
Re: [Full-Disclosure] Need help to find web server attacks signature



I'm currently seeing this scenario:

1. The person gets on the web site with his browser (IE6 on XP);
we see some valid GETs at the beginning

2. The person ran one of these tools:
    Nikto : http://www.cirt.net/code/nikto.shtml
    Whisker : http://sourceforge.net/projects/whisker/
    N-Stealth : http://www.nstalker.com/nstealth/
    Retina:  http://www.eeye.com/html/Products/Retina/
   another...

3. The person retries the website to get some URLs;
we see some other valid GETs further on

4. The person either ran another tool on specific URLs, like
Paul just said



The source IP isn't listed in DShield or mynetwatchman

The server doesn't show any weird behavior, nor does it have
weird traffic going on

We are thinking URLScan did a good job :)

Thanks all for your replies

---------------------------------------------------------------
  Maxime Ducharme
  Network Administrator, Programmer


----- Original Message ----- 
From: "Schmehl, Paul L" <pauls@utdallas.edu>
To: "Maxime Ducharme" <maxime@pandore-design.com>;
<full-disclosure@lists.netsys.com>
Sent: Wednesday, October 22, 2003 4:05 PM
Subject: RE: [Full-Disclosure] Need help to find web server attacks
signature


> > -----Original Message-----
> > From: Maxime Ducharme [mailto:maxime@pandore-design.com]
> > Sent: Wednesday, October 22, 2003 12:40 PM
> > To: full-disclosure@lists.netsys.com
> > Subject: [Full-Disclosure] Need help to find web server
> > attacks signature
> >
> >
> > Hi all,
> >     I'd need help to identify an attack that happened on one
> > of our customer's web server yesterday, I put the log file
> > here :
> > http://www.pandore-design.com/security/2003-10-21-IIS-attack.txt
>
> Looks like a vuln scanner that's designed to try a number of default
> install mistakes to see if anything works.  The previous poster may be
> correct that it was NIKTO.  Could also be whisker or stealth.
>
> Paul Schmehl (pauls@utdallas.edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/~pauls/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>


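Added example, not part of the original messages: one way to recover the browse / scanner / browse sequence described in the scenario above from an IIS W3C extended log, by splitting each client's requests into runs separated by idle gaps and labelling long runs that are almost entirely 4xx responses. The field list, thresholds, IP addresses and paths are assumptions constructed for illustration, not values from the log file linked in the thread.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def parse_w3c(lines):
    """Yield (timestamp, client_ip, uri, status) from W3C extended log lines."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order is declared in the log
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            ts = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
            yield ts, row["c-ip"], row["cs-uri-stem"], int(row["sc-status"])

def label(run, min_hits, min_err):
    """A long run made almost entirely of 4xx answers is treated as a scanner pass."""
    errors = sum(1 for _, _, status in run if 400 <= status < 500)
    kind = "scan" if len(run) >= min_hits and errors / len(run) >= min_err else "browse"
    return kind, run[0][0], len(run)

def phases(events, gap=timedelta(seconds=30), min_hits=20, min_err=0.8):
    """Split one client's requests into runs separated by idle gaps, then label them."""
    out, run = [], []
    for ev in sorted(events):
        if run and ev[0] - run[-1][0] > gap:
            out.append(label(run, min_hits, min_err))
            run = []
        run.append(ev)
    if run:
        out.append(label(run, min_hits, min_err))
    return out

def timeline(lines):
    """Map each client IP to its ordered list of (kind, start_time, hits)."""
    per_ip = defaultdict(list)
    for ts, ip, uri, status in parse_w3c(lines):
        per_ip[ip].append((ts, uri, status))
    return {ip: phases(evs) for ip, evs in per_ip.items()}

def build_sample():
    """Constructed log (documentation IPs, placeholder paths), not the thread's file."""
    t0, rows = datetime(2003, 10, 21, 14, 0, 0), ["#Fields: date time c-ip cs-method cs-uri-stem sc-status"]
    def add(sec, ip, uri, status):
        rows.append(f"{t0 + timedelta(seconds=sec):%Y-%m-%d %H:%M:%S} {ip} GET {uri} {status}")
    for i, uri in enumerate(["/", "/products.asp", "/contact.asp"]):
        add(i * 5, "192.0.2.10", uri, 200)                               # first valid GETs
    for i in range(40):
        add(120 + i // 4, "192.0.2.10", f"/constructed-probe-{i:02d}", 404)  # tool run
    add(300, "192.0.2.10", "/products.asp", 200)                         # valid GETs again
    add(310, "192.0.2.10", "/contact.asp", 200)
    add(20, "198.51.100.7", "/", 200)                                    # unrelated visitor
    add(25, "198.51.100.7", "/missing.gif", 404)
    return rows
```

Calling `timeline(build_sample())` returns, per client IP, the ordered runs with their start time and request count; the idle gap and error-ratio thresholds need tuning against the site's normal traffic.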