Re: Website Hacking Attempt - letting the IP Block owners know?
From: HC (keydet89@yahoo.com)Date: 06/23/02
- Next message: waycat: "how can i identify a bbs system server version ?"
- Previous message: Don Grover: "Re: Website Hacking Attempt - letting the IP Block owners know?"
- In reply to: Paul Hutchings: "Re: Website Hacking Attempt - letting the IP Block owners know?"
- Next in thread: Brian: "Re: Website Hacking Attempt - letting the IP Block owners know?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: HC <keydet89@yahoo.com> Date: Sat, 22 Jun 2002 19:28:31 -0400
Doesn't look like a virus at all...just a regular scanning tool. This
one isn't even very good...by default, IIS doesn't usually allow access
to the winnt dir. This tool doesn't even seem to have tried the dir
transversal exploit...and it keeps trying for files that it has already
failed on.
My best advice to you is to forget about it...the response codes are all
404. Whomever is running the tool isn't too bright...
> Hmm. I'm not too familiar with exactly what virii cause what
> requests...here's a sample of the log entries (I've xxx'd our IP).
>
> 15:31:39 62.73.168.17 - xxx.xxx.xxx.xxx GET
> /à\EUR\¯../winnt/system32/netstat.exe 404 3 80 -
> 15:31:39 62.73.168.17 - xxx.xxx.xxx.xxx GET /winnt/system32/nbtstat.exe 404
> 3 80 -
> 15:31:39 62.73.168.17 - xxx.xxx.xxx.xxx GET /winnt/system32/ping.exe 404 3
> 80 -
> 15:31:39 62.73.168.17 - xxx.xxx.xxx.xxx GET /winnt/system32/ipconfig.exe
> 404 3 80 -
> 15:31:39 62.73.168.17 - xxx.xxx.xxx.xxx - - 404 2 80 -
> 15:31:40 62.73.168.17 - xxx.xxx.xxx.xxx - - 404 2 80 -
> 15:31:40 62.73.168.17 - xxx.xxx.xxx.xxx GET /winnt/system32/ipconfig.exe
> 404 3 80 -
> 15:31:41 62.73.168.17 - xxx.xxx.xxx.xxx GET /winnt/system32/ipconfig.exe
> 404 3 80 -
> 15:31:41 62.73.168.17 - xxx.xxx.xxx.xxx - - 404 2 80 -
> 15:31:41 62.73.168.17 - xxx.xxx.xxx.xxx - - 404 2 80 -
> 15:31:41 62.73.168.17 - xxx.xxx.xxx.xxx - - 404 2 80 -
> 15:31:41 62.73.168.17 - xxx.xxx.xxx.xxx GET /winnt/system32/ping.exe 404 3
> 80 -
> 15:31:41 62.73.168.17 - xxx.xxx.xxx.xxx GET /winnt/system32/ping.exe 404 3
> 80 -
> 15:31:41 62.73.168.17 - xxx.xxx.xxx.xxx GET /winnt/system32/tftp.exe 404 3
> 80 -
> 15:31:42 62.73.168.17 - xxx.xxx.xxx.xxx GET /winnt/system32/tftp.exe 404 3
> 80 -
> 15:31:42 62.73.168.17 - xxx.xxx.xxx.xxx GET
> /scripts/..Á%pc../winnt/system32/ping.exe 404 3 80 -
> 15:31:42 62.73.168.17 - xxx.xxx.xxx.xxx GET /winnt/system32/nbtstat.exe 404
> 3 80 -
> 15:31:42 62.73.168.17 - xxx.xxx.xxx.xxx GET
> /scripts/..Á%8s../winnt/system32/tftp.exe 404 3 80 -
> 15:31:42 62.73.168.17 - xxx.xxx.xxx.xxx GET /winnt/system32/ping.exe 404 3
> 80 -
> 15:31:42 62.73.168.17 - xxx.xxx.xxx.xxx - - 404 2 80 -
> 15:31:42 62.73.168.17 - xxx.xxx.xxx.xxx - - 404 2 80 -
> 15:31:42 62.73.168.17 - xxx.xxx.xxx.xxx - - 404 2 80 -
> 15:31:42 62.73.168.17 - xxx.xxx.xxx.xxx GET
> /scripts/..À%qf../winnt/system32/nbtstat.exe 404 3 80 -
> 15:31:42 62.73.168.17 - xxx.xxx.xxx.xxx GET /winnt/system32/ipconfig.exe
> 404 3 80 -
> 15:31:42 62.73.168.17 - xxx.xxx.xxx.xxx GET /winnt/system32/netstat.exe 404
> 3 80 -
> 15:31:44 62.73.168.17 - xxx.xxx.xxx.xxx GET
> /scripts/..À%9v../winnt/system32/netstat.exe 404 3 80 -
>
>
- Next message: waycat: "how can i identify a bbs system server version ?"
- Previous message: Don Grover: "Re: Website Hacking Attempt - letting the IP Block owners know?"
- In reply to: Paul Hutchings: "Re: Website Hacking Attempt - letting the IP Block owners know?"
- Next in thread: Brian: "Re: Website Hacking Attempt - letting the IP Block owners know?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
