RE: eEyeIsTheBest seen in http? (x-posted to Snort user list)
From: Arthur Donchey (adonchey-l@vpga.com) Date: 09/27/01
- Previous message: Samuel Lam: "Re: nCircle IP360"
- In reply to: Tom Sevy: "FW: eEyeIsTheBest seen in http? (x-posted to Snort user list)"
From: "Arthur Donchey" <adonchey-l@vpga.com> To: "Tom Sevy" <tsevy@epx.com>, <FOCUS-IDS@SECURITYFOCUS.COM> Subject: RE: eEyeIsTheBest seen in http? (x-posted to Snort user list) Date: Thu, 27 Sep 2001 17:58:51 -0400 Message-ID: <LDEBKAFJPEJLPJHICLCDEEFNCJAA.adonchey-l@vpga.com>
Yes, it is eEye NimdaScn (Nimda Scanner,
http://www.eeye.com/html/Research/Tools/nimda.html). Someone is
testing your servers for the vulnerability, or just testing them.
Arthur Donchey, CISSP
V.P.Griffen & Assoc. L.L.C.
http://www.vpga.com
adonchey@vpga.com
Skyline Internet Inc.
http://www.skylineinternet.com
adonchey@skylineinternet.com
-----Original Message-----
From: Tom Sevy [mailto:tsevy@epx.com]
Sent: Thursday, September 27, 2001 4:45 PM
To: BugTraq FOCUS-IDS (FOCUS-IDS@SECURITYFOCUS.COM)
Subject: FW: eEyeIsTheBest seen in http? (x-posted to Snort user list)
Has anyone else seen this?
I am seeing a handful of these, from internal machines, sometimes going to
other segments in the network as well as to outside systems (web servers).
Generated by ACID v0.9.6b13 on Thu September 27, 2001 16:33:32
----------------------------------------------------------------------------
#(4 - 58002) [2001-09-27 15:37:22] WEB-IIS cmd.exe Out
IPv4: 192.xxx.xx.xx -> xxx.xx.x.xx
      hlen=5 TOS=0 dlen=217 ID=5482 flags=0 offset=0 TTL=128 chksum=27285
TCP:  port=4850 -> dport: 80  flags=***AP*** seq=3028858 ack=2830731072 off=5 res=0 win=8490 urp=0 chksum=7675
Payload:  length = 167
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 35 63 2E 2E 25 35 63 2E 2E 25 35 63 2E 2E 25 35   5c..%5c..%5c..%5
020 : 63 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33 32 2F   cwinnt/system32/
030 : 63 6D 64 2E 65 78 65 3F 2F 63 2B 65 63 68 6F 20   cmd.exe?/c+echo
040 : 65 45 79 65 49 73 54 68 65 42 65 73 74 20 49 73   eEyeIsTheBest Is
050 : 54 68 65 42 65 73 74 20 48 54 54 50 2F 31 2E 31   TheBest HTTP/1.1
060 : 0D 0A 48 6F 73 74 3A 20 65 65 79 65 0D 0A 55 73   ..Host: eeye..Us
070 : 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C   er-Agent: Mozill
080 : 61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C   a/4.0 (compatibl
090 : 65 3B 20 4D 53 49 45 20 35 2E 30 31 3B 20 57 69   e; MSIE 5.01; Wi
0a0 : 6E 64 6F 77 73 20 4E                              ndows N
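Added example (my own code, not from either poster or from eEye): a small Python classifier that rebuilds the captured request from the ACID hex dump above, normalizes the `..%5c` traversal the same way IIS would, and separates the eEye scanner's `echo eEyeIsTheBest` marker from an ordinary cmd.exe traversal hit. The function names and verdict labels are mine; the only input is the hex from the alert.

```python
"""Classify the WEB-IIS cmd.exe alert payload quoted in the thread."""
from urllib.parse import unquote

# Sample input: the hex column of the ACID alert above (ASCII column
# stripped). 167 bytes, truncated exactly where the capture stops.
ALERT_HEX = """
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25
010 : 35 63 2E 2E 25 35 63 2E 2E 25 35 63 2E 2E 25 35
020 : 63 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33 32 2F
030 : 63 6D 64 2E 65 78 65 3F 2F 63 2B 65 63 68 6F 20
040 : 65 45 79 65 49 73 54 68 65 42 65 73 74 20 49 73
050 : 54 68 65 42 65 73 74 20 48 54 54 50 2F 31 2E 31
060 : 0D 0A 48 6F 73 74 3A 20 65 65 79 65 0D 0A 55 73
070 : 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C
080 : 61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C
090 : 65 3B 20 4D 53 49 45 20 35 2E 30 31 3B 20 57 69
0a0 : 6E 64 6F 77 73 20 4E
"""

def hexdump_to_bytes(dump: str) -> bytes:
    """Turn 'offset : xx xx ...' rows into the raw bytes they encode."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _, _, hexpart = line.partition(":")
        out.extend(int(tok, 16) for tok in hexpart.split())
    return bytes(out)

def classify_request(raw: bytes) -> dict:
    """Extract what the request line reveals: traversal, target, marker."""
    request_line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    method, _, rest = request_line.partition(" ")
    target = rest.rsplit(" HTTP/", 1)[0]        # tolerate spaces in the URI
    path, _, query = target.partition("?")
    norm = path
    for _ in range(2):   # two passes also catch double-encoded (%255c) forms
        norm = unquote(norm)
    norm = norm.replace("\\", "/").lower()      # '..%5c' now reads as '../'
    args = unquote(query).replace("+", " ")
    return {
        "method": method,
        "traversal": "/../" in norm,
        "hits_cmd_exe": norm.endswith("/cmd.exe"),
        "eeye_marker": "eEyeIsTheBest" in args,  # the scanner's echo tag
        "command": args,
    }

def verdict(raw: bytes) -> str:
    """Label the request for triage: scanner probe, real traversal, or benign."""
    c = classify_request(raw)
    if c["hits_cmd_exe"] and c["traversal"]:
        return "eeye-nimda-scanner" if c["eeye_marker"] else "cmd.exe-traversal"
    return "benign"
```

Running `verdict(hexdump_to_bytes(ALERT_HEX))` labels the captured request as the eEye probe; the same traversal without the echo marker is reported as a plain cmd.exe traversal attempt, which is the distinction the thread is asking about.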