Security Incidents mailing list archives
HTTP attacks over weekend
From: phred () PACIFICWEST COM (phred () PACIFICWEST COM)
Date: Mon, 24 Apr 2000 19:35:16 -0400
My site underwent a number of generic HTTP attacks this weekend that were recorded by RealSecure. Attacks were initiated from 4 different IPs. They used a hodgepodge of attacks reflecting no specific knowledge of my site. ISS.net will have a full description of the attack signature.

From: 212.176.36.12

FromPort  Date     Time       To       To Port  EventName                   Information
2281      4/23/00  8:30:18AM  206.81.  80       HTTP_IE_BAT                 URL /....../autoexec.bat
2283      4/23/00  8:30:19AM  206.81.  80       HTTP_IIS$DATA               URL /default.asp::$DATA
2284      4/23/00  8:30:19AM  206.81.  80       HTTP_IE_BAT                 URL /ows-bin/*.bat
2285      4/23/00  8:30:19AM  206.81.  80       HTTP_Netscape_SpaceView     URL /cgi-bin/edit.pl
2286      4/23/00  8:30:20AM  206.81.  80       HTTP_Netscape_SpaceView     URL /.html/............./config.sys
2288      4/23/00  8:30:21AM  206.81.  80       HTTP_Netscape_SpaceView     URL /doc
2289      4/23/00  8:30:21AM  206.81.  80       HTTP_Novell_Files           URL /perl/files.pl
2291      4/23/00  8:30:22AM  206.81.  80       HTTP_Netscape_PageServices  URL /?PageServices
2297      4/23/00  8:30:26AM  206.81.  80       HTTP_Unix_Passwords         URL /etc/passwd
2300      4/23/00  8:30:28AM  206.81.  80       HTTP_Netscape_SpaceView     URL /cgi-bin/rwwwshell.pl
2303      4/23/00  8:30:29AM  206.81.  80       HTTP_WebFinger              URL /cgi-bin/finger
2307      4/23/00  8:30:32AM  206.81.  80       HTTP_WebFinger              URL /cgi-bin/finger?@localhost
2322      4/23/00  8:30:44AM  206.81.  80       HTTP_IE_BAT                 URL /cgi-bin/test.bat
2327      4/23/00  8:31:32AM  206.81.  80       HTTP_TestCgi                URL /cgi-bin/test-cgi
2340      4/23/00  8:31:39AM  206.81.  80       HTTP_Netscape_SpaceView     URL /_vti_pvt/authors.pwd

Unable to find any TLD information for this domain.
Please check the domain and verify that it is part of a valid top level domain.
"217.176.36.12 -arin"

From: 212.109.41.100

FromPort  Date     Time       To       To Port  EventName                   Information
3285      4/22/00  7:13:12AM  206.81.  80       HTTP_PHF                    URL //cgi-bin/phf.cgi
3311      4/22/00  7:14:25AM  206.81.  80       HTTP_IE_BAT                 URL //....../autoexec.bat
3343      4/22/00  7:15:26AM  206.81.  80       HTTP_WebSite_Uploader       URL //cgi-win/uploader.exe
3345      4/22/00  7:15:29AM  206.81.  80       HTTP_IE_BAT                 URL //cgi-dos/args.bat
3359      4/22/00  7:15:42AM  206.81.  80       HTTP_Netscape_PageServices  URL //?PageServices

% Rights restricted by copyright. See http://www.ripe.net/ripencc/pub-services/db/copyright.html
inetnum: 212.109.41.0 - 212.109.41.127
netname: SA-KHARKOV-SOVAMNET
descr: 26, Konstitutsiyi sq., suite 23
descr: Kharkov
country: UA
admin-c: OG965-RIPE
tech-c: OG965-RIPE
status: ASSIGNED PA
notify: oleg () sa net ua
mnt-by: SOVAMUA-MNT
changed: doka () kiev sovam com 19991105
source: RIPE

From: 63.17.219.174

FromPort  Date     Time        To       To Port  EventName                Information
3527      4/22/00  12:20:43PM  206.81.  80       HTTP_Novell_Files        URL/perl/files.pl
3635      4/22/00  12:21:00PM  206.81.  80       HTTP_Netscape_SpaceView  URL/ss.cfg
3654      4/22/00  12:21:02PM  206.81.  80       HTTP_IE_BAT              URL/cgi-dos/args.bat

UUNET Technologies, Inc. (NETBLK-NETBLK-UUNET97DU)
3060 Williams Drive, Suite 601
Fairfax, va 22031
US
Netname: NETBLK-UUNET97DU
Netblock: 63.0.0.0 - 63.41.255.255
Maintainer: UUDA
Coordinator:
UUnet, AlterNet - Technical Support (OA12-ARIN) help () UUNET UU NET
() -

From: 193.232.88.16

FromPort  Date     Time       To       To Port  EventName              Information
2361      4/23/00  8:30:12AM  206.81.  80       HTTP_WebSite_Uploader  URL /cgi-win/uploader.exe
21970     4/23/00  8:34:38AM  206.81.  80       HTTP_WebSite_Uploader  URL /cgi-win/uploader.exe
36764     4/23/00  8:38:08AM  206.81.  80       HTTP_WebSite_Uploader  URL /cgi-win/uploader.exe
51953     4/23/00  8:41:38AM  206.81.  80       HTTP_WebSite_Uploader  URL /cgi-win/uploader.exe
9836      4/23/00  8:46:55AM  206.81.  80       HTTP_WebSite_Uploader  URL /cgi-win/uploader.exe
40840     4/23/00  8:53:56AM  206.81.  80       HTTP_WebSite_Uploader  URL /cgi-win/uploader.exe
5398      4/23/00  9:00:57AM  206.81.  80       HTTP_WebSite_Uploader  URL /cgi-win/uploader.exe
2366      4/23/00  9:11:40AM  206.81.  80       HTTP_WebSite_Uploader  URL /cgi-win/uploader.exe
45994     4/23/00  9:22:11AM  206.81.  80       HTTP_WebSite_Uploader  URL /cgi-win/uploader.exe
24707     4/23/00  9:32:41AM  206.81.  80       HTTP_WebSite_Uploader  URL /cgi-win/uploader.exe
1947      4/23/00  9:43:13AM  206.81.  80       HTTP_WebSite_Uploader  URL /cgi-win/uploader.exe
45022     4/23/00  9:53:39AM  206.81.  80       HTTP_WebSite_Uploader  URL /cgi-win/uploader.exe

% Rights restricted by copyright. See http://www.ripe.net/ripencc/pub-services/db/copyright.html
inetnum: 193.232.88.0 - 193.232.91.255
netname: ROSPRINT-NET
descr: RoSprint Company
descr: Data Communications
descr: Moscow, Russia
country: RU
admin-c: AP9-RIPE
tech-c: AP9-RIPE
mnt-by: ROSPRINT-NCC
changed: pooh () ipnms rosprint net 19960202
source: RIPE

route: 193.232.88.0/22
descr: ROSPRINT-NET
origin: AS2854
mnt-by: ROSPRINT-NCC
changed: andrew () ipnms rosprint net 19950908
source: RIPE

person: Andrey Petukhov
address: Global One Russia (RoSprint)
address: 7 Tverskaya ul, Ent. #7,
address: Moscow, 103375
address: Russia
phone: +7 095 705 9229
fax-no: +7 095 929 9363
e-mail: pooh () ipnms rosprint net
nic-hdl: AP9-RIPE
mnt-by: ROSPRINT-NCC
changed: pooh () ipnms rosprint net 19970121
changed: dru () ipnms rosprint net 19981104
source: RIPE
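
Added example, not part of the original post: a small triage script that groups IDS events like those above by source and separates a burst of many different signatures from one URL requested repeatedly at intervals. The row layout, the `summarize` function and the classification thresholds are assumptions of this example; the sample rows are a subset transcribed from the tables in the post.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Sample rows (source, date, time, event, url): a subset transcribed from the
# post's tables into a simplified layout chosen for this example.
ROWS = [
    ("212.176.36.12", "4/23/00", "8:30:18AM", "HTTP_IE_BAT", "/....../autoexec.bat"),
    ("212.176.36.12", "4/23/00", "8:30:19AM", "HTTP_IIS$DATA", "/default.asp::$DATA"),
    ("212.176.36.12", "4/23/00", "8:30:26AM", "HTTP_Unix_Passwords", "/etc/passwd"),
    ("212.176.36.12", "4/23/00", "8:30:29AM", "HTTP_WebFinger", "/cgi-bin/finger"),
    ("212.176.36.12", "4/23/00", "8:31:32AM", "HTTP_TestCgi", "/cgi-bin/test-cgi"),
    ("193.232.88.16", "4/23/00", "8:30:12AM", "HTTP_WebSite_Uploader", "/cgi-win/uploader.exe"),
    ("193.232.88.16", "4/23/00", "8:34:38AM", "HTTP_WebSite_Uploader", "/cgi-win/uploader.exe"),
    ("193.232.88.16", "4/23/00", "8:38:08AM", "HTTP_WebSite_Uploader", "/cgi-win/uploader.exe"),
    ("193.232.88.16", "4/23/00", "8:41:38AM", "HTTP_WebSite_Uploader", "/cgi-win/uploader.exe"),
]

def summarize(rows):
    """Return per-source counts, timing and a coarse classification."""
    by_src = defaultdict(list)
    for src, date, clock, event, url in rows:
        ts = datetime.strptime(f"{date} {clock}", "%m/%d/%y %I:%M:%S%p")
        by_src[src].append((ts, event, url))
    report = {}
    for src, events in by_src.items():
        events.sort()
        times = [ts for ts, _, _ in events]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        signatures = {event for _, event, _ in events}
        urls = {url for _, _, url in events}
        # Thresholds are assumptions of this example, not RealSecure logic.
        if len(urls) == 1 and len(events) > 1:
            kind = "repeated-single-url"   # same request retried over time
        elif len(signatures) >= 3:
            kind = "broad-scan"            # many unrelated checks in a burst
        else:
            kind = "other"
        report[src] = {
            "events": len(events),
            "signatures": len(signatures),
            "span_s": (times[-1] - times[0]).total_seconds(),
            "median_gap_s": median(gaps) if gaps else 0.0,
            "kind": kind,
        }
    return report

if __name__ == "__main__":
    for src, facts in summarize(ROWS).items():
        print(src, facts)
```
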