New and unique IIS log entries.

From: Ken Goods (KGoods_at_AIAINSURANCE.COM)
Date: 06/12/03

    Date:         Thu, 12 Jun 2003 10:14:33 -0700
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Just a friendly heads up and am curious if anyone has experienced this or
    knows anything about it.

    During my normal morning log review a couple days ago I noticed something
    out of the ordinary. I am used to seeing anywhere from 10 to 30 unique IP
    addresses showing some form of Code Red (or Blue), Nimda, etc., and these
    I'm sure will continue. But on 6/9 I noticed some log entries that were
    unique in (1) the volume of attempts and (2) the sheer number of different
    vulnerabilities attempted. There were two unique requesting IP addresses and
    both seemed to try the same exploits in the same order. The first address
    (61.54.101.x) made 1773 attempts in 2 minutes 28 seconds for an average of
    ~12 attempts per second. The second (217.136.76.x) made 1849 attempts in 1
    minute 46 seconds averaging ~17.5 attempts per second. I have not had a
    chance to look at each and every log entry but from what I have seen, it
    looks like most are trying to exploit known vulnerabilities. However, I have
    not seen nor heard of any automated (obviously) tool that operates this way
    nor have I seen log entries similar to these before. And I have never seen
    one that tries so many different vulnerabilities against so many different
    folders.

    My curiosity is up and I'm wondering if this is a vulnerability scanner or a
    new virus/worm of some sort. Has anyone else noticed these types of log
    entries? If anyone else is curious and wants to see the log entries I would
    be happy to get them to you.

    Regards,
    Ken

    Ken Goods
    Network Administrator
    MIS Dept.
    AIA Insurance, Inc.
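
Added example, not part of the original post: one way to pull the three signals described above (request rate per client IP, breadth of distinct URIs, and two clients walking the same requests in the same order) out of an IIS W3C extended log. The function names, thresholds, IP addresses and log lines are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

def parse_w3c(lines):
    """Yield (timestamp, client_ip, uri) from IIS W3C extended log lines."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for following rows
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            ts = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
            yield ts, row["c-ip"], row["cs-uri-stem"]

def summarize(lines):
    """Per client IP: request count, burst length, rate and ordered URI list."""
    per_ip = defaultdict(list)
    for ts, ip, uri in parse_w3c(lines):
        per_ip[ip].append((ts, uri))
    stats = {}
    for ip, hits in per_ip.items():
        hits.sort(key=lambda h: h[0])          # stable: keeps order within a second
        secs = (hits[-1][0] - hits[0][0]).total_seconds()
        stats[ip] = {"count": len(hits), "seconds": secs,
                     "rate": len(hits) / max(secs, 1.0),
                     "uris": [u for _, u in hits]}
    return stats

def flag_scanners(stats, min_rate=5.0, min_distinct=20):
    """Clients that are both fast and broad; thresholds are assumptions."""
    return sorted(ip for ip, s in stats.items()
                  if s["rate"] >= min_rate and len(set(s["uris"])) >= min_distinct)

def same_sequence(stats, ip_a, ip_b):
    """True when two clients requested the same URIs in the same order."""
    return stats[ip_a]["uris"] == stats[ip_b]["uris"]

def constructed_sample():
    """Constructed log: two fast, broad clients and one ordinary visitor."""
    lines = ["#Software: Microsoft Internet Information Services 5.0",
             "#Fields: date time c-ip cs-method cs-uri-stem sc-status"]
    for ip, start in (("192.0.2.10", 0), ("198.51.100.7", 30)):
        for i in range(60):                    # 12 requests per second for 5 s
            lines.append(f"2003-06-09 10:00:{start + i // 12:02d} {ip} "
                         f"GET /dir{i % 6}/probe{i}.ext 404")
    for minute in (1, 5, 9):
        lines.append(f"2003-06-09 10:{minute:02d}:00 203.0.113.5 GET /default.htm 200")
    return lines
```

To run it on a real log, pass the open file to `summarize()` and the result to `flag_scanners()`; the log must include the `#Fields:` header with `date`, `time`, `c-ip` and `cs-uri-stem` enabled.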
