On Thu, 15 Nov 2001 12:39:32 -0500
user
Hello,
Just checking in here. I am curious, I saw a post earlier regarding whisker scans. Here, our servers are getting hit by the same type of thing. IDS 296 -w- snort. It has only been during the last several days that we have had this activity.
One followed with an IIS_ISAPI buffer overflow, and was preceded by some spoofed traceroute activity. Got another from some Korean address that didn't resolve. All seem to check their sploit after, as I get some connect attempts, so it looks like a script or another worm maybe? Strange thing is that Apache's default logging doesn't pick this up at all, even the post whisker connects...
Has anyone else seen this activity?
I get all sorts of crap like this every day, as I'm sure do most of the people on this list. It is not unusual that Apache doesn't see a lot of this traffic, as Apache is only ever going to log traffic that hits its port, not other parts of the machine. If you check /var/log/httpd/access_log I'm sure you will see the IIS overflow attempts etc. listed there. You will not of course see the traceroute info etc., but that of course is why you are running snort...
-- 
Have fun
Nix - nix@susesecurity.com
http://www.susesecurity.com
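
Added example, not part of the original thread or written by either poster: one way to pull the IIS-targeted requests mentioned in the reply out of an Apache access log. It assumes the log is in Common Log Format; the indicator patterns, the length threshold and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) (\S+)')

# Assumed indicators: ISAPI-mapped extensions (.ida/.idq/.printer/.htr) and
# IIS-only paths that have no reason to be requested from an Apache server.
ISAPI_EXT = re.compile(r'\.(ida|idq|printer|htr)(\?|$|/)', re.I)
IIS_PATH = re.compile(r'(cmd\.exe|root\.exe|/_vti_bin/|/msadc/)', re.I)
LONG_REQUEST = 200  # assumed threshold for an overflow-sized request line

def classify(line):
    """Return (host, status, reasons) for a suspicious line, else None."""
    m = CLF.match(line)
    if not m:
        return None
    host, _when, request, status, _size = m.groups()
    parts = request.split(" ")
    target = unquote(parts[1]) if len(parts) > 1 else request
    reasons = []
    if ISAPI_EXT.search(target):
        reasons.append("isapi-extension")
    if IIS_PATH.search(target):
        reasons.append("iis-path")
    if len(request) > LONG_REQUEST:
        reasons.append("oversized-request")
    return (host, int(status), reasons) if reasons else None

def scan(lines):
    """Classify every line and keep only the suspicious ones, in order."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [15/Nov/2001:12:01:02 -0500] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [15/Nov/2001:12:03:44 -0500] "GET /default.ida?'
    + "N" * 224 + ' HTTP/1.0" 404 276',
    '203.0.113.5 - - [15/Nov/2001:12:04:10 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 290',
    '203.0.113.5 - - [15/Nov/2001:12:04:11 -0500] "HEAD /null.printer HTTP/1.0" 404 -',
]

if __name__ == "__main__":
    for host, status, reasons in scan(SAMPLE):
        print(host, status, ",".join(reasons))
```

The status column is worth keeping in the output: a 404 from Apache means the IIS-specific resource did not exist on the server, while the source address can still be correlated with the snort alerts for the same time window.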