From: Scott A. McIntyre (scott_at_xs4all.net)
Date: Wed Sep 11 2002 - 14:35:13 CDT
I'm trying to identify whatever the tool is that seems to be annoying
our networks. It has a number of characteristics, and seems to be
mostly aimed towards vulnerable Windows machines, but I'm making no
assumptions there.
Symptoms:
o ICMP packets with payload of "hello ???"
o IIS exploits ala Nimda style (and others)
o FTP server testing for anonymous capabilities
o TCP port 57 probing.
The IIS queries are along the lines of:
HEAD /PBServer/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:\
HEAD /msadc/..%c1%af../winnt/system32/cmd.exe?/c+dir+c:\
HEAD /msadc/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\
And so on.
FTP logs in as anonymous with password of "ano
ano.com"
I'm not really sure what the 57/tcp is about however.
Anyone know what tool this is?
Thanks,
Scott
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
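
Added example (not part of the original post): a Python check that flags the three IIS request styles quoted above in web-server logs by percent-decoding the path twice and looking for double encoding, byte values that cannot occur in valid UTF-8, directory traversal, and a reference to cmd.exe. The function name, finding labels and the benign sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Bytes 0xC0, 0xC1 and 0xF5-0xFF never appear in well-formed UTF-8; they only
# show up in overlong or otherwise illegal sequences.
INVALID_UTF8 = re.compile(rb"[\xc0\xc1\xf5-\xff]")
TRAVERSAL = re.compile(rb"\.\.[/\\]")

def classify(request_line):
    """Return a set of findings for one 'METHOD target [version]' line."""
    parts = request_line.split()
    if len(parts) < 2:
        return set()
    path = parts[1].split("?", 1)[0]      # inspect the path, not the query
    once = unquote_to_bytes(path)         # what a single decode yields
    twice = unquote_to_bytes(once)        # what a second decode would yield
    findings = set()
    if twice != once:
        findings.add("double-encoded")    # e.g. %25%35%63 -> %5c -> backslash
    if INVALID_UTF8.search(twice):
        findings.add("invalid-utf8")      # e.g. %c1.. or %f8.. lead bytes
    if TRAVERSAL.search(twice):
        findings.add("traversal")
    if b"cmd.exe" in twice.lower():
        findings.add("cmd.exe")
    return findings

# The first three lines are the requests quoted in the post; the last two are
# constructed benign requests.
SAMPLE_REQUESTS = [
    "HEAD /PBServer/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:\\",
    "HEAD /msadc/..%c1%af../winnt/system32/cmd.exe?/c+dir+c:\\",
    "HEAD /msadc/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\\",
    "GET /index.html HTTP/1.0",
    "GET /docs/100%25.html HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        hits = classify(line)
        print("ALERT" if hits else "ok   ", sorted(hits), line)
```
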