[Dshield] Okay, I'm stumped.

van Niekerk Niel nielvanniekerk at oldmutual.com
Thu May 9 12:00:45 GMT 2002

I did some googling around this and found the following thread on a
discussion board:


Where Pat Wilson wrote:
"Hmm.  In the past two days we've started to see long http (IIS)
scans from several hosts.  They're all looking for a way to execute
cmd.exe, and seem to start with "GET /galaxy_<somerandomnum>" and
try to exploit a.asp, adsamples, PBServer, and Rpc as well as the
more usual directory traversal attacks."

In the last post in this thread there is a suggestion that it is a scan from
"White Hat Arsenal" I downloaded this and glanced through the scripts that
generate the scans... there doesn't seem to be a match between this and what
you are seeing (at least not in the version I downloaded [1.05-Beta]). So
there doesn't seem to be an answer to the question where this came from



The contents of this message and any attachments are 
intended solely for the addressee's use and may be legally 
privileged and/or confidential. If you are not the 
addressee indicated in this message, any retention,
distribution, copying or use of this message is strictly
prohibited. If you received this message in error, kindly
notify the sender immediately by reply e-mail and then
destroy the message and any copies thereof.

Opinions, conclusions and other information in this 
message must be understood as neither given nor 
endorsed by Old Mutual Banking Services and may be 
personal to the sender. Since e-mail communication
cannot be guaranteed to be secure, Old Mutual Banking
Services does not make any representation or give any 
guarantee concerning the confidentiality, security,
accuracy or completeness of any e-mail. Any liability for
viruses is excluded to the fullest extent permitted by law.


More information about the list mailing list