Security Incidents mailing list archives

What's the tool? (iis, ftp, 57/tcp)


From: "Scott A. McIntyre" <scott () xs4all net>
Date: Wed, 11 Sep 2002 21:35:13 +0200


I'm trying to identify whatever the tool is that seems to be annoying
our networks.  It has a number of characteristics, and seems to be
mostly aimed towards vulnerable Windows machines, but I'm making no
assumptions there.

Symptoms:

o  ICMP packets with payload of "hello ???"
o  IIS exploits à la Nimda style (and others)
o  FTP server testing for anonymous capabilities
o  TCP port 57 probing.


The IIS queries are along the lines of:

HEAD /PBServer/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:\
HEAD /msadc/..%c1%af../winnt/system32/cmd.exe?/c+dir+c:\
HEAD /msadc/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\

And so on.

FTP logs in as anonymous with password of "ano () ano com"

I'm not really sure what the 57/tcp is about however.

Anyone know what the tool is?

Thanks,

Scott
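
Added example, not part of the original post: a Python log-triage sketch for the three IIS request lines quoted above. It percent-decodes each path until it stops changing, then flags multi-round encoding, bytes that are not valid UTF-8, `..` traversal and a `cmd.exe` target; the function names, finding labels and decoding cap are assumptions of this example.

```python
import re
from urllib.parse import unquote_to_bytes

MAX_ROUNDS = 5                              # cap on repeated decoding (assumed limit)
TRAVERSAL = re.compile(rb"\.\.[/\\]")       # ".." followed by / or \

# Constructed sample: the three request lines quoted in the post plus one benign line.
SAMPLE_REQUESTS = [
    "HEAD /PBServer/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:\\",
    "HEAD /msadc/..%c1%af../winnt/system32/cmd.exe?/c+dir+c:\\",
    "HEAD /msadc/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\\",
    "GET /index.html",
]

def fully_decode(raw: bytes):
    """Percent-decode until the value stops changing; return (bytes, rounds used)."""
    rounds = 0
    while rounds < MAX_ROUNDS:
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw, rounds = decoded, rounds + 1
    return raw, rounds

def classify(request_line: str):
    """Return a list of findings for one 'METHOD target' log line."""
    parts = request_line.split()
    target = parts[1] if len(parts) > 1 else ""
    path = target.split("?", 1)[0].encode("latin-1", "replace")
    decoded, rounds = fully_decode(path)
    findings = []
    if rounds > 1:                          # e.g. %25%35%63 -> %5c -> backslash
        findings.append("multi-encoded")
    try:
        decoded.decode("utf-8")             # strict: rejects invalid lead bytes
    except UnicodeDecodeError:
        findings.append("invalid-utf8")
    if TRAVERSAL.search(decoded):
        findings.append("traversal")
    if decoded.lower().endswith(b"cmd.exe"):
        findings.append("cmd.exe")
    return findings

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(classify(line) or ["clean"], line)
```
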



