New scanner?

From: Jeremy (
Date: 11/20/02

  • Next message: Don Voss: "Re: FTP and Win2K changed security policy"
    Date: Wed, 20 Nov 2002 07:29:57 -0800 (PST)
    From: Jeremy <>

    Hello all,

      My snort box picked this up yesterday fron two
    different source ip's and I was wondering if anyone
    had seen this pattern before. Both times snort logged
    718 alerts consisting of the following:

    1 instances of WEB-IIS multiple decode attempt
    1 instances of FTP invalid MODE
    1 instances of WEB-MISC http directory traversal
    2 instances of WEB-IIS scripts access
    2 instances of (spp_portscan2) Portscan detected
    3 instances of WEB-IIS script (File
    permission canonicalization)
    6 instances of POLICY FTP anonymous login attempt
    17 instances of WEB-IIS CodeRed v2 root.exe access
    685 instances of WEB-IIS cmd.exe access

    This may have been around awhile but its the first
    time I've seen it, so I figured I would ask. If this
    is something new I do have packets captures from all
    the alerts.


    Do you Yahoo!?
    Yahoo! Web Hosting - Let the expert host your site

    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: