[Dshield] Unusual log activity - any ideas?

Johannes B. Ullrich jullrich at sans.org
Wed May 1 15:11:57 GMT 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


This kind of reminds me of the sadmin worm. It used the older
NULL.printer vulnerability in IIS (and a Solaris vulnerability... it was
kind of a neat multi-OS worm).

But it could also be a random vulnerability scanner.

> xxx.xxx.xxx.xxx [03/Apr/2002:09:35:05 -0500] "HEAD
> /qweiop43809442fsfjflr.html HTTP/1.1" 404 0 "-" "Mozilla/5.0"
> xxx.xxx.xxx.xxx - - [03/Apr/2002:09:35:06 -0500] "GET /NULL.printer
> HTTP/1.1" 404 288 "-" "-"
> xxx.xxx.xxx.xxx - - [03/Apr/2002:09:35:06 -0500] "GET / HTTP/1.1" 200 761
> "-" "-"

- -- 
- -------
jullrich at sans.org                    Join http://www.DShield.org
                          Distributed Intrusion Detection System

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE80AW/wWQP+4im9DYRAgQvAKC53BgDyjaxFpKI1GTvWgx5FYClRQCeJIBv
WkHuzII0RXC8BHXVr/4ch2o=
=37gz
-----END PGP SIGNATURE-----
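
The quoted requests, turned into a log check. This is an added example, not part of the original message: it flags any client that asks for a `.printer` URL and lists what else that client requested within a few seconds. The sample lines are the three quoted entries unwrapped, with the masked source replaced by a documentation address, plus one constructed unrelated client; the function names and the 5-second window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the quoted requests on one line each, 192.0.2.10 standing
# in for the masked source, and one unrelated constructed client.
SAMPLE_LOG = """\
192.0.2.10 [03/Apr/2002:09:35:05 -0500] "HEAD /qweiop43809442fsfjflr.html HTTP/1.1" 404 0 "-" "Mozilla/5.0"
192.0.2.10 - - [03/Apr/2002:09:35:06 -0500] "GET /NULL.printer HTTP/1.1" 404 288 "-" "-"
192.0.2.10 - - [03/Apr/2002:09:35:06 -0500] "GET / HTTP/1.1" 200 761 "-" "-"
198.51.100.7 - - [03/Apr/2002:09:40:00 -0500] "GET /index.html HTTP/1.1" 200 761 "-" "Mozilla/4.0"
"""

# Combined log format; the ident/user fields are optional because the first
# quoted line lacks them.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?:\S+ \S+ )?\[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse(log_text):
    """Yield (ip, timestamp, method, path, status) for each parsable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["method"], m["path"], int(m["status"])

def find_printer_probes(log_text, window=timedelta(seconds=5)):
    """Report .printer requests with the same client's nearby requests."""
    by_ip = defaultdict(list)
    for ip, ts, method, path, status in parse(log_text):
        by_ip[ip].append((ts, method, path, status))
    findings = []
    for ip, reqs in by_ip.items():
        for ts, method, path, status in reqs:
            # Ignore any query string; match the extension case-insensitively.
            if not path.split("?", 1)[0].lower().endswith(".printer"):
                continue
            nearby = [f"{m} {p} -> {s}" for t, m, p, s in reqs
                      if abs(t - ts) <= window and p != path]
            findings.append({"ip": ip, "time": ts.isoformat(), "path": path,
                             "status": status, "nearby": nearby})
    return findings

if __name__ == "__main__":
    for finding in find_printer_probes(SAMPLE_LOG):
        print(finding)
```

A 404 on the `.printer` request, as in the quoted log, means the server did not serve that URL; a 200 or 500 on the same request would deserve a closer look at the host.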



