Security Incidents: Re: CRv3? Or some other ida type

From: Jim Forster <jforster_at_rapidnet.com>
Date: Tue, 31 Jul 2001 17:04:32 -0600

Mike,
That's generated by Eeye's CodeRed scanner. - Someone is checking your
subnet for exploitable boxes, I'd say.
Snort rule:
alert tcp any any -> any 80 (msg: "Eeye Scanner for CodeRed"; dsize: >239; flags: A+; content:"|2F782e69 64613f41 41414141|"; depth:64;)

Jim Forster
Network Administrator
RapidNet, A Golden West Company
--------------------------------------------------------
http://www.snort.org

----- Original Message -----
From: "Mike Baptiste" <mike_at_msbnetworks.com>
To: <incidents_at_securityfocus.com>
Sent: Tuesday, July 31, 2001 4:23 PM
Subject: CRv3? Or some other ida type

> So I've had my servers scanning for .ida probes
> (They're Apache - I'm just curious) Well, after
> 5PM EDT, I started to see a few probes that
> looked different than the Code Red probe
> (default.ida?NNN)
>
> Here's what I've seen so far:
>
> 136.176.193.XXX - - [31/Jul/2001:16:59:39 -
> 0400] "GET /x.ida?
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAA=X HTTP/1.1" 404 280 "-" "-"
>
> [somehost].bradley.edu - - [31/Jul/2001:17:11:24 -
> 0400] "GET /x.ida?
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAA=X HTTP/1.1" 404 211 "-" "-"
>
> The interesting thing is I'm getting probed twice
> by each host, about 2 minutes apart. Also, it
> must be doing random IP generation - I have
> servers on numerous sequential IPs, and I have
> not seen the probes move from one IP to the next.
>
> The traffic has been light (less than 10 probes so
> far) but given it's not even 8PM yet :) Just
> thought I'd post - this may be totally unrelated, but
> it might be CRv3 - so I figured I'd post.
>
> --------------------------------------------------------------------------

> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
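Added example, not part of the thread above: a small Python checker that tells the two .ida request shapes discussed here apart in Apache access logs (the worm's `default.ida?NNN...` versus the `x.ida?AAA...=X` probe Jim attributes to the eEye scanner), applies the dsize/content/depth tests of the quoted Snort rule to a raw payload, and reports the interval between repeat probes from one source, since Mike noted each host hit him twice about two minutes apart. Host addresses and log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined-log prefix: client, ident, user, [timestamp] "request" status
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

# Bytes from the Snort rule in the reply: "/x.ida?AAAAAA", searched within the
# first 64 payload bytes (depth:64) on a payload larger than 239 bytes (dsize:>239).
EEYE_CONTENT = bytes.fromhex("2F782e6964613f414141414141")

def matches_snort_rule(payload: bytes) -> bool:
    """Apply the rule's dsize, content and depth tests to one TCP payload."""
    return len(payload) > 239 and EEYE_CONTENT in payload[:64]

def classify_request(req: str) -> str:
    """Label a request line by the .ida URL shapes described in the thread."""
    parts = req.split(" ")
    if len(parts) != 3 or parts[0] != "GET":
        return "other"
    path = parts[1]
    if re.fullmatch(r"/default\.ida\?N+.*", path):  # worm probe: default.ida?NNN...
        return "codered"
    if re.fullmatch(r"/x\.ida\?A+=X", path):        # scanner probe: x.ida?AAA...=X
        return "eeye-scanner"
    return "other"

def summarize(lines):
    """Per-source labels plus seconds between successive probes from that source."""
    seen = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not combined-log format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        seen[m["host"]].append((ts, classify_request(m["req"])))
    out = {}
    for host, events in seen.items():
        events.sort()
        gaps = [int((b[0] - a[0]).total_seconds()) for a, b in zip(events, events[1:])]
        out[host] = {"labels": [e[1] for e in events], "gaps_s": gaps}
    return out

# Constructed sample lines shaped like the ones in the original post
# (192.0.2.x is a documentation range, not a real probing host).
PROBE = "GET /x.ida?" + "A" * 220 + "=X HTTP/1.1"
SAMPLE_LOG = [
    f'192.0.2.10 - - [31/Jul/2001:16:59:39 -0400] "{PROBE}" 404 280 "-" "-"',
    f'192.0.2.10 - - [31/Jul/2001:17:01:39 -0400] "{PROBE}" 404 280 "-" "-"',
    '192.0.2.20 - - [31/Jul/2001:17:05:02 -0400] "GET /default.ida?' + "N" * 224 + ' HTTP/1.0" 404 280 "-" "-"',
    '192.0.2.30 - - [31/Jul/2001:17:06:11 -0400] "GET /index.html HTTP/1.0" 200 1532 "-" "Mozilla/4.0"',
]
```

Running `summarize(SAMPLE_LOG)` on the constructed lines reports two scanner probes 120 seconds apart from the first source, one worm-style probe from the second, and nothing of interest from the third.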
Received on Aug 01 2001