Hi,

quentynat_private wrote:
> "Jay D. Dyson" wrote:
>> On Tue, 11 Jun 2002, Sweth Chandramouli wrote:
>>>> Here's what I'm seeing -- anyone have any information on this variant?
>>>> /msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:\\*.cif/s/b
>>>> /a.asp/..%c1%1c../..%c1%1c../winnt/repair/sam
>>>> /a.asp/..%c1%9c../..%c1%9c../winnt/repair/sam
> how many hits per IP ? I have something similar but from only 1 IP with
> 2k + alerts (across all our sites) - I have just done some checking and
> it appears to be very consistent with 709 connections per site ( using
> apache logs rather than snort logs for the connection attempts).

The attacker seems to add more tests then, on Apr 11 one dialup address ran 504 requests each against five webservers in my network. The requests came in to all five servers at about the same time, the "galaxy_XXXXX.YYYYY" file was always requested first and the numbers behind galaxy were all different (galaxy_15784.16130, galaxy_16148.16494, galaxy_16240.16586, galaxy_15272.15618, galaxy_14748.15094). No requests for *.cif were seen in this case, and no requests for repair/sam either.

Wolfgang

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private
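
An added example, not written by anyone in the thread: one way to answer the "how many hits per IP" question from Apache access logs. It counts requests and traversal-encoded probes per client and per site, and records the first path each client requested. Common Log Format is assumed; the site names, IP addresses and log lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Traversal encodings quoted in the thread: double-encoded "\" (%255c) and
# the %c1%1c / %c1%9c byte sequences.
PROBE = re.compile(r"\.\.(?:%255c|%c1%1c|%c1%9c)", re.IGNORECASE)
# Common Log Format: host ident user [time] "METHOD path PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3}')

def summarize(logs):
    """logs maps a site name to its access-log lines. Returns, per client IP,
    request totals, probe counts and the first path requested on each site."""
    out = defaultdict(lambda: {"total": Counter(), "probes": Counter(), "first": {}})
    for site, lines in logs.items():
        for line in lines:
            m = CLF.match(line)
            if not m:
                continue  # not a CLF line, ignore it
            ip, path = m.groups()
            rec = out[ip]
            rec["total"][site] += 1
            rec["first"].setdefault(site, path)  # keeps only the earliest path
            if PROBE.search(path):
                rec["probes"][site] += 1
    return out

def multi_site_scanners(summary, min_sites=2):
    """Client IPs that sent traversal probes to at least min_sites sites."""
    return sorted(ip for ip, r in summary.items() if len(r["probes"]) >= min_sites)

# Constructed sample lines (documentation IPs, hypothetical site names).
T = "[11/Apr/2002:03:14:0%d +0200]"
SAMPLE = {
    "www1": [
        '192.0.2.10 - - ' + T % 1 + ' "GET /galaxy_15784.16130 HTTP/1.0" 404 -',
        '192.0.2.10 - - ' + T % 2 + ' "GET /msadc/..%255c../..%255c../..%255c../'
        'winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
        '198.51.100.7 - - ' + T % 3 + ' "GET /index.html HTTP/1.0" 200 512',
    ],
    "www2": [
        '192.0.2.10 - - ' + T % 1 + ' "GET /galaxy_16148.16494 HTTP/1.0" 404 -',
        '192.0.2.10 - - ' + T % 2 + ' "GET /a.asp/..%c1%9c../..%c1%9c../'
        'winnt/repair/sam HTTP/1.0" 404 -',
    ],
}

if __name__ == "__main__":
    summary = summarize(SAMPLE)
    for ip in multi_site_scanners(summary):
        print(ip, dict(summary[ip]["probes"]), summary[ip]["first"])
```

A client whose request totals are nearly identical on every site, as with the 504 and 709 per-site counts reported above, shows up in the `total` counters of the returned summary.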
This archive was generated by hypermail 2b30 : Fri Jun 14 2002 - 11:26:22 PDT