[Dshield] RE: GET /invalidfilename.htm

James C. Slora, Jr. Jim.Slora at phra.com
Tue Jul 2 15:09:51 GMT 2002


Paul Marsh wrote on Tue, 2 Jul 2002 08:52:02 -0400 :

>Has anyone else seen the following in their logs?  Sorry for the lengthy log
>snippet but it's two attacks.

> 2002-07-01 14:58:07 217.82.44.2 - GET /invalidfilename.htm - 404 604 59 0 80
<snip>

I have gotten a couple of these lengthy HTTP vulnerability scans, but not in
the past few days. NESSUS (from www.nessus.org) was the product probably
used against my systems. These big loud scans have usually been from hosts
that have not scanned others (at least DShield has listed them as "clean").
The people who scanned me pinged each network host then scanned all live
hosts after waiting a few hours.

A NESSUS scan would most likely be a recon effort. The attacker would look
at the results of the scan, and decide whether the results indicate that
vulnerabilities exist. This might be followed by an exploit attempt later.
Or it could just be someone playing with NESSUS or some other scanner for no
reason at all.

- Jim
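
A defender-side check for the kind of loud scan discussed above, as an added example that is not part of the original post: it flags any client that draws many distinct 404 responses within a short window. The field positions are assumed from the single quoted log entry, the function names and thresholds are hypothetical, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the layout of the quoted entry (documentation-range IPs).
SAMPLE_LOG = """\
2002-07-01 14:58:07 192.0.2.10 - GET /invalidfilename.htm - 404 604 59 0 80
2002-07-01 14:58:07 192.0.2.10 - GET /test-a.htm - 404 604 52 0 80
2002-07-01 14:58:08 192.0.2.10 - GET /test-b.asp - 404 604 52 0 80
2002-07-01 14:58:08 192.0.2.10 - GET /test-c.cgi - 404 604 52 0 80
2002-07-01 14:58:09 192.0.2.10 - GET /test-d.pl - 404 604 51 0 80
2002-07-01 14:58:10 192.0.2.10 - GET /test-e.php - 404 604 52 0 80
2002-07-01 15:02:11 198.51.100.7 - GET /index.htm - 200 3120 60 15 80
2002-07-01 15:02:12 198.51.100.7 - GET /old-logo.gif - 404 604 58 0 80
2002-07-01 15:02:40 198.51.100.7 - GET /old-logo.gif - 404 604 58 0 80
"""


def parse_line(line):
    """Return (timestamp, client_ip, uri, status), or None for headers/malformed lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) < 8:
        return None
    try:
        # Assumed layout: date time client-ip user method uri query status ...
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        return ts, parts[2], parts[5], int(parts[7])
    except ValueError:
        return None


def find_scanners(lines, window=timedelta(seconds=60), min_distinct=5):
    """Map client IP -> peak count of distinct 404 URIs seen inside one window."""
    misses = defaultdict(list)  # client_ip -> [(timestamp, uri)] for 404s only
    for rec in filter(None, map(parse_line, lines)):
        if rec[3] == 404:
            misses[rec[1]].append((rec[0], rec[2]))
    flagged = {}
    for ip, events in misses.items():
        events.sort()
        start = best = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({uri for _, uri in events[start:end + 1]}))
        if best >= min_distinct:  # repeated hits on one broken link do not count
            flagged[ip] = best
    return flagged
```

Counting distinct URIs rather than raw 404s keeps a visitor following one dead link from being flagged; a slower scanner only shows up if the window is widened.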



