Security Incidents mailing list archives
Use of HEAD in web server scan
From: Russell Fulton <r.fulton () auckland ac nz>
Date: Mon, 29 Oct 2001 10:52:42 +1300 (NZDT)
I had not seen this before so I thought others might be interested. Last night someone (working through a machine in China :( ) attacked our main campus web server. Snort logged over 600 pobes. I asked the webserver support staff to check the logs to make sure that everything as OK and they came back very puzzled: they could find hardly any traffic from the IP and what there was was perfectly innocent. I went back to the snort logs and had a look at the packet dumps and found that they were all HEAD requests which appear not to be logged by IIS. The tool used uses HEAD request to establish if certain vulnerabilities exist, these include various directory traversal vulnerabilities, the presence of vulnerable cgi scripts etc. Russell Fulton, Computer and Network Security Officer The University of Auckland, New Zealand ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Use of HEAD in web server scan Russell Fulton (Oct 28)
- Re: Use of HEAD in web server scan Mike Lewinski (Oct 28)