15 Nov
2001
15 Nov
'01
17:39
Hello, Just checking in here. I am curious, I saw a post earlier regarding whisker scans. Here, our servers are getting hit by the same type of thing. IDS 296 -w- snort. It has only been during the last several days that we have had this activity. One followed with an IIS_ISAPI buffer overflow, and was preceded by some spoofed traceroute activity. Got another from some korean address that didn't resolve. All seem to check their sploit after, as I get some connect attempts, so it looks like a script or another worm maybe? Strange thing is that apaches default logging doesn't pick this up at all, even the post whisker connects... Has anyone else seen this activity?