Security Incidents mailing list archives

New intrusion script?


From: Mark Bainter <mark-spamx () webtech dresser com>
Date: 15 May 2003 22:53:29 -0000



Today near the end of the day my inbox was suddenly
flooded with messages from my log monitoring tool that
monitors my error_log on the webserver.  At first I
thought a new developer we set up today really goofed,
but the IP address was wrong, as were the URIs they were
trying to hit.

After going through a bunch I started seeing a pattern.
All in all, I received almost 1500 hits in two
minutes.  I don't know the full extent of the script as
once I discovered it I put in a filter at the firewall
to block his IP completely.  But that's how many he got in.

The script appears to look for all the various
application environments within the webserver
directories (perl/php/frontpage/etc) as well as the
popular applications written with them (phpnuke, forums,
CMS, etc).  It also looks for a bunch of scripts I
recognize as backdoor type scripts I've read of in the
past for getting information out, as well as trying to
pull things like the passwd file and win.ini and so on
using relative paths.  It also tried the obvious buffer
overflow attempts that IIS has fallen prey to, and
checked for default.ida and similar items.

When I dumped him I noticed he had already been blocked
from a couple of other nets it protects for portscans.

Perhaps this isn't a new script, but I've never seen
anything like it on any of the other machines I
administer.
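The burst the post describes (well over a thousand requests in two minutes, all probing for things that do not exist on the box) is exactly the kind of pattern a log monitor can flag on its own rather than by flooding an inbox. The script below is an added example, not the poster's tool or anything from the original thread: it parses Apache combined-format access_log lines, counts per-client requests inside a sliding time window, and scores request paths against the probe categories the post mentions (relative-path traversal to passwd/win.ini, FrontPage _vti_ paths, default.ida, phpnuke, cgi-bin). The log lines, the client addresses, the window size and the thresholds are all constructed for the example and would be tuned to the site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access_log lines (Apache combined format); the
# addresses come from the documentation ranges and the paths echo the
# kinds of probes described in the post. Not real log data.
SAMPLE_LOG = """\
203.0.113.5 - - [15/May/2003:17:41:02 -0500] "GET /cgi-bin/phf HTTP/1.0" 404 279 "-" "-"
203.0.113.5 - - [15/May/2003:17:41:02 -0500] "GET /phpnuke/index.php HTTP/1.0" 404 281 "-" "-"
203.0.113.5 - - [15/May/2003:17:41:03 -0500] "GET /../../../../etc/passwd HTTP/1.0" 404 289 "-" "-"
203.0.113.5 - - [15/May/2003:17:41:03 -0500] "GET /scripts/../../winnt/win.ini HTTP/1.0" 404 294 "-" "-"
203.0.113.5 - - [15/May/2003:17:41:04 -0500] "GET /default.ida HTTP/1.0" 404 276 "-" "-"
203.0.113.5 - - [15/May/2003:17:41:04 -0500] "GET /_vti_bin/shtml.exe HTTP/1.0" 404 284 "-" "-"
198.51.100.7 - - [15/May/2003:17:41:05 -0500] "GET /index.html HTTP/1.1" 200 1432 "-" "Mozilla/4.0"
198.51.100.7 - - [15/May/2003:17:41:09 -0500] "GET /images/logo.gif HTTP/1.1" 200 2210 "http://www.example.com/" "Mozilla/4.0"
"""

# Apache combined format: client ident user [timestamp] "METHOD PATH PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Path patterns matching the probe categories named in the post:
# relative-path traversal, passwd/win.ini pulls, IIS default.ida,
# FrontPage extensions, phpnuke and generic cgi-bin script hunting.
SIGNATURES = [re.compile(p, re.IGNORECASE) for p in (
    r"\.\./", r"/etc/passwd", r"win\.ini", r"default\.ida",
    r"/_vti_", r"phpnuke", r"^/cgi-bin/",
)]


def parse_line(line):
    """Return a dict for one access_log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts,
            "path": m.group("path"), "status": int(m.group("status"))}


def max_requests_in_window(timestamps, window_seconds):
    """Largest number of requests inside any span of window_seconds (two-pointer sweep)."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while (ts[end] - ts[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def summarize(log_text, window_seconds=120):
    """Per-client counts: total requests, 404s, signature matches, peak burst."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    summary = {}
    for ip, recs in per_ip.items():
        summary[ip] = {
            "requests": len(recs),
            "not_found": sum(1 for r in recs if r["status"] == 404),
            "signature_hits": sum(1 for r in recs
                                  if any(s.search(r["path"]) for s in SIGNATURES)),
            "burst": max_requests_in_window([r["ts"] for r in recs], window_seconds),
        }
    return summary


def flag_scanners(log_text, window_seconds=120, burst_threshold=5, min_signature_hits=2):
    """Clients that either burst mostly-404 requests or repeatedly hit probe signatures."""
    flagged = []
    for ip, s in summarize(log_text, window_seconds).items():
        mostly_404 = s["requests"] > 0 and s["not_found"] / s["requests"] >= 0.8
        if (s["burst"] >= burst_threshold and mostly_404) or s["signature_hits"] >= min_signature_hits:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(ip, s)
    print("flagged:", flag_scanners(SAMPLE_LOG))
```

The two flagging conditions are deliberately independent: a burst of mostly-404 requests catches a scanner whose wordlist you have never seen, while the signature count catches a slow scan spread out over hours. Either one is a reason to send a single alert and feed the address to the firewall rule the poster added by hand.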
