Security Incidents mailing list archives
RE: unkown directory traversal attempts
From: Rob Keown <Keown () MACDIRECT COM>
Date: Sat, 13 Oct 2001 17:43:36 -0400
How many of these attempts do you see...looking at the intruding system it appears like a pretty normal server, behind a firewall. All the same, the signature is a bit odd looking. It is coming from a Chinese University...the web server does not appear to be infected by any know worm (as best I can tell)...was this just a once-and-done? NMAP findings: Host (202.119.199.39) appears to be up ... good. Initiating SYN half-open stealth scan against (202.119.199.39) Adding TCP port 25 (state open). Adding TCP port 21 (state open). Adding TCP port 554 (state open). Adding TCP port 80 (state open). Adding TCP port 111 (state open). Adding TCP port 23 (state open). The SYN scan took 113 seconds to scan 1523 ports. Interesting ports on (202.119.199.39): (The 1508 ports scanned but not shown below are in state: closed) Port State Service 13/tcp filtered daytime 21/tcp open ftp 22/tcp filtered ssh 23/tcp open telnet 25/tcp open smtp 80/tcp open http 111/tcp open sunrpc 139/tcp filtered netbios-ssn 554/tcp open rtsp 1417/tcp filtered timbuktu-srv1 1433/tcp filtered ms-sql-s 1434/tcp filtered ms-sql-m 1723/tcp filtered pptp 5190/tcp filtered aol 8888/tcp filtered sun-answerbook ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- unkown directory traversal attempts Kevin Holmquist (Oct 13)
- <Possible follow-ups>
- RE: unkown directory traversal attempts Rob Keown (Oct 13)