Scan from Philippine Center on Transnational Crime

From: Joe Blatz (sd_wireless_at_yahoo.com)
Date: 06/22/03

    Date: Sun, 22 Jun 2003 11:33:03 -0700 (PDT)
    To: incidents@securityfocus.com
    
    

    Normally I just skip over scans like this, but the
    source has aroused my curiosity.

    From 0352 - 0441 (PDT) on 6/22/03 all externally
    addressable web servers on our class B were scanned by
    210.23.116.11. According to APNIC, this address is
    registered to the Philippine Center on Transnational
    Crime. The scan was for the Escaped Characters
    Decoding vulnerability in IIS
    (http://www.securityfocus.com/bid/2708/discussion/).

    It only checked
    http://TARGET/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
    and did not send any other packets that triggered the
    IDS.

    Has anyone else seen anything from the 210.23.116.8 -
    210.23.116.15 range?

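The request quoted in the post hides its backslashes behind two layers of percent-encoding (`%255c` decodes to `%5c`, then to `\`), so a check that decodes only once never sees the traversal. The following is an added example, not part of the original post: a log check that counts how many decoding passes are needed before a `..\` or `../` step appears. The log format, the sample lines other than the quoted request, and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# ".." followed by either slash style, i.e. a traversal step once decoded.
TRAVERSAL = re.compile(r"\.\.[\\/]")

# Constructed sample log, simplified to: date time client-ip method uri status.
SAMPLE_LOG = [
    r"2003-06-22 03:52:10 210.23.116.11 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\ 404",
    "2003-06-22 03:52:11 192.0.2.10 GET /index.html 200",
    "2003-06-22 03:52:12 192.0.2.10 GET /docs/my%20notes.html 200",
    "2003-06-22 03:52:13 192.0.2.20 GET /img/..%2fsecret.txt 403",
]


def traversal_depth(uri, max_rounds=3):
    """Count the percent-decoding passes needed before a traversal step shows.

    Returns 0 if it is present literally, 1 if single-encoded, 2 if
    double-encoded (the %255c case), or None if none appears in max_rounds.
    """
    current = uri
    for depth in range(max_rounds + 1):
        if TRAVERSAL.search(current):
            return depth
        decoded = unquote(current)
        if decoded == current:  # fully decoded, nothing hidden
            return None
        current = decoded
    return None


def scan_log(lines, min_depth=2):
    """Return (client_ip, uri, depth) for requests hiding traversal behind
    at least min_depth rounds of encoding."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 6:
            continue  # not a request line in the assumed format
        client_ip, uri = fields[2], fields[4]
        depth = traversal_depth(uri)
        if depth is not None and depth >= min_depth:
            hits.append((client_ip, uri, depth))
    return hits


if __name__ == "__main__":
    for ip, uri, depth in scan_log(SAMPLE_LOG):
        print(f"{ip} traversal after {depth} decodes: {uri}")
```
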

