new http scan?

Pat Wilson paw at
Fri Mar 22 19:03:43 GMT 2002

Hmm.  In the past two days we've started to see long http (IIS)
scans from several hosts.  They're all looking for a way to execute
cmd.exe, and seem to start with "GET /galaxy_<somerandomnum>" and
try to exploit a.asp, adsamples, PBServer, and Rpc as well as the
more usual directory traversal attacks.

Has anyone else seen this?  What's the "galaxy" bit about?


Pat Wilson
Network Security Manager
UCSD ACS/Network Operations
paw at
6F3A AE75 F931 3A19 D207 19F3 DB9B 29DC 2C3F E015
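
The scan pattern described in the post above, expressed as a log check (an added example, not part of the original message). The log layout, sample lines, addresses, `placeholder` path segments and the `min_probes` threshold are constructed assumptions; only the `/galaxy_<number>` opener and the probed names come from the post.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in an assumed 'host "request" status' layout.
SAMPLE_LOG = '''\
192.0.2.10 "GET /galaxy_48213 HTTP/1.0" 404
192.0.2.10 "GET /a.asp/placeholder/cmd.exe HTTP/1.0" 404
192.0.2.10 "GET /adsamples/placeholder/cmd.exe HTTP/1.0" 404
192.0.2.10 "GET /PBServer/placeholder/cmd.exe HTTP/1.0" 404
192.0.2.10 "GET /Rpc/placeholder/cmd.exe HTTP/1.0" 404
192.0.2.10 "GET /scripts/%2e%2e/placeholder/cmd.exe HTTP/1.0" 404
198.51.100.7 "GET /galaxy_tour.html HTTP/1.0" 200
203.0.113.5 "GET /scripts/../placeholder/cmd.exe HTTP/1.0" 404
'''

LINE = re.compile(r'^(\S+) "(\S+) (\S+)[^"]*" (\d{3})$')
MARKER = re.compile(r"^/galaxy_\d+")  # opener named in the post
TARGET = re.compile(r"/(a\.asp|adsamples|pbserver|rpc)(?=/|\?|$)", re.I)

def classify(path):
    """Return the set of probe labels a request path matches."""
    decoded = unquote(path).lower()  # catch percent-encoded dots as well
    labels = {m.group(1).lower() for m in TARGET.finditer(decoded)}
    if "cmd.exe" in decoded:
        labels.add("cmd.exe")
    if "../" in decoded or "..\\" in decoded:
        labels.add("traversal")
    return labels

def find_galaxy_scans(log_text, min_probes=3):
    """Flag hosts whose /galaxy_<num> request is followed by >= min_probes probes."""
    state = {}
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        host, _method, path, _status = m.groups()
        s = state.setdefault(host, {"marker": None, "probes": 0, "labels": set()})
        if s["marker"] is None:
            # Probes are only counted once the opener has been seen.
            s["marker"] = path if MARKER.match(path) else None
            continue
        labels = classify(path)
        if labels:
            s["probes"] += 1
            s["labels"] |= labels
    return {h: s for h, s in state.items() if s["probes"] >= min_probes}

if __name__ == "__main__":
    print(find_galaxy_scans(SAMPLE_LOG))
```

Requiring the opener before counting probes separates this scanner from hosts that only send the usual traversal requests, and from ordinary pages whose names merely begin with `galaxy_`.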

