Security Incidents mailing list archives

Scan from Philipine Center on Transnational Crime

From: Joe Blatz <sd_wireless () yahoo com>
Date: Sun, 22 Jun 2003 11:33:03 -0700 (PDT)

Normally I just skip over scans like this, but the
source has aroused my curiosity.

From 0352 - 0441 (PDT) on 6/22/03 all externally

addressable web servers on our class B were scanned by
210.23.116.11. According the APNIC this address is
registered to the Philippine Center on Transnational
Crime. The scan was for the Escaped Characters
Decoding vulnerability in IIS
(http://www.securityfocus.com/bid/2708/discussion/).

It only checked
http://TARGET/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
and did not send any other packets that triggered the
IDS.

Has anyone else seen anything from the 210.23.116.8 -
210.23.116.15 range?

__________________________________
Do you Yahoo!?
SBC Yahoo! DSL - Now only $29.95 per month!
http://sbc.yahoo.com

----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
----------------------------------------------------------------------------

Current thread:

Scan from Philipine Center on Transnational Crime Joe Blatz (Jun 23)
- Re: Scan from Philipine Center on Transnational Crime ATD (Jun 24)