Message-ID: <213201c398e1$9e62e250$c864a8c0@Maxime>
From: maxime at pandore-design.com (Maxime Ducharme)
Subject: Need help to find web server attacks signature

I'm currently seeing this scenario:

1. The person gets on the web site with his browser (IE6 on XP);
we see some valid GETs at the beginning

2. The person ran one of these tools:
    Nikto: http://www.cirt.net/code/nikto.shtml
    Whisker: http://sourceforge.net/projects/whisker/
    N-Stealth: http://www.nstalker.com/nstealth/
    Retina: http://www.eeye.com/html/Products/Retina/
    another...

3. The person retries the website to get some URLs;
we see some other valid GETs further

4. The person either ran another tool on specific URLs, like
Paul just said



The source IP isn't listed in DShield or mynetwatchman

The server doesn't show any weird behavior, nor does it have
weird traffic going on

We are thinking URLScan did a good job :)

Thanks all for your replies

---------------------------------------------------------------
  Maxime Ducharme
  Network Administrator, Programmer


----- Original Message ----- 
From: "Schmehl, Paul L" <pauls@...allas.edu>
To: "Maxime Ducharme" <maxime@...dore-design.com>;
<full-disclosure@...ts.netsys.com>
Sent: Wednesday, October 22, 2003 4:05 PM
Subject: RE: [Full-Disclosure] Need help to find web server attacks
signature


> > -----Original Message-----
> > From: Maxime Ducharme [mailto:maxime@...dore-design.com]
> > Sent: Wednesday, October 22, 2003 12:40 PM
> > To: full-disclosure@...ts.netsys.com
> > Subject: [Full-Disclosure] Need help to find web server
> > attacks signature
> >
> >
> > Hi all,
> >     I'd need help to identify an attack that happened on one
> > of our customer's web server yesterday, I put the log file
> > here :
> > http://www.pandore-design.com/security/2003-10-21-IIS-attack.txt
>
> Looks like a vuln scanner that's designed to try a number of default
> install mistakes to see if anything works.  The previous poster may be
> correct that it was NIKTO.  Could also be whisker or stealth.
>
> Paul Schmehl (pauls@...allas.edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/~pauls/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
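
The pattern described in this thread (normal browsing, a burst of probes from the same address, then normal browsing again) can be picked out of an IIS W3C extended log mechanically. The following is an added example, not part of the original messages: it flags clients that draw many distinct 4xx responses within a short window. The field list, thresholds, addresses and log lines are constructed assumptions, not the poster's log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def parse_w3c(text):
    """Yield dict rows from W3C extended log text, honouring #Fields: lines."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(row["date"] + " " + row["time"],
                                          "%Y-%m-%d %H:%M:%S")
            yield row

def find_scanners(rows, window=timedelta(seconds=60), min_missing=10):
    """Return {ip: (burst_start, burst_end, distinct_uris)} for clients that got
    4xx replies for at least min_missing distinct URIs inside one window."""
    errors = defaultdict(list)          # ip -> [(ts, uri)] for 4xx replies
    for r in rows:
        if r["sc-status"].startswith("4"):
            errors[r["c-ip"]].append((r["ts"], r["cs-uri-stem"].lower()))
    flagged = {}
    for ip, hits in errors.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1              # slide the window forward
            uris = {u for _, u in hits[start:end + 1]}
            best = flagged.get(ip, (None, None, 0))[2]
            if len(uris) >= min_missing and len(uris) > best:
                flagged[ip] = (hits[start][0], hits[end][0], len(uris))
    return flagged

def build_sample():
    """Constructed log: browsing, a probe burst, browsing again, plus one
    unrelated visitor with a single broken link."""
    lines = ["#Fields: date time c-ip cs-method cs-uri-stem sc-status",
             "2003-10-21 14:00:01 192.0.2.10 GET /default.asp 200",
             "2003-10-21 14:00:04 198.51.100.7 GET /old-page.htm 404"]
    lines += ["2003-10-21 14:05:%02d 192.0.2.10 GET /probe/item%d.asp 404" % (i, i)
              for i in range(25)]
    lines.append("2003-10-21 14:09:30 192.0.2.10 GET /products.asp 200")
    return "\n".join(lines)

if __name__ == "__main__":
    for ip, (t0, t1, n) in find_scanners(parse_w3c(build_sample())).items():
        print(ip, t0, t1, n)
```

Counting distinct URIs rather than raw 4xx replies keeps a visitor who reloads one broken link from being flagged.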


