[Dshield] Target list acquisition? Pre-deployment preparation?

Johannes Ullrich jullrich at euclidian.com
Fri Nov 8 02:42:30 GMT 2002


   We got quite a bit of 'anecdotal' evidence of some coordinated
scans that look like they try to collect target lists of exploitable
web servers. So far, I have seen at least three distinct probes 
being used:

- ssl exploit, attempt to run 'uname -a;w;id' to find out more about
  the server.
- chunked-encoding exploit, similar payload but also enumerating
  interfaces (ifconfig)
- IIS unicode attack trying to copy shell to scripts directory.

In order to connect the dots, it would be helpful for anybody to
take a quick look at their web logs for these or other similar
signatures. So far, I have not seen anybody reporting an actual 
exploit or code deployment following these scans. It would be
helpful to get a better list of the hosts these scans come from
to track them back to the source.

So if you have relevant information, post it here or send it to me
off-list. Don't send standard code-red/nimda probes. Just the 
'out of the ordinary' stuff.

-- 
--------------------------------------------------------------------
jullrich at euclidian.com             Collaborative Intrusion Detection
                                         join http://www.dshield.org
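
Added example, not part of the original post: a web-log filter for the third probe listed above. It reports the source hosts whose IIS Unicode traversal requests run a copy through cmd.exe, and sets aside traversal requests that run anything else. The encodings matched, the Common Log Format layout and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines (Common Log Format, documentation IP ranges).
SAMPLE_LOG = [
    r'192.0.2.10 - - [07/Nov/2002:21:14:02 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\shell.exe HTTP/1.0" 404 289',
    r'192.0.2.10 - - [07/Nov/2002:21:14:03 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+shell.exe HTTP/1.0" 404 289',
    r'198.51.100.7 - - [07/Nov/2002:21:20:41 +0000] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289',
    r'203.0.113.5 - - [07/Nov/2002:21:25:00 +0000] "GET /index.html HTTP/1.0" 200 1043',
]

# Client address and request URL from a Common Log Format line.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+)')
# Assumed set of overlong / double-encoded slash forms following "..".
TRAVERSAL = re.compile(r'\.\.(?:%c0%af|%c1%9c|%c1%1c|%255c|%252f|%5c)', re.I)
# First word handed to cmd.exe /c (separator may be "+" or a decoded space).
CMD = re.compile(r'cmd\.exe\?/c[+ ](\w+)', re.I)


def classify(url):
    """Return 'copy', 'routine' or None for one request URL."""
    if not TRAVERSAL.search(url):
        return None
    m = CMD.search(unquote(url))  # decode %20 etc. before reading the command
    if not m:
        return None
    return 'copy' if m.group(1).lower() == 'copy' else 'routine'


def unusual_sources(lines):
    """Map source host -> list of traversal URLs that attempt a copy."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if m and classify(m.group(2)) == 'copy':
            hits[m.group(1)].append(m.group(2))
    return dict(hits)


if __name__ == '__main__':
    for host, urls in sorted(unusual_sources(SAMPLE_LOG).items()):
        print(f'{host}: {len(urls)} copy attempt(s)')
        for u in urls:
            print('   ', u)
```
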