Re: [logs] First post; new http probe?

From: Chris Adams (cadamsat_private)
Date: Sat Aug 17 2002 - 18:07:45 PDT


    On Saturday, August 17, 2002, at 05:25 , John Sage wrote:
    > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
    > +
    > 08/17-08:25:50.085392 172.183.59.40:3598 -> 12.82.137.167:80
    > TCP TTL:110 TOS:0x0 ID:443 IpLen:20 DgmLen:96 DF
    > ***AP*** Seq: 0x3F790CAD  Ack: 0x2D9D50B7  Win: 0x4510  TcpLen: 20
    > 47 45 54 20 2F 67 6C 6F 62 61 6C 2E 61 73 61 2B  GET /global.asa+
    > 2E 68 74 72 20 48 54 54 50 2F 31 2E 31 0D 0A 48  .htr HTTP/1.1..H
    > 6F 73 74 3A 20 31 32 2E 38 32 2E 31 33 37 2E 31  ost: 12.82.137.1
    > 36 37 0D 0A 0D 0A 0D 0A                          67......
    > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
    > +
    > :
    > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
    > +
    > 08/17-08:25:51.915771 172.183.59.40:3761 -> 12.82.137.167:80
    > TCP TTL:110 TOS:0x0 ID:682 IpLen:20 DgmLen:104 DF
    > ***AP*** Seq: 0x3FFAE785  Ack: 0x2DB72099  Win: 0x4510  TcpLen: 20
    > 47 45 54 20 2F 67 6C 6F 62 61 6C 2E 61 73 61 5C  GET /global.asa\
    > 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A   HTTP/1.1..Host:
    > 20 31 32 2E 38 32 2E 31 33 37 2E 31 36 37 0D 0A   12.82.137.167..
    > 54 72 61 6E 73 6C 61 74 65 3A 20 66 0D 0A 0D 0A  Translate: f....
    > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
    > +
    >
    
    They're trying several techniques to get the unparsed global.asa file. 
    global.asa is included by the ASP engine for any .asp page and many ASP 
    sites use that file to do things like establish databases or configure 
    global settings. It's very common for it to contain interesting things 
    like database hosts, usernames and passwords, which would fit if they're 
    probing port 1433 - they're just trying a few different ways of finding 
    and breaking into MS SQL Servers.
    
    > And what is this? It seems to show up in some log files that are
    > captioned in Chinese (?): http://sjpchome.com/jiaocheng/jiaoc245.htm
    > :
    > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
    > +
    > 08/17-08:25:59.476450 172.183.59.40:4191 -> 12.82.137.167:80
    > TCP TTL:110 TOS:0x0 ID:1651 IpLen:20 DgmLen:88 DF
    > ***AP*** Seq: 0x415BB0BD  Ack: 0x2DAD448F  Win: 0x4510  TcpLen: 20
    > 47 45 54 20 2F 4C 69 6E 75 78 2E 69 64 61 20 48  GET /Linux.ida H
    > 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 31  TTP/1.1..Host: 1
    > 32 2E 38 32 2E 31 33 37 2E 31 36 37 0D 0A 0D 0A  2.82.137.167....
    > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
    > +
    
    It's a guess but I bet one of the Linux ASP implementations (Chilisoft?) 
    uses that similarly to the global.asa file.
    
    Chris
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    https://lists.shmoo.com/mailman/listinfo/loganalysis
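A small log-side detector for the probes quoted above, added here as an example (not part of the original post or of any Snort tooling): it decodes the hex column of a Snort payload dump back into the HTTP request and flags the global.asa source-disclosure tricks seen in the captures (the `+.htr` suffix, the trailing backslash, the `Translate: f` header) as well as the `.ida` request. The sample dumps are constructed from the quoted captures; the function names are assumptions of this example.

```python
import re
# Constructed sample: the payload lines of the three Snort dumps quoted above (hex + ASCII columns).
PROBE_DUMPS = [
    "47 45 54 20 2F 67 6C 6F 62 61 6C 2E 61 73 61 2B  GET /global.asa+\n"
    "2E 68 74 72 20 48 54 54 50 2F 31 2E 31 0D 0A 48  .htr HTTP/1.1..H\n"
    "6F 73 74 3A 20 31 32 2E 38 32 2E 31 33 37 2E 31  ost: 12.82.137.1\n"
    "36 37 0D 0A 0D 0A 0D 0A                          67......",
    "47 45 54 20 2F 67 6C 6F 62 61 6C 2E 61 73 61 5C  GET /global.asa\\\n"
    "20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A   HTTP/1.1..Host:\n"
    "20 31 32 2E 38 32 2E 31 33 37 2E 31 36 37 0D 0A   12.82.137.167..\n"
    "54 72 61 6E 73 6C 61 74 65 3A 20 66 0D 0A 0D 0A  Translate: f....",
    "47 45 54 20 2F 4C 69 6E 75 78 2E 69 64 61 20 48  GET /Linux.ida H\n"
    "54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 31  TTP/1.1..Host: 1\n"
    "32 2E 38 32 2E 31 33 37 2E 31 36 37 0D 0A 0D 0A  2.82.137.167....",
]

def decode_snort_hex(dump):
    """Rebuild payload bytes from Snort '-d' hex/ASCII lines; only the leading hex column is read."""
    out = bytearray()
    for line in dump.splitlines():
        m = re.match(r"((?:[0-9A-Fa-f]{2} ){1,16})", line.lstrip("> \t"))  # tolerate mail quoting
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)

def parse_request(payload):
    """Split a raw HTTP request into (method, path, lower-cased header dict)."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, path = (lines[0].split(" ") + ["", ""])[:2]
    headers = {k.strip().lower(): v.strip()
               for k, v in (h.split(":", 1) for h in lines[1:] if ":" in h)}
    return method, path, headers

def classify_probe(path, headers):
    """Name each source-disclosure trick present in one request; [] means nothing notable."""
    p = path.lower()
    checks = [
        ("global.asa" in p, "global.asa requested (server-side config file, not a page)"),
        (p.endswith("+.htr"), "+.htr suffix (asks the .htr handler for the raw file)"),
        (path.endswith("\\"), "trailing backslash (tries to dodge the ASP handler)"),
        (headers.get("translate", "").lower() == "f", "Translate: f header (asks for source, not output)"),
        (p.endswith((".ida", ".idq")), ".ida/.idq request (Index Server ISAPI probe)"),
    ]
    return [label for hit, label in checks if hit]

def scan_dumps(dumps):  # -> [(request line, findings), ...] per decoded probe
    reqs = [parse_request(decode_snort_hex(d)) for d in dumps]
    return [(m + " " + p, classify_probe(p, h)) for m, p, h in reqs]
```

Any request whose findings list is non-empty is worth an alert on its own; a legitimate browser never asks for global.asa, sends `Translate: f`, or ends a path in a backslash.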
    



    This archive was generated by hypermail 2b30 : Sat Aug 17 2002 - 18:18:30 PDT