RE: Need help to find web server attacks signature
From: Mike Brownbill (mike.brownbill_at_dsl.pipex.com)
Date: 10/22/03
- Previous message: Mike Anderson: "RE: Bogus DNS traffic"
- In reply to: Maxime Ducharme: "Need help to find web server attacks signature"
- Next in thread: Tri Huynh: "Re: Need help to find web server attacks signature"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <incidents@securityfocus.com>
Date: Wed, 22 Oct 2003 20:49:54 +0100
I can't name the scanner itself but it's looking like a simple brute-force
against a list of forum scripts (most likely vulnerable) which the attacker
has. A probable explanation for the request of the images is to enumerate
whether or not the forum which uses said images is present on the server.
It's a very cack-handed attack - a more intelligent/experienced attacker
would have used Google to check for the forum/(whatever system, looks like a
forum with age.pl/header.php, etc)'s existence on the server rather than
doing it in this manner. The fact that further down the page you see an
attempt to tunnel the /etc/passwd file from an IIS server(?!?!?) points to a
script kiddy. If I was you I'd check that the relevant scripts that got a
200 are up to date with the latest vendor patches - if you are very
concerned then do a whois on the attacking ip and contact their ISP. As I
have said in a very round and about manner, it's a rather awfully attempted
attack and doesn't point to the webserver being targeted personally (again,
probably just a script kiddy scanning about - an attacker with intent of
taking that specific site would have a better knowledge of the site and its
scripts).
Anywho, hope that helps,
Mike Brownbill
-----Original Message-----
From: Maxime Ducharme [mailto:maxime@pandore-design.com]
Sent: Wednesday, October 22, 2003 6:43 PM
To: incidents@securityfocus.com
Subject: Need help to find web server attacks signature
Hi all,
I'd need help to identify an attack that happened on one of our
customer's web server yesterday, I put the log file here:
http://www.pandore-design.com/security/2003-10-21-IIS-attack.txt
I see some attacks that seem to be a security scanner tool,
and some attacks which target specific pages of the web site
(where we begin to see 200 responses from the web server).
Does someone recognize a tool / virus / worm in this?
Thanks in advance for help
---------------------------------------------------------------
Maxime Ducharme
Network Administrator, Programmer