Hello,

Just checking in here. I am curious, I saw a post earlier regarding whisker scans. Here, our servers are getting hit by the same type of thing. IDS 296 -w- snort. It has only been during the last several days that we have had this activity. One followed with an IIS_ISAPI buffer overflow, and was preceded by some spoofed traceroute activity. Got another from some Korean address that didn't resolve. All seem to check their sploit after, as I get some connect attempts, so it looks like a script or another worm maybe? Strange thing is that Apache's default logging doesn't pick this up at all, even the post-whisker connects... Has anyone else seen this activity?
On Thu, 15 Nov 2001 12:39:32 -0500, user wrote:
I get all sorts of crap like this every day, as I'm sure do most of the people on this list. It is not unusual that Apache doesn't see a lot of this traffic, as Apache is only ever going to log traffic that hits its port, not other parts of the machine. If you check /var/log/httpd/access_log I'm sure you will see the IIS overflow attempts etc. listed there. You will not of course see the traceroute info etc., but that of course is why you are running snort...

--
Viel Spaß
Nix - nix@susesecurity.com
http://www.susesecurity.com
On Thu, 15 Nov 2001, Peter Nixon wrote:
That, and the Nimda/CodeRed scans, have become so routine at my site that I've written a filter, named "whathappened", which lists only those lines of the access_log file that *don't* represent such requests. Each day, I use "whathappened" to look at the HTTP access log and find out if anyone's trying any *new* attacks. Also, the utilities that track webpage usage and web misses by grepping access_log are happier now that their input is piped through "whathappened". My site doesn't use CGI counters; there are more CGI exploits than I want to keep track of, so I've disabled it. The page counts and miss counts get updated by a cron job that looks at the access log instead. Also, it's a nice reminder of what I need to work on on the website. Daily, I do "whathappened | grep 404 | tail" to find out the last few page misses on my site and go fix a couple.

Bear
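A minimal filter in the spirit of the "whathappened" tool described above, added here as an example and not Ray Dillinger's actual script: a shell function that drops access_log lines matching a few well-known Code Red / Nimda request strings so that only unexpected requests remain. The signature list and the sample log lines are constructed for illustration (the addresses are documentation ranges, not real hosts).

```shell
#!/bin/sh
# whathappened: print only the access_log lines that are NOT routine
# worm/scanner noise, so anything new or unusual stands out.
# The pattern list is an assumption built from widely documented
# Code Red (default.ida) and Nimda (root.exe, cmd.exe, traversal) strings.
NOISE_PATTERNS='default\.ida|/scripts/root\.exe|cmd\.exe|/_vti_bin/|/msadc/|/_mem_bin/|\.\./\.\./'

whathappened() {
    # -v inverts the match, -E enables alternation in the pattern
    grep -v -E "$NOISE_PATTERNS"
}

# Number of lines that survive the filter (handy for a daily cron summary)
whathappened_count() {
    whathappened | grep -c .
}

# Constructed sample log lines in Apache combined format, not captured traffic
SAMPLE_LOG='192.0.2.10 - - [15/Nov/2001:09:01:12 -0500] "GET /default.ida?XXXX HTTP/1.0" 404 279 "-" "-"
192.0.2.11 - - [15/Nov/2001:09:02:45 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
192.0.2.11 - - [15/Nov/2001:09:02:46 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305 "-" "-"
198.51.100.7 - - [15/Nov/2001:09:05:02 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [15/Nov/2001:09:05:09 -0500] "GET /oldpage.html HTTP/1.1" 404 210 "-" "Mozilla/4.0"'

# Daily use as described in the thread: the last few genuine page misses,
# with the worm noise already removed so they are not drowned out.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | whathappened | grep ' 404 ' | tail
fi
```

Run with `--demo` to see the one real 404 (/oldpage.html) that remains once the three worm probes are filtered out; in production, replace the sample with `whathappened < /var/log/httpd/access_log`.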
participants (3)
- Peter Nixon
- Ray Dillinger
- user