is that sex is the most awful, filthy thing on earth. And you should save it for someone you love.
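
The hits-per-IP question in this thread can be answered directly from Apache access logs. The following is an added example, not part of the original message: it flags the double-encoded (`%255c`) and overlong-UTF-8 (`%c1%1c`, `%c1%9c`, raw `À¯`) request forms quoted above and tallies them per source address. The log lines, the documentation-range IPs and the function names `classify` and `hits_per_ip` are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_to_bytes

# Constructed sample in Apache common log format; IPs are documentation ranges.
SAMPLE_LOG = '''
192.0.2.10 - - [11/Jun/2002:10:00:01 -0700] "GET /msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:\\*.cif/s/b HTTP/1.0" 404 280
192.0.2.10 - - [11/Jun/2002:10:00:02 -0700] "GET /a.asp/..%c1%1c../..%c1%1c../winnt/repair/sam HTTP/1.0" 404 280
192.0.2.10 - - [11/Jun/2002:10:00:03 -0700] "GET /a.asp/..%c1%9c../..%c1%9c../winnt/repair/sam HTTP/1.0" 404 280
203.0.113.5 - - [11/Jun/2002:10:00:04 -0700] "GET /adsamples/check.bat/..\xc0\xaf..\xc0\xaf..\xc0\xafwinnt/system32/cmd.exe HTTP/1.0" 404 280
198.51.100.7 - - [11/Jun/2002:10:00:05 -0700] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [11/Jun/2002:10:00:06 -0700] "GET /docs/100%25-guide.html HTTP/1.0" 200 512
'''

# client ident user [time] "METHOD path PROTO" status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3}')
RESIDUAL_ESCAPE = re.compile(rb'%[0-9a-fA-F]{2}')


def classify(path):
    """Return the set of encoding anomalies seen in one request path."""
    # Work on bytes: latin-1 keeps raw high bytes (a logged 0xC0 0xAF) intact.
    decoded = unquote_to_bytes(path.encode('latin-1', errors='replace'))
    reasons = set()
    # An escape that survives one decode pass means double encoding (%255c -> %5c).
    if RESIDUAL_ESCAPE.search(decoded):
        reasons.add('double-encoded')
    # 0xC0 and 0xC1 never occur in well-formed UTF-8; they only start overlong forms.
    if b'\xc0' in decoded or b'\xc1' in decoded:
        reasons.add('overlong-utf8')
    return reasons


def hits_per_ip(log_text):
    """Count anomalous requests per source IP, broken down by anomaly type."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or malformed line
        ip, path = m.groups()
        for reason in classify(path):
            counts[ip][reason] += 1
    return {ip: dict(c) for ip, c in counts.items()}
```

A legitimately encoded percent sign such as `100%25-guide` is not flagged, because nothing that looks like a second escape remains after one decode pass.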
This archive was generated by hypermail 2b30 : Thu Jun 13 2002 - 11:17:23 PDT