[Dshield] (new?) IIS 'galaxy' vulnerability scanner ?

Greg Broiles gbroiles at parrhesia.com
Sat Jun 8 03:16:11 GMT 2002


At 09:01 PM 6/7/2002 -0400, you wrote:

>I had today three people notify me about a new, rather noisy, signature
>they found in their apache logs. Can everyone take a look at their logs
>and see if they find it? I don't think this qualifies as a 'worm' so far.
>It looks a bit too complex and overly redundant. But maybe it is some
>vulnerability scanner.
>
>Note the first Line: 'galaxy_10400.10746'. It looks like a marker someone
>added to the tool.

I saw something similar, although they visited me on May 13 and haven't 
been back.

My log excerpt is at <http://parrhesia.com/galaxy-scan.txt> so as not to 
clog up everyone's mail with boring log entries.

The first line was

209.195.62.146 - - [13/May/2002:16:44:41 -0700] "GET /galaxy_176172.176518 
HTTP/1.0" 404 286 "-" "-"

and there were 57 entries total. The log entries are PDT (GMT -7:00) and 
the system clock is synchronized every few hours to USNO time.


--
Greg Broiles -- gbroiles at parrhesia.com -- PGP 0x26E4488c or 0x94245961




More information about the list mailing list