Scan from Philipine Center on Transnational Crime

From: Joe Blatz (sd_wireless_at_yahoo.com)
Date: 06/22/03

  • Next message: Valdis.Kletnieks_at_vt.edu: "Re: Intrusec 55808 Trojan Analysis"
    Date: Sun, 22 Jun 2003 11:33:03 -0700 (PDT)
    To: incidents@securityfocus.com
    
    

    Normally I just skip over scans like this, but the
    source has aroused my curiosity.

    From 0352 - 0441 (PDT) on 6/22/03 all externally
    addressable web servers on our class B were scanned by
    210.23.116.11. According the APNIC this address is
    registered to the Philippine Center on Transnational
    Crime. The scan was for the Escaped Characters
    Decoding vulnerability in IIS
    (http://www.securityfocus.com/bid/2708/discussion/).

    It only checked
    http://TARGET/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
    and did not send any other packets that triggered the
    IDS.

    Has anyone else seen anything from the 210.23.116.8 -
    210.23.116.15 range?

    __________________________________
    Do you Yahoo!?
    SBC Yahoo! DSL - Now only $29.95 per month!
    http://sbc.yahoo.com

    ----------------------------------------------------------------------------
    Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
    world's premier technical IT security event! 10 tracks, 15 training sessions,
    1,800 delegates from 30 nations including all of the top experts, from CSO's to
    "underground" security specialists. See for yourself what the buzz is about!
    Early-bird registration ends July 3. This event will sell out. www.blackhat.com
    ----------------------------------------------------------------------------


  • Next message: Valdis.Kletnieks_at_vt.edu: "Re: Intrusec 55808 Trojan Analysis"