OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: dr john halewood (johnfrumious.unidec.co.uk)
Date: Tue Dec 18 2001 - 04:49:51 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    There's a distinct pattern to these scans from wanadoo. Looking through some
    logs (I allow anonymous login but with read-only access on one box). I've
    noticed the following:
    the anonymous login password: frequently [A-Z]gpuserhome.com
    an attempt to cd to some directories: /ftproot, /wwwroot, /_vti_bin,
    /_vti_cnf, /cgi-bin, amongst others: the pattern varies, but all requests
    take place within a second, so it's definitely scripted. This is followed by
    an attempt to create a number of directories with a name such as
    011203022432p, where the first 6 digits are YYMMDD.

    Anyone recognise the tool?

    Cheers
    john

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com