[Dshield] automated probe?

Bernhard Fuchs bf at coffeecrew.org
Wed May 14 11:37:38 GMT 2008


Hello Rick,

It is a probe for Frontpage Server Extensions, as you can see from the fp30.reg.dll.
And the x90 is a noop and therefore looks like a Buffer Overflow.
It seems to be very old.
Check hxxp://www.securiteam.com/windowsntfocus/5JP0L1F4KM.html

b
----- "Rick Leir" <rdshield at leirtech.com> wrote:

> The same someone is probing my apache every few days.  I can understand
> a bad guy probing once, but it seems to be automated.  What is happening
> here?
> 
>  From my logwatch:
> 
> A total of 1 sites probed the server
>      69.155.29.160
>   Requests with error response codes
>      404 Not Found
>         /_vti_bin/_vti_aut/fp30reg.dll: 1 Time(s)
>      414 Request-URI Too Large
>         /\x90\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\ ... x90\x90\x90\x90: 1 Time(s)
> 
> ARIN whois:
> PPPoX Pool - Bras2 stlsmo 062104-1903.615166 SBC06915502800023040926182104 (NET-69-155-28-0-1)
>                                    69.155.28.0 - 69.155.29.255
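
Added example, not part of the original thread: a small triage script that flags the two request patterns from the logwatch report (the fp30reg.dll path and a long run of `\x90` bytes in the URI) and groups hits by client and day to show whether the probing recurs. It assumes Apache's combined log format with non-printable bytes escaped as `\xNN`; the threshold of four bytes, the function names, the sample lines and the documentation-range addresses are all constructed for illustration.

```python
import re
from collections import defaultdict

# Apache common/combined log prefix: client, [day:time zone], "request", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] "(?P<req>.*?)" (?P<status>\d{3}) '
)
FP_PATH = "/_vti_bin/_vti_aut/fp30reg.dll"             # path from the logwatch report
SLED_RE = re.compile(r"(?:\\x90){4,}", re.IGNORECASE)  # assumed threshold: 4+ bytes

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE = [
    r'192.0.2.10 - - [10/May/2008:03:12:01 +0000] "GET /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 312',
    r'192.0.2.10 - - [10/May/2008:03:12:02 +0000] "GET /\x90\xc9\xc9\xc9\xc9\x90\x90\x90\x90" 414 340',
    r'192.0.2.10 - - [13/May/2008:04:40:10 +0000] "GET /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 312',
    r'198.51.100.7 - - [13/May/2008:09:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120',
]

def classify(line):
    """Return (ip, day, tags) for a probe-like request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    tags = set()
    if FP_PATH in m["req"].lower():
        tags.add("fp30reg-probe")
    if SLED_RE.search(m["req"]):
        tags.add("x90-run")
    if m["status"] == "414":
        tags.add("uri-too-large")  # corroborating only; never flagged alone
    return (m["ip"], m["day"], tags) if tags - {"uri-too-large"} else None

def summarize(lines):
    """Group flagged requests per client; 'recurring' means seen on 2+ days."""
    seen = defaultdict(lambda: {"days": set(), "tags": set()})
    for line in lines:
        hit = classify(line)
        if hit:
            ip, day, tags = hit
            seen[ip]["days"].add(day)
            seen[ip]["tags"] |= tags
    return {ip: {"days": sorted(v["days"]), "tags": sorted(v["tags"]),
                 "recurring": len(v["days"]) > 1} for ip, v in seen.items()}

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE).items():
        print(ip, info)
```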

