Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Scan from Philipine Center on Transnational Crime

From: ATD <simon () snosoft com>
Date: 24 Jun 2003 00:11:24 -0400
Hi, 
   Actually ANVIL picked that up as well from the same 210 range. We
have 9 class C's here, all 9 were scanned. Thus far our total scan count
from that "area" is over 1500. We actually have a black list on our web
page if anyone is interested, with the reasons for the black listing.
(http://www.secnetops.com look on the bottom of the page).

   Something else that we've noticed too is a massive amount of scans
from uunet in CA, a total of approx 1300 scans, also recently
blacklisted. 


On Sun, 2003-06-22 at 14:33, Joe Blatz wrote:

Normally I just skip over scans like this, but the
source has aroused my curiosity.


From 0352 - 0441 (PDT) on 6/22/03 all externally

addressable web servers on our class B were scanned by
210.23.116.11. According the APNIC this address is
registered to the Philippine Center on Transnational
Crime. The scan was for the Escaped Characters
Decoding vulnerability in IIS
(http://www.securityfocus.com/bid/2708/discussion/).

It only checked
http://TARGET/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
and did not send any other packets that triggered the
IDS.

Has anyone else seen anything from the 210.23.116.8 -
210.23.116.15 range?

__________________________________
Do you Yahoo!?
SBC Yahoo! DSL - Now only $29.95 per month!
http://sbc.yahoo.com

----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
----------------------------------------------------------------------------

-- 

Sincerely, 
        Adriel T. Desautels
        Secure Network Operations, Inc.
        http://www.secnetops.com
        DID: 978-263-3829 CELL: 978-790-6901

        ANVIL : http://www.secnetops.com/products

______________________________________________________________
SECNETOPS "Embracing the future of technology, protecting you"

Attachment: signature.asc
Description: This is a digitally signed message part

Previous By Date Next
Previous By Thread Next

Current thread: