[Dshield] New one?

Johannes B. Ullrich jullrich at euclidian.com
Wed Oct 17 14:09:45 GMT 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


It kind of looks like a vulnerability scanner, maybe nessus? I don't
remember a code red / nimda variant that uses that many vulnerabilities.

The interesting part is that it has a valid browser ID (MSIE 5.01). Not
sure if nessus does that or not.

The source IP is most likely real, as all this requires a full three-way
handshake. It is assigned to 'Solar Internet' in Brasilia, Brasil.

>
> These log entries I found today on an Apache virtual web server of my company.
> Sorry, the lines are very long, but all different...
>
> Is this a new "Code Red" or something?
> It does not look like the "normal" CR or Nimda to me.
>
> The "attacking IP" is located in Brasil (if it is the real one :-) ), we are in Germany.
>
> Best regards,
>
> Martin Mueller
>
>
> 200.199.211.50 - - [17/Oct/2001:08:10:28 +0200] "GET
> /msadc/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir%20c:\
> HTTP/1.1" 404 336 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
.........


- -- 
- -------
jullrich at sans.org                    Join http://www.DShield.org
                                     Distributed Intrusion Detection System

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7zZErVOIizK5pIDMRAoA0AJ9J3kjfQ8mt8sgaNAxwnTTBJ+rQdwCgyGry
EA1c2TgWVf3vORj08ammCVg=
=WNoh
-----END PGP SIGNATURE-----
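The log entry quoted in the thread, run through a small triage script. This is an added example, not code from the list post or from DShield: it parses Apache combined-format lines, decodes the overlong UTF-8 sequence (`%c0%af`) the way a lenient decoder would so the traversal becomes visible, flags requests that reach for `cmd.exe`, and tallies distinct probe paths per source IP, which is the reasoning above (many different requests from one host with a normal browser ID points at a scanner rather than a worm repeating one fixed request). The first sample line is the one from the thread; the other two lines, the 192.0.2.10 address and the per-IP heuristic are constructed for this example.

```python
"""Triage Apache combined-format access log lines for overlong-UTF-8
("%c0%af") directory traversal aimed at cmd.exe, with a per-source tally
that separates a one-shot worm hit from a scanner walking many paths.
Added example; not from the list post."""
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def lenient_utf8(raw: bytes):
    """Return (text, overlong_seen). Strict UTF-8 rejects overlong forms such
    as C0 AF; a lenient decoder accepts them and yields the short code point
    ('/' for C0 AF), which is what the quoted probe counts on."""
    try:
        return raw.decode("utf-8"), False
    except UnicodeDecodeError:
        pass
    out, overlong, i = [], False, 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            overlong, i = True, i + 2
        else:
            out.append(chr(b))  # treat any other byte as Latin-1 for inspection
            i += 1
    return "".join(out), overlong


def classify(line: str):
    """Parse one log line and attach detection flags; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    decoded, overlong = lenient_utf8(unquote_to_bytes(rec["path"]))
    rec["decoded_path"] = decoded
    flags = []
    if overlong:
        flags.append("overlong-utf8")
    if "../" in decoded or "..\\" in decoded:
        flags.append("traversal")
    if "cmd.exe" in decoded.lower():
        flags.append("cmd.exe")
    rec["flags"] = flags
    return rec


def summarize(lines):
    """Per source IP: flagged request count, distinct probe paths (query
    string stripped) and User-Agent strings seen. Many distinct paths from
    one IP in a short window reads as a scanner; a worm repeats one request."""
    per_ip = defaultdict(lambda: {"flagged": 0, "paths": set(), "agents": set()})
    for line in lines:
        rec = classify(line)
        if rec and rec["flags"]:
            s = per_ip[rec["ip"]]
            s["flagged"] += 1
            s["paths"].add(rec["decoded_path"].split("?")[0])
            s["agents"].add(rec["ua"])
    return {ip: {"flagged": s["flagged"], "distinct_paths": len(s["paths"]),
                 "agents": sorted(s["agents"])} for ip, s in per_ip.items()}


# Sample input: the first line is the entry quoted in the thread; the other two
# are constructed for this example (a benign hit from a documentation-range
# address, and a second probe from the same source with a different prefix).
SAMPLE_LINES = [
    r'200.199.211.50 - - [17/Oct/2001:08:10:28 +0200] "GET /msadc/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir%20c:\ HTTP/1.1" 404 336 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"',
    r'192.0.2.10 - - [17/Oct/2001:08:11:02 +0200] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"',
    r'200.199.211.50 - - [17/Oct/2001:08:10:29 +0200] "GET /scripts/..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir HTTP/1.1" 404 336 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = classify(line)
        print(rec["ip"], rec["status"], rec["flags"], rec["decoded_path"][:60])
    print(summarize(SAMPLE_LINES))
```

The 404 in the quoted line is worth keeping in the record: on an Apache host there is no `cmd.exe` to reach, so the status alone says the probe failed, and the flags only tell you which hosts are being walked and by whom. Feeding the script a day's log and sorting `summarize()` by `distinct_paths` surfaces the scanner-style sources first.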