[Dshield] automated probe?
Bernhard Fuchs
bf at coffeecrew.org
Wed May 14 11:37:38 GMT 2008
Hello Rick,
it is a probe for FrontPage Server Extensions, as you can see from the fp30.reg.dll.
And the x90 is a no-op and therefore looks like a buffer overflow.
It seems to be very old.
Check hxxp://www.securiteam.com/windowsntfocus/5JP0L1F4KM.html
b
----- "Rick Leir" <rdshield at leirtech.com> wrote:
> The same someone is probing my apache every few days. I can understand
> a badguy probing once, but it seems to be automated. What is happening
> here?
>
> From my logwatch:
>
> A total of 1 sites probed the server
> 69.155.29.160
> Requests with error response codes
> 404 Not Found
> /_vti_bin/_vti_aut/fp30reg.dll: 1 Time(s)
> 414 Request-URI Too Large
> /\x90\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\ ...
> x90\x90\x90\x90:
> 1 Time(s)
>
> ARIN whois:
> PPPoX Pool - Bras2 stlsmo 062104-1903.615166
> SBC06915502800023040926182104 (NET-69-155-28-0-1)
> 69.155.28.0 - 69.155.29.255
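
A way to spot the request pair discussed in this thread in an Apache access log and check whether the same client comes back on different days, as an added example that is not part of the original messages. The log lines are constructed, the client addresses are documentation ranges, and the tag names and the four-byte run threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache access-log prefix: client, timestamp, request line, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]*\] "(?P<req>.*?)" (?P<status>\d{3}) ')
FP_PATH = "/_vti_bin/_vti_aut/fp30reg.dll"    # path shown in the logwatch report
NOP_RUN = re.compile(r"(?:\\x90){4,}", re.I)  # escaped 0x90 bytes; 4+ is an assumed threshold

def classify(line):
    """Return (ip, date, tags) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    tags = set()
    if FP_PATH in m["req"].lower():
        tags.add("fp30reg-probe")
    if NOP_RUN.search(m["req"]):
        tags.add("nop-run-in-uri")
    if m["status"] == "414":
        tags.add("uri-too-large")
    day = datetime.strptime(m["day"], "%d/%b/%Y").date()
    return m["ip"], day, tags

def summarize(lines):
    """Group tagged requests by client and report the distinct days each was seen."""
    seen = defaultdict(lambda: {"tags": set(), "days": set()})
    for line in lines:
        hit = classify(line)
        if hit and hit[2]:
            ip, day, tags = hit
            seen[ip]["tags"] |= tags
            seen[ip]["days"].add(day)
    return {ip: {"tags": sorted(v["tags"]), "days": sorted(v["days"]),
                 "recurring": len(v["days"]) > 1} for ip, v in seen.items()}

# Constructed sample lines; \x90 is the literal escape text Apache writes to the log.
SAMPLE = r"""
192.0.2.10 - - [10/May/2008:03:12:01 +0000] "GET /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 301
192.0.2.10 - - [10/May/2008:03:12:02 +0000] "GET /\x90\xc9\xc9\xc9\x90\x90\x90\x90 HTTP/1.1" 414 340
192.0.2.10 - - [13/May/2008:04:40:17 +0000] "GET /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 301
198.51.100.7 - - [13/May/2008:09:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120
""".strip().splitlines()

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE).items():
        print(ip, info)
```

A client flagged as recurring with both the fp30reg.dll path and the 0x90 run matches the automated pattern described in the thread.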