Intrusion Detection Systems: Re: Bounced Message (Mod FWD)


From: Dug Song <dugsong_at_monkey.org>
Date: Wed, 17 May 2000 03:07:28 -0400 (EDT)

On Mon, 15 May 2000, Network Security wrote:

> i have been seeing several instances of this with my ids, i think it
> may be napster/gnutella activity, but what concerns me is why is
> "/etc/passwd" referenced within the traffic? is this some sort of
> napster/gnutella exploit?
>
> '/etc/passwd'P1%~'A$O_at_N!O2K.0W Z<'P;30F!Id]_'4_at_0frank
> blacka'PP@`SCEP.&Eerin

probably just a random gnutella query. see for yourself:

        http://www.monkey.org/~dugsong/tmp/gnutsniff.c.txt

this isn't to discount the possibility of a real gnutella exploit, though
- see Seth McGann's recent BUGTRAQ post for some background info. i also
have a 'gnutsmurf' program i'm not releasing, but you get the idea...

-d.

http://www.monkey.org/~dugsong/
Received on May 17 2000
