Re: Scan from Philippine Center on Transnational Crime
From: ATD (simon_at_snosoft.com)
Date: 06/24/03
- Previous message: Valdis.Kletnieks_at_vt.edu: "Re: Intrusec 55808 Trojan Analysis"
- In reply to: Joe Blatz: "Scan from Philippine Center on Transnational Crime"
To: Joe Blatz <sd_wireless@yahoo.com>
Date: 24 Jun 2003 00:11:24 -0400
Hi,
Actually ANVIL picked that up as well from the same 210 range. We
have 9 class C's here, all 9 were scanned. Thus far our total scan count
from that "area" is over 1500. We actually have a black list on our web
page if anyone is interested, with the reasons for the black listing.
(http://www.secnetops.com look on the bottom of the page).
Something else that we've noticed too is a massive amount of scans
from uunet in CA, a total of approx 1300 scans, also recently
blacklisted.
On Sun, 2003-06-22 at 14:33, Joe Blatz wrote:
> Normally I just skip over scans like this, but the
> source has aroused my curiosity.
>
> From 0352 - 0441 (PDT) on 6/22/03 all externally
> addressable web servers on our class B were scanned by
> 210.23.116.11. According to APNIC this address is
> registered to the Philippine Center on Transnational
> Crime. The scan was for the Escaped Characters
> Decoding vulnerability in IIS
> (http://www.securityfocus.com/bid/2708/discussion/).
>
> It only checked
> http://TARGET/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
> and did not send any other packets that triggered the
> IDS.
>
> Has anyone else seen anything from the 210.23.116.8 -
> 210.23.116.15 range?
--
Sincerely,
Adriel T. Desautels
Secure Network Operations, Inc.
http://www.secnetops.com
DID: 978-263-3829 CELL: 978-790-6901
ANVIL : http://www.secnetops.com/products
______________________________________________________________
SECNETOPS "Embracing the future of technology, protecting you"
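
A detection sketch for the probe quoted above, added here as an example and not part of the original thread: it URL-decodes each request path repeatedly and reports how many rounds it takes for a `..\` or `../` sequence to appear (two rounds for the `%255c` form). The log format, sample lines and function names are constructed assumptions; the /29 is the range asked about in the quoted message.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed sample log lines (assumed format: source IP, quoted request line).
SAMPLE_LOG = [
    '210.23.116.11 "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0"',
    '192.0.2.10 "GET /index.html HTTP/1.0"',
    '192.0.2.77 "GET /docs/100%25_uptime.html HTTP/1.0"',
    '198.51.100.5 "GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+dir HTTP/1.0"',
]

LINE_RE = re.compile(r'^(\S+) "(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"$')
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")


def decode_depth(path, max_rounds=3):
    """Number of URL-decode rounds needed before ../ or ..\\ appears, else None."""
    current = path
    for rounds in range(max_rounds + 1):
        if TRAVERSAL_RE.search(current):
            return rounds
        decoded = unquote(current)
        if decoded == current:  # fully decoded, nothing hidden
            return None
        current = decoded
    return None


def find_probes(lines, watch_net):
    """Return (ip, depth, in_watched_range) for each request with a traversal path."""
    net = ipaddress.ip_network(watch_net)
    hits = []
    for line in lines:
        match = LINE_RE.match(line)
        if not match:
            continue
        ip, target = match.groups()
        depth = decode_depth(target.split("?", 1)[0])
        if depth is not None:
            hits.append((ip, depth, ipaddress.ip_address(ip) in net))
    return hits


if __name__ == "__main__":
    # 210.23.116.8/29 covers the 210.23.116.8 - 210.23.116.15 range from the post.
    for ip, depth, watched in find_probes(SAMPLE_LOG, "210.23.116.8/29"):
        kind = "double-encoded" if depth >= 2 else "encoded" if depth == 1 else "plain"
        print(f"{ip}: {kind} traversal (depth {depth}), watched range: {watched}")
```

A literal `%25` in a legitimate path, as in the third sample line, decodes to a bare `%` and stops there, so it is not flagged.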