From: Steve Moran (steve.moran_at_csssoftware.com)
Date: Mon Dec 02 2002 - 11:10:25 CST

    Lately I've seen some odd port 80 scans. These scans have been setting
    off somewhere in the neighborhood of 160-250 different snort signatures.
    There have been 3 of these scans. One to my mail server, which is on
    one class C network (a 198 network); the other two were to an entirely
    different class C (a 65 network). These scans are very efficient, i.e.
    only 1-3 packets per type of exploit. They are not targeted, i.e. they
    are looking for any exploit, Lotus, Windows, Apache, anything. One
    admin said he found an executable called network32 on his dns server and
    many registry entries to have it automatically start. It was in the
    win32\label directory. The second attack was from Italy, from what
    appears to be some small Italian town's website (I don't speak or read
    Italian, so I'm not entirely sure), but I have not gotten any response
    from requests for help regarding the scan. I'm still collecting info on
    the third and latest scan. I don't think I'm being deliberately
    targeted, as these scans are way too noisy, personally, if it was me,
    I'd at least take the time to do some recon and tailor my attack to the
    type of web server.
    As nothing has been compromised and no damage done, law enforcement
    doesn't really care. As there are close to 1000 packets and, like I
    said, 160-250 different types of attacks, reporting them is very hard,
    and no one really seems to care (no damage).
    Is anyone else seeing this sort of traffic lately? I have 3 snort
    sensors, and they've been running for close to 2 years, and these
    attacks have registered on two different sensors, running different
    versions of snort, so I doubt it's a snort freak out that's caused this.
    Is anyone aware of some sort of new bug doing this?

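One way to triage the pattern described in the message above (one source, port 80, a large number of distinct signatures, only a few alerts per signature) is to roll the sensor's alerts up by source address. This is an added example, not part of the original post: it assumes Snort's "fast" alert format, the function names and the `min_sids` default of 100 are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Snort "fast" alert line:
#   MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] msg [**] [...] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+.*?\s+\[\*\*\]"
    r".*?\{\w+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

def summarize(lines, dport="80"):
    """Per source IP: alert count, distinct signatures, distinct targets."""
    stats = defaultdict(lambda: {"alerts": 0, "sids": set(), "targets": set()})
    for line in lines:
        m = ALERT_RE.search(line)
        if not m or m["dport"] != dport:
            continue
        s = stats[m["src"]]
        s["alerts"] += 1
        s["sids"].add((m["gid"], m["sid"]))
        s["targets"].add(m["dst"])
    return stats

def broad_sweeps(lines, min_sids=100, max_per_sid=3.0):
    """Sources tripping many distinct signatures with only a few alerts each."""
    rows = []
    for src, s in summarize(lines).items():
        per_sid = s["alerts"] / len(s["sids"])
        if len(s["sids"]) >= min_sids and per_sid <= max_per_sid:
            rows.append((src, len(s["sids"]), s["alerts"], sorted(s["targets"])))
    return sorted(rows, key=lambda r: -r[1])

# Constructed sample (documentation addresses, local-range SIDs, made-up messages).
TAIL = "[Classification: Web Application Attack] [Priority: 1] {TCP}"
SAMPLE = [
    f"12/02-11:10:{i:02d}.000000  [**] [1:{1000000 + i}:1] WEB-EXAMPLE probe {i} [**] "
    f"{TAIL} 203.0.113.7:{4000 + i} -> 198.51.100.10:80"
    for i in range(8)
] + [  # a second source repeating one signature: noisy, but not a sweep
    "12/02-11:12:00.000000  [**] [1:1000001:1] WEB-EXAMPLE probe 1 [**] "
    f"{TAIL} 203.0.113.9:5000 -> 198.51.100.10:80"
] * 6

if __name__ == "__main__":
    # min_sids lowered because the constructed sample is tiny
    for src, sids, alerts, targets in broad_sweeps(SAMPLE, min_sids=5):
        print(f"{src}: {sids} signatures, {alerts} alerts, targets {targets}")
```

The one-line-per-source summary is also a compact form for an abuse report, in place of roughly 1000 individual packets.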