More weird stuff beginning: we see some HTTP GETs which contain this information:

Accept: */*
Host: website.domain.com
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
-------: ----:----------------------
----------: -----

We got this via tcpdump. There is no other HTTP information. 2 headers are "hidden" and replaced with the "-" char.

It looks like a bot (GET many times on many pages) and the source is in this block:
81.62.0.0 - 81.62.255.255 BLUEWINNET
which is not the same as the one used for our attack yesterday.

Any thoughts on these "hidden" HTTP headers?

Thanks again

---------------------------------------------------------------
Maxime Ducharme
Network administrator, Programmer
E-Mail: [EMAIL PROTECTED]
PGP public key: http://pandore-design.com/pgp/maxime.asc
Pandore-Design [http://www.pandore-design.com]
Tel: (866) 961-9321
Fax: (866) 961-9943

----- Original Message -----
From: "Maxime Ducharme" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, October 22, 2003 1:40 PM
Subject: Need help to find web server attacks signature

> Hi all,
> I'd need help to identify an attack that happened on one of our
> customer's web server yesterday. I put the log file here:
> http://www.pandore-design.com/security/2003-10-21-IIS-attack.txt
>
> I see some attacks that seem to be a security scanner tool,
> and some attacks which target specific pages of the web site
> (where we begin to see 200 responses from the web server).
>
> Does someone recognize a tool / virus / worm in this?
>
> Thanks in advance for help
>
> ---------------------------------------------------------------
> Maxime Ducharme
> Network administrator, Programmer
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
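An added triage example, not part of the thread or the poster's own tooling: given requests reassembled from a capture like the one above, it flags header lines masked with "-" characters, counts distinct pages per source, and checks membership in the 81.62.0.0/16 block the poster names. The sample requests, IPs and paths are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Header lines whose name and value consist only of '-' (plus ':' and spaces),
# the shape of the two masked headers quoted in the thread.
MASKED_HEADER = re.compile(r"^-+:\s*[-:]+$")
# Address block the poster traced the requests to (81.62.0.0 - 81.62.255.255).
SUSPECT_BLOCK = ipaddress.ip_network("81.62.0.0/16")

# Constructed sample traffic: (source IP, request line, header lines), as one
# would reassemble them from a tcpdump ASCII dump. IPs and paths are made up.
BOT_HEADERS = ["Accept: */*", "Host: website.domain.com",
               "User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)",
               "-------: ----:----------------------", "----------: -----"]
SAMPLE_REQUESTS = [("81.62.10.5", "GET %s HTTP/1.0" % p, BOT_HEADERS)
                   for p in ("/index.html", "/products.asp", "/contact.asp")]
SAMPLE_REQUESTS.append(("192.0.2.44", "GET /index.html HTTP/1.1",
                        ["Accept: text/html", "Host: website.domain.com",
                         "User-Agent: Mozilla/5.0", "Accept-Language: en"]))

def masked_headers(header_lines):
    """Return the header lines that are fully masked with '-' characters."""
    return [h for h in header_lines if MASKED_HEADER.match(h)]

def summarise(requests):
    """Per source IP: request count, distinct paths, masked headers, in-block flag."""
    stats = defaultdict(lambda: {"requests": 0, "paths": set(),
                                 "masked": 0, "in_block": False})
    for src, request_line, headers in requests:
        parts = request_line.split()
        path = parts[1] if len(parts) > 1 else request_line
        s = stats[src]
        s["requests"] += 1
        s["paths"].add(path)
        s["masked"] += len(masked_headers(headers))
        s["in_block"] = ipaddress.ip_address(src) in SUSPECT_BLOCK
    return dict(stats)

def flag_crawlers(requests, min_paths=3):
    """Sources that requested at least min_paths distinct pages while sending
    masked headers: the 'GET many times on many pages' pattern described above."""
    return sorted(src for src, s in summarise(requests).items()
                  if len(s["paths"]) >= min_paths and s["masked"] > 0)

if __name__ == "__main__":
    for src, s in sorted(summarise(SAMPLE_REQUESTS).items()):
        print(src, s["requests"], len(s["paths"]), s["masked"], s["in_block"])
    print("flagged:", flag_crawlers(SAMPLE_REQUESTS))
```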
