On Saturday, August 17, 2002, at 05:25, John Sage wrote:

> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 08/17-08:25:50.085392 172.183.59.40:3598 -> 12.82.137.167:80
> TCP TTL:110 TOS:0x0 ID:443 IpLen:20 DgmLen:96 DF
> ***AP*** Seq: 0x3F790CAD Ack: 0x2D9D50B7 Win: 0x4510 TcpLen: 20
> 47 45 54 20 2F 67 6C 6F 62 61 6C 2E 61 73 61 2B  GET /global.asa+
> 2E 68 74 72 20 48 54 54 50 2F 31 2E 31 0D 0A 48  .htr HTTP/1.1..H
> 6F 73 74 3A 20 31 32 2E 38 32 2E 31 33 37 2E 31  ost: 12.82.137.1
> 36 37 0D 0A 0D 0A 0D 0A                          67......
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> :
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 08/17-08:25:51.915771 172.183.59.40:3761 -> 12.82.137.167:80
> TCP TTL:110 TOS:0x0 ID:682 IpLen:20 DgmLen:104 DF
> ***AP*** Seq: 0x3FFAE785 Ack: 0x2DB72099 Win: 0x4510 TcpLen: 20
> 47 45 54 20 2F 67 6C 6F 62 61 6C 2E 61 73 61 5C  GET /global.asa\
> 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A   HTTP/1.1..Host:
> 20 31 32 2E 38 32 2E 31 33 37 2E 31 36 37 0D 0A   12.82.137.167..
> 54 72 61 6E 73 6C 61 74 65 3A 20 66 0D 0A 0D 0A  Translate: f....
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

They're trying several techniques to get the unparsed global.asa file. global.asa is included by the ASP engine for any .asp page and many ASP sites use that file to do things like establish databases or configure global settings. It's very common for it to contain interesting things like database hosts, usernames and passwords, which would fit if they're probing port 1433 - they're just trying a few different ways of finding and breaking into MS SQL Servers.

> And what is this? It seems to show up in some log files that are
> captioned in Chinese (?): http://sjpchome.com/jiaocheng/jiaoc245.htm
> :
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 08/17-08:25:59.476450 172.183.59.40:4191 -> 12.82.137.167:80
> TCP TTL:110 TOS:0x0 ID:1651 IpLen:20 DgmLen:88 DF
> ***AP*** Seq: 0x415BB0BD Ack: 0x2DAD448F Win: 0x4510 TcpLen: 20
> 47 45 54 20 2F 4C 69 6E 75 78 2E 69 64 61 20 48  GET /Linux.ida H
> 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 31  TTP/1.1..Host: 1
> 32 2E 38 32 2E 31 33 37 2E 31 36 37 0D 0A 0D 0A  2.82.137.167....
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

It's a guess but I bet one of the Linux ASP implementations (Chilisoft?) uses that similarly to the global.asa file.

Chris

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
https://lists.shmoo.com/mailman/listinfo/loganalysis
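Added example, not part of the original message or written by either poster: a small log-analysis helper that rebuilds the HTTP request from each Snort payload dump quoted above and tags the request styles the thread discusses (the "+.htr" suffix, the "Translate: f" header, the ".ida" request, and any path naming global.asa). The function names and tag names are assumptions made for this example.

```python
import re

# Constructed input: the three payload dumps quoted in the message above, in
# Snort's layout (up to 16 hex bytes per row, then an ASCII column).
# Raw strings, because one ASCII column ends in a backslash.
DUMPS = {
    "req1": r"""47 45 54 20 2F 67 6C 6F 62 61 6C 2E 61 73 61 2B  GET /global.asa+
2E 68 74 72 20 48 54 54 50 2F 31 2E 31 0D 0A 48  .htr HTTP/1.1..H
6F 73 74 3A 20 31 32 2E 38 32 2E 31 33 37 2E 31  ost: 12.82.137.1
36 37 0D 0A 0D 0A 0D 0A                          67......""",
    "req2": r"""47 45 54 20 2F 67 6C 6F 62 61 6C 2E 61 73 61 5C  GET /global.asa\
20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A   HTTP/1.1..Host:
20 31 32 2E 38 32 2E 31 33 37 2E 31 36 37 0D 0A   12.82.137.167..
54 72 61 6E 73 6C 61 74 65 3A 20 66 0D 0A 0D 0A  Translate: f....""",
    "req3": r"""47 45 54 20 2F 4C 69 6E 75 78 2E 69 64 61 20 48  GET /Linux.ida H
54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 31  TTP/1.1..Host: 1
32 2E 38 32 2E 31 33 37 2E 31 36 37 0D 0A 0D 0A  2.82.137.167....""",
}
HEX_ROW = re.compile(r"(?:[0-9A-Fa-f]{2} ){1,16}")  # leading hex column only

def payload(dump):
    """Rebuild the raw TCP payload from the hex column of a dump."""
    out = bytearray()
    for row in dump.splitlines():
        m = HEX_ROW.match(row.strip() + " ")
        if m:
            out += bytes.fromhex(m.group(0))
    return bytes(out)

def classify(raw):
    """Tag a request with the probe styles seen in this thread (tag names are ours)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request, *header_lines = head.split("\r\n")
    target = request.partition(" ")[2].rsplit(" ", 1)[0]
    headers = {k.strip().lower(): v.strip().lower()
               for k, _, v in (h.partition(":") for h in header_lines)}
    path = target.split("?", 1)[0].lower()
    checks = [("htr-suffix", path.endswith("+.htr")),
              ("translate-f", headers.get("translate") == "f"),
              ("ida-request", path.endswith(".ida")),
              ("targets-global.asa", "global.asa" in path)]
    return [tag for tag, hit in checks if hit]

if __name__ == "__main__":
    for name, dump in DUMPS.items():
        print(name, classify(payload(dump)))
```

The hex column is parsed rather than the ASCII column because Snort prints non-printable bytes such as CR and LF as dots, which would hide the header boundaries.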
This archive was generated by hypermail 2b30 : Sat Aug 17 2002 - 18:18:30 PDT