Pantek Library

New scanner?

From: Jeremy <prrthd25(at)yahoo.com>
Date: Wed Nov 20 2002 - 10:29:57 EST


Hello all,

  My snort box picked this up yesterday from two different source IPs and I was wondering if anyone had seen this pattern before. Both times snort logged 718 alerts consisting of the following:

1 instances of WEB-IIS multiple decode attempt
1 instances of FTP invalid MODE
1 instances of WEB-MISC http directory traversal
2 instances of WEB-IIS scripts access
2 instances of (spp_portscan2) Portscan detected
3 instances of WEB-IIS Unicode2.pl script (File permission canonicalization)
6 instances of POLICY FTP anonymous login attempt
17 instances of WEB-IIS CodeRed v2 root.exe access
685 instances of WEB-IIS cmd.exe access

This may have been around a while but it's the first time I've seen it, so I figured I would ask. If this is something new I do have packet captures from all the alerts.

Thanks,
  Jeremy




This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Thu Nov 21 20:18:46 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:51 EDT

