Pantek Library

Re: New attack or old Vulnerability Scanner?

From: Mark Embrich <mark_embrich(at)yahoo.com>
Date: Tue Apr 29 2003 - 14:34:03 EDT
In-Reply-To: <OFAF55508B.5FB024D6-ON85256D14.0002DCAA-85256D14.00419468@us.ibm.com>

Hello Jason,

Thanks for your help.

>Can you post (or provide a link) to the full tcpdump traces for this scan

The full tcpdump trace is quite long, about 1.7MB per attack, so I can't post it here. It would be a real pain-in-the-ass to sanitize it, so I don't really want to post or distribute it anyway. If you really, really want to take a look at it, I can sanitize it and email it to you directly.

>When you say TCP connect, I assume you mean that you saw a simple
>this
>was an IIS server?

I mean a simple connection to the port, not a HEAD or GET. This attack didn't care that I was not running IIS.

I also did not see a ping sweep prior to the attacks, although I only checked up to 2 hours earlier.

Thank you,
Mark Embrich



Received on Tue Apr 29 19:16:40 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:04 EDT

