[Intrusions] Distributed scan
skip1 at duckwall.net
Tue Jul 13 19:22:09 GMT 2004
Sounds like the same topic from the handler's diary:
http://isc.sans.org/diary.php?date=2004-07-06
http://isc.sans.org/diary.php?date=2004-07-07
If you have something else, you could talk with them...
Alva Lease 'Skip' Duckwall IV
CISSP, RHCE, SCSA
skip at duckwall d0t net
On Mon, 12 Jul 2004, sekure wrote:
> Looking over some log files, check out this distributed scan I got hit
> with over the weekend. Snort caught most of it, the rest I had to fish
> out of httpd logs. I count 10 different sources, all connecting to my
> server within 30 seconds, making similar requests... My guess: this is
> someone utilizing a botnet to do distributed scans:
>
> 212.174.111.110 - - [10/Jul/2004:20:07:02 -0400] "POST /cgi-bin/sendform.cgi HTTP/1.0" 404 5540
> 200.62.136.145 - - [10/Jul/2004:20:07:03 -0400] "POST /cgi-bin/formmail.pl HTTP/1.0" 404 5540
> 148.244.150.52 - - [10/Jul/2004:20:07:04 -0400] "POST /cgi-bin/contact.cgi HTTP/1.0" 404 5540
> 209.184.108.162 - - [10/Jul/2004:20:07:08 -0400] "POST /cgi-bin/mailform.pl HTTP/1.0" 404 5540
> 209.26.56.10 - - [10/Jul/2004:20:07:16 -0400] "POST /cgi-bin/formmail.cgi HTTP/1.0" 404 5540
> 213.149.103.76 - - [10/Jul/2004:20:07:18 -0400] "POST /cgi-bin/FormMail.pl HTTP/1.0" 404 5540
> 80.65.103.231 - - [10/Jul/2004:20:07:19 -0400] "POST /mail.cgi HTTP/1.0" 404 5540
> 207.248.159.253 - - [10/Jul/2004:20:07:23 -0400] "POST /cgi-bin/fmail.pl HTTP/1.0" 404 5540
> 66.68.229.28 - - [10/Jul/2004:20:07:32 -0400] "POST /cgi-bin/form.cgi HTTP/1.1" 404 5540
> 80.65.103.231 - - [10/Jul/2004:20:07:33 -0400] "POST /cgi-bin/contact.pl HTTP/1.0" 404 5540
> 207.156.61.10 - - [10/Jul/2004:20:07:34 -0400] "POST /cgi/formmail HTTP/1.0" 404 5540
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org
> http://www.dshield.org/mailman/listinfo/intrusions
>
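The pattern picked out by hand in the quoted post (many sources inside a short window, each POSTing to a different mail-form script path and getting a 404) can be found mechanically in an access log. The following is an added example, not part of the original thread; the function names, the thresholds and the two 192.0.2.10 entries are assumptions made for illustration.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Common Log Format: host ident user [time] "METHOD path proto" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+$')

# Eight entries from the post (wrapped lines rejoined); the two 192.0.2.10
# entries are constructed background traffic that must not be reported.
SAMPLE = """\
192.0.2.10 - - [10/Jul/2004:19:00:00 -0400] "GET /index.html HTTP/1.0" 200 1024
192.0.2.10 - - [10/Jul/2004:19:00:05 -0400] "POST /cgi-bin/search.cgi HTTP/1.0" 404 5540
212.174.111.110 - - [10/Jul/2004:20:07:02 -0400] "POST /cgi-bin/sendform.cgi HTTP/1.0" 404 5540
200.62.136.145 - - [10/Jul/2004:20:07:03 -0400] "POST /cgi-bin/formmail.pl HTTP/1.0" 404 5540
148.244.150.52 - - [10/Jul/2004:20:07:04 -0400] "POST /cgi-bin/contact.cgi HTTP/1.0" 404 5540
209.184.108.162 - - [10/Jul/2004:20:07:08 -0400] "POST /cgi-bin/mailform.pl HTTP/1.0" 404 5540
209.26.56.10 - - [10/Jul/2004:20:07:16 -0400] "POST /cgi-bin/formmail.cgi HTTP/1.0" 404 5540
80.65.103.231 - - [10/Jul/2004:20:07:19 -0400] "POST /mail.cgi HTTP/1.0" 404 5540
80.65.103.231 - - [10/Jul/2004:20:07:33 -0400] "POST /cgi-bin/contact.pl HTTP/1.0" 404 5540
207.156.61.10 - - [10/Jul/2004:20:07:34 -0400] "POST /cgi/formmail HTTP/1.0" 404 5540
""".splitlines()

def parse(line):
    m = CLF.match(line.strip())
    if m:  # unparseable lines yield None and are skipped by the caller
        host, ts, method, path, status = m.groups()
        return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), host, method, path, int(status)

def distributed_probes(lines, window=30, min_sources=5, min_paths=5):
    """Bursts of 404 POSTs in which many sources try many paths within `window` s."""
    hits = sorted(h for h in map(parse, lines) if h and h[2] == "POST" and h[4] == 404)
    bursts, win = [], deque()
    for hit in hits:
        win.append(hit)
        while hit[0] - win[0][0] > timedelta(seconds=window):
            win.popleft()                          # drop requests older than the window
        sources, paths = {h[1] for h in win}, {h[3] for h in win}
        if len(sources) < min_sources or len(paths) < min_paths:
            continue
        if bursts and bursts[-1][1] >= win[0][0]:  # overlaps previous burst: merge
            start, _, src, pth = bursts[-1]
            bursts[-1] = (start, hit[0], src | sources, pth | paths)
        else:
            bursts.append((win[0][0], hit[0], sources, paths))
    return bursts

if __name__ == "__main__":
    for start, end, src, pth in distributed_probes(SAMPLE):
        print(start, end, len(src), "sources", len(pth), "paths")
```

Counting distinct sources and distinct paths separately keeps a single noisy client, or many clients hitting one missing URL, from being reported as a distributed scan.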