Snort mailing list archives
Re: eEyeIsTheBest seen in http?
From: Erek Adams <erek () theadamsfamily net>
Date: Thu, 27 Sep 2001 13:53:28 -0700 (PDT)
On Thu, 27 Sep 2001, Tom Sevy wrote:
Has anyone else seen this? I am seeing a handful of these, from internal machines, sometimes going to other segments in the network as well as to outside systems (web servers).

Generated by ACID v0.9.6b13 on Thu September 27, 2001 16:33:32
------------------------------------------------------------------------------
#(4 - 58002) [2001-09-27 15:37:22] WEB-IIS cmd.exe Out
IPv4: 192.xxx.xx.xx -> xxx.xx.x.xx
hlen=5 TOS=0 dlen=217 ID=5482 flags=0 offset=0 TTL=128 chksum=27285
TCP: port=4850 -> dport: 80 flags=***AP*** seq=3028858 ack=2830731072 off=5 res=0 win=8490 urp=0 chksum=7675
Payload: length = 167
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
010 : 35 63 2E 2E 25 35 63 2E 2E 25 35 63 2E 2E 25 35 5c..%5c..%5c..%5
020 : 63 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33 32 2F cwinnt/system32/
030 : 63 6D 64 2E 65 78 65 3F 2F 63 2B 65 63 68 6F 20 cmd.exe?/c+echo
040 : 65 45 79 65 49 73 54 68 65 42 65 73 74 20 49 73 eEyeIsTheBest Is
050 : 54 68 65 42 65 73 74 20 48 54 54 50 2F 31 2E 31 TheBest HTTP/1.1
060 : 0D 0A 48 6F 73 74 3A 20 65 65 79 65 0D 0A 55 73 ..Host: eeye..Us
070 : 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C er-Agent: Mozill
080 : 61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C a/4.0 (compatibl
090 : 65 3B 20 4D 53 49 45 20 35 2E 30 31 3B 20 57 69 e; MSIE 5.01; Wi
0a0 : 6E 64 6F 77 73 20 4E ndows N
Looks like that's the eEye Nimda scanner. Grab a copy from http://www.eeye.com/ and check the scan. I could be crackheaded here, but... Lemme dig up some email from the incidents list.

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
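To see concretely why the rule fires on the request in the quoted alert, the following script rebuilds the payload from the ACID hex dump above, percent-decodes the URI (`%5c` is a backslash, which IIS treats as a path separator), resolves the `..` segments, and pulls out the command passed to cmd.exe and the `eEyeIsTheBest` marker string. This is an added example written for this page, not code from Snort, ACID, eEye or anyone in the thread; the hex dump is copied from the alert, while the parser, the path normalization and the classification are illustrative, and the assumption that the WEB-IIS cmd.exe rule is essentially a content match on the string `cmd.exe` is marked as such in the code.

```python
"""Decode the ACID payload dump quoted above and classify the request.

Added example for this page, not part of Snort, ACID or the eEye tool:
the hex dump is copied from the quoted alert; the parsing, decoding and
classification logic is illustrative code written here.
"""
import re
from urllib.parse import unquote_to_bytes

# The 167-byte payload exactly as ACID printed it in the quoted alert
# (ACID's dump stops after "Windows N", so the request is incomplete).
ACID_DUMP = """\
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
010 : 35 63 2E 2E 25 35 63 2E 2E 25 35 63 2E 2E 25 35 5c..%5c..%5c..%5
020 : 63 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33 32 2F cwinnt/system32/
030 : 63 6D 64 2E 65 78 65 3F 2F 63 2B 65 63 68 6F 20 cmd.exe?/c+echo
040 : 65 45 79 65 49 73 54 68 65 42 65 73 74 20 49 73 eEyeIsTheBest Is
050 : 54 68 65 42 65 73 74 20 48 54 54 50 2F 31 2E 31 TheBest HTTP/1.1
060 : 0D 0A 48 6F 73 74 3A 20 65 65 79 65 0D 0A 55 73 ..Host: eeye..Us
070 : 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C er-Agent: Mozill
080 : 61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C a/4.0 (compatibl
090 : 65 3B 20 4D 53 49 45 20 35 2E 30 31 3B 20 57 69 e; MSIE 5.01; Wi
0a0 : 6E 64 6F 77 73 20 4E ndows N
"""

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def parse_acid_dump(dump: str) -> bytes:
    """Rebuild raw bytes from an ACID/Snort-style hex dump.

    Each line is "<offset> : <up to 16 hex bytes> <ascii column>". The ASCII
    column is ignored: after the colon we take whitespace-separated two-digit
    hex tokens, at most 16 per line, stopping at the first token that is not
    one (which is where the ASCII column begins on the short last line).
    """
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        for tok in line.split(":", 1)[1].split()[:16]:
            if not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def normalize_iis_path(raw_path: bytes):
    """Percent-decode once, treat backslash like slash (as IIS does) and
    resolve '.' and '..' segments.

    Returns (normalized_path, escaped_root); escaped_root is True when a
    '..' segment tried to climb above the top of the requested path.
    """
    decoded = unquote_to_bytes(raw_path).replace(b"\\", b"/")
    stack, escaped = [], False
    for seg in decoded.split(b"/"):
        if seg in (b"", b"."):
            continue
        if seg == b"..":
            if stack:
                stack.pop()
            else:
                escaped = True
            continue
        stack.append(seg)
    return b"/" + b"/".join(stack), escaped


def analyze_http_request(payload: bytes) -> dict:
    """Split the request line and headers and describe what was asked for."""
    head = payload.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    # The query carries unencoded spaces, so peel the method off the front
    # and the HTTP version off the back and keep everything between.
    method, _, rest = lines[0].partition(b" ")
    target, _, version = rest.rpartition(b" ")
    raw_path, _, query = target.partition(b"?")
    path, escaped = normalize_iis_path(raw_path)
    command = unquote_to_bytes(query.replace(b"+", b" "))
    headers = {}
    for h in lines[1:]:
        name, sep, value = h.partition(b":")
        if sep:
            headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return {
        "method": method.decode(),
        "version": version.decode(),
        "raw_path": raw_path.decode(),
        "path": path.decode(),
        "traversal": escaped,
        "command": command.decode(),
        "host": headers.get("host"),
        # Assumption: the WEB-IIS cmd.exe rule is in essence a case-insensitive
        # content match on "cmd.exe"; this is what such a match sees.
        "cmd_exe_literal": b"cmd.exe" in payload.lower(),
        "eeye_marker": b"eEyeIsTheBest" in payload,
    }


def verdict(info: dict) -> str:
    """Summarize the request for an analyst."""
    if info["traversal"] and info["path"].lower().endswith("/cmd.exe"):
        return "traversal to cmd.exe, command: " + info["command"]
    if info["cmd_exe_literal"]:
        return "cmd.exe referenced without traversal"
    return "no cmd.exe access"


if __name__ == "__main__":
    payload = parse_acid_dump(ACID_DUMP)
    info = analyze_http_request(payload)
    print(len(payload), "payload bytes")
    for key, value in info.items():
        print(f"{key:16} {value}")
    print(verdict(info))
```

Run as-is, the script reports that the encoded path resolves to /winnt/system32/cmd.exe after climbing out of /scripts, that the command is `/c echo eEyeIsTheBest IsTheBest`, and that both the literal `cmd.exe` and the `eEyeIsTheBest` marker are present in the raw payload, which is what makes a content-matching rule fire and what makes the request easy to recognize as the scanner's probe rather than something that needs to be decoded by hand from the hex dump.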
Current thread:
- eEyeIsTheBest seen in http? Tom Sevy (Sep 27)
- Re: eEyeIsTheBest seen in http? Erek Adams (Sep 27)
- Re: eEyeIsTheBest seen in http? niceshorts (Sep 27)
- <Possible follow-ups>
- RE: eEyeIsTheBest seen in http? Steve Halligan (Sep 27)