Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: dr john halewood (johnfrumious.unidec.co.uk)
Date: Tue Dec 18 2001 - 04:49:51 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    There's a distinct pattern to these scans from wanadoo. Looking through some
    logs (I allow anonymous login but with read-only access on one box). I've
    noticed the following:
    the anonymous login password: frequently [A-Z]gpuserhome.com
    an attempt to cd to some directories: /ftproot, /wwwroot, /_vti_bin,
    /_vti_cnf, /cgi-bin, amongst others: the pattern varies, but all requests
    take place within a second, so it's definitely scripted. This is followed by
    an attempt to create a number of directories with a name such as
    011203022432p, where the first 6 digits are YYMMDD.

    Anyone recognise the tool?


    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com