I would guess that there is a script kiddie now in control of the box. He is probably using an automatic tool to search for a certain known vulnerability in web servers by the 1000.
Due to the content of the web page being served by the host, my immediate assumption (and remember kids, assumption is the mother of all f*&k-ups) is that the host that scanned you has previously fallen to the exploit. It is now "owned" by "sex0r" and the page is just to show off his great "l33tn3ss". The host is probably now doing all his dirty work of scanning IPs by the 1000.

Just my immediate thoughts, please take with a pinch of salt.

Best Regards
Nard.
[EMAIL PROTECTED]

-----Original Message-----
From: KoRe MeLtDoWn [mailto:[EMAIL PROTECTED]]
Sent: 09 May 2002 07:38
To: [EMAIL PROTECTED]
Subject: Strange scan and port 80 output from an ip

Hello,

Just a few minutes ago I received a scan from the IP address 210.101.95.51 on port 80 with the source port being port 3021. Two separate connection attempts were logged one after the other. The output from my firewall was as follows:

----Start Output----
IP: 210.101.95.51
Node: ±èâÁØ
NetBIOS: ±èà
Group: WORKGROUP
MAC: 000102FBE16B
DNS: ±èâÁØ
----End Output----

If you connect to this IP on port 80 you get a webpage output that reads the following:

sex0r lowd l33tn3ss sex0r geeklab.org contact:[EMAIL PROTECTED]

The reason I've posted this is because I have been scanned by these people before, and wanted to know what they were about, and if possible what they were attempting to do on my machine.

Thanks in advance for your help

Peter Francis
-= KoRe WoRkS =- Internet Security
Owner Operator
http://www.koreworks.com/
New Zealand
Is your box REALLY secure?

This E-mail and its attachments have been scanned for viruses before delivery. For more information contact [EMAIL PROTECTED]