[Intrusions] Distributed scan
sekure
sekure at gmail.com
Mon Jul 12 18:55:18 GMT 2004
Looking over some log files, check out this distributed scan I got hit
with over the weekend. Snort caught most of it, the rest I had to fish
out of httpd logs. I count 10 different sources, all connecting to my
server within 30 seconds, making similar requests... My guess: this is
someone utilizing a botnet to do distributed scans:
212.174.111.110 - - [10/Jul/2004:20:07:02 -0400] "POST /cgi-bin/sendform.cgi HTTP/1.0" 404 5540
200.62.136.145 - - [10/Jul/2004:20:07:03 -0400] "POST /cgi-bin/formmail.pl HTTP/1.0" 404 5540
148.244.150.52 - - [10/Jul/2004:20:07:04 -0400] "POST /cgi-bin/contact.cgi HTTP/1.0" 404 5540
209.184.108.162 - - [10/Jul/2004:20:07:08 -0400] "POST /cgi-bin/mailform.pl HTTP/1.0" 404 5540
209.26.56.10 - - [10/Jul/2004:20:07:16 -0400] "POST /cgi-bin/formmail.cgi HTTP/1.0" 404 5540
213.149.103.76 - - [10/Jul/2004:20:07:18 -0400] "POST /cgi-bin/FormMail.pl HTTP/1.0" 404 5540
80.65.103.231 - - [10/Jul/2004:20:07:19 -0400] "POST /mail.cgi HTTP/1.0" 404 5540
207.248.159.253 - - [10/Jul/2004:20:07:23 -0400] "POST /cgi-bin/fmail.pl HTTP/1.0" 404 5540
66.68.229.28 - - [10/Jul/2004:20:07:32 -0400] "POST /cgi-bin/form.cgi HTTP/1.1" 404 5540
80.65.103.231 - - [10/Jul/2004:20:07:33 -0400] "POST /cgi-bin/contact.pl HTTP/1.0" 404 5540
207.156.61.10 - - [10/Jul/2004:20:07:34 -0400] "POST /cgi/formmail HTTP/1.0" 404 5540
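
Added example, not part of the original post: a Python pass over the log excerpt above that automates the correlation done by hand in the message, flagging a short window in which many distinct sources each get a 404 on a different path. The function names, the 60-second window and the thresholds of 5 are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# Access-log lines from the post above, re-joined onto single lines.
SAMPLE_LOG = """\
212.174.111.110 - - [10/Jul/2004:20:07:02 -0400] "POST /cgi-bin/sendform.cgi HTTP/1.0" 404 5540
200.62.136.145 - - [10/Jul/2004:20:07:03 -0400] "POST /cgi-bin/formmail.pl HTTP/1.0" 404 5540
148.244.150.52 - - [10/Jul/2004:20:07:04 -0400] "POST /cgi-bin/contact.cgi HTTP/1.0" 404 5540
209.184.108.162 - - [10/Jul/2004:20:07:08 -0400] "POST /cgi-bin/mailform.pl HTTP/1.0" 404 5540
209.26.56.10 - - [10/Jul/2004:20:07:16 -0400] "POST /cgi-bin/formmail.cgi HTTP/1.0" 404 5540
213.149.103.76 - - [10/Jul/2004:20:07:18 -0400] "POST /cgi-bin/FormMail.pl HTTP/1.0" 404 5540
80.65.103.231 - - [10/Jul/2004:20:07:19 -0400] "POST /mail.cgi HTTP/1.0" 404 5540
207.248.159.253 - - [10/Jul/2004:20:07:23 -0400] "POST /cgi-bin/fmail.pl HTTP/1.0" 404 5540
66.68.229.28 - - [10/Jul/2004:20:07:32 -0400] "POST /cgi-bin/form.cgi HTTP/1.1" 404 5540
80.65.103.231 - - [10/Jul/2004:20:07:33 -0400] "POST /cgi-bin/contact.pl HTTP/1.0" 404 5540
207.156.61.10 - - [10/Jul/2004:20:07:34 -0400] "POST /cgi/formmail HTTP/1.0" 404 5540
"""

LINE_RE = re.compile(  # Apache common log format
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')

def parse_404s(lines):
    """Yield (time, source_ip, path) for each well-formed line with status 404."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m["status"] == "404":
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m["ip"], m["path"]

# Window and thresholds are illustrative assumptions; tune them per site.
def find_distributed_scans(lines, window=timedelta(seconds=60),
                           min_sources=5, min_paths=5):
    """Return bursts of 404s spread over many sources and many paths."""
    events = sorted(parse_404s(lines))
    bursts, i = [], 0
    while i < len(events):
        j = i
        while j < len(events) and events[j][0] - events[i][0] <= window:
            j += 1
        sources = {ip for _, ip, _ in events[i:j]}
        paths = {p for _, _, p in events[i:j]}
        if len(sources) >= min_sources and len(paths) >= min_paths:
            bursts.append({"start": events[i][0], "end": events[j - 1][0],
                           "sources": sources, "paths": paths})
            i = j          # skip past the burst just reported
        else:
            i += 1
    return bursts
```

A per-source 404 counter would miss this pattern, since no single address here makes more than two requests; the signal only appears when requests are grouped by time window across sources.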