
List:       intrusions
Subject:    What tool is this?!?! (long)
From:       Ronnie Clark <ronj_clark () yahoo ! com>
Date:       2002-01-30 21:55:18

Hello all,

  I saw this pop up in our logs, and was wondering
what tool this person might be using. Here are some
instances:

< 1st log snip >
2002/01/30-13:08:12.288100 172.189.108.2 > x.y.z.1:
icmp: echo request
2002/01/30-13:08:17.748266 172.189.108.2 > x.y.z.1:
icmp: echo request
2002/01/30-13:08:22.778419 172.189.108.2 > x.y.z.1:
icmp: echo request
2002/01/30-13:08:22.778419 172.189.108.2.4133 >
x.y.z.1.79: S 3092150293:3092150293(0) win 8160  (DF)
2002/01/30-13:08:22.838420 172.189.108.2.4134 >
x.y.z.1.25: S 3092229938:3092229938(0) win 8160  (DF)
2002/01/30-13:08:22.928423 172.189.108.2.4135 >
x.y.z.1.34567: S 3092295715:3092295715(0) win 8160 
(DF)
2002/01/30-13:08:22.978425 172.189.108.2.4136 >
x.y.z.1.79: S 3092369878:3092369878(0) win 8160  (DF)
2002/01/30-13:08:23.058427 172.189.108.2.4137 >
x.y.z.1.79: S 3092404326:3092404326(0) win 8160  (DF)
2002/01/30-13:08:23.138430 172.189.108.2.4138 >
x.y.z.1.79: S 3092467091:3092467091(0) win 8160  (DF)
2002/01/30-13:08:23.218432 172.189.108.2.4139 >
x.y.z.1.23: S 3092547968:3092547968(0) win 8160  (DF)
2002/01/30-13:08:23.298434 172.189.108.2.4140 >
x.y.z.1.111: S 3092638269:3092638269(0) win 8160  (DF)
2002/01/30-13:08:23.378437 172.189.108.2.4141 >
x.y.z.1.445: S 3092697586:3092697586(0) win 8160  (DF)
2002/01/30-13:08:23.398437 172.189.108.2.4143 >
x.y.z.1.139: S 3092788143:3092788143(0) win 8160  (DF)
2002/01/30-13:08:23.438439 172.189.108.2.4144 >
x.y.z.1.80: S 3092849827:3092849827(0) win 8160  (DF)
2002/01/30-13:08:23.438439 x.y.z.1.80 >
172.189.108.2.4144: S 1731465274:1731465274(0) ack
3092849828 win 9520  (DF)
2002/01/30-13:08:23.508441 172.189.108.2.4145 >
x.y.z.1.1433: S 3092928008:3092928008(0) win 8160 
(DF)
2002/01/30-13:08:23.588443 172.189.108.2.4146 >
x.y.z.1.80: S 3092993382:3092993382(0) win 8160  (DF)
2002/01/30-13:08:23.588443 x.y.z.1.80 >
172.189.108.2.4146: S 3360850337:3360850337(0) ack
3092993383 win 29200  (DF)
2002/01/30-13:08:23.678446 172.189.108.2.4147 >
x.y.z.1.80: S 3093044082:3093044082(0) win 8160  (DF)
2002/01/30-13:08:23.678446 x.y.z.1.80 >
172.189.108.2.4147: S 1831234381:1831234381(0) ack
3093044083 win 9520  (DF)
2002/01/30-13:08:23.738448 172.189.108.2.4148 >
x.y.z.1.53: S 3093131064:3093131064(0) win 8160  (DF)
2002/01/30-13:08:23.778449 172.189.108.2.4144 >
x.y.z.1.80: . ack 1731465275 win 8160 (DF)
2002/01/30-13:08:23.778449 172.189.108.2.4144 >
x.y.z.1.80: P 3092849828:3092849864(36) ack 1731465275
win 8160 (DF)
2002/01/30-13:08:23.778449 x.y.z.1.80 >
172.189.108.2.4144: . 1731465275:1731466635(1360) ack
3092849864 win 9484 (DF)
2002/01/30-13:08:23.778449 x.y.z.1.80 >
172.189.108.2.4144: . 1731466635:1731467995(1360) ack
3092849864 win 9484 (DF)
2002/01/30-13:08:23.798450 172.189.108.2.4149 >
x.y.z.1.3306: S 3093205289:3093205289(0) win 8160 
(DF)
2002/01/30-13:08:23.938454 172.189.108.2.4146 >
x.y.z.1.80: . ack 3360850338 win 8160 (DF)
2002/01/30-13:08:23.938454 172.189.108.2.4146 >
x.y.z.1.80: P 3092993383:3092993471(88) ack 3360850338
win 8160 (DF)
2002/01/30-13:08:23.938454 x.y.z.1.80 >
172.189.108.2.4146: P 3360850338:3360850500(162) ack
3092993471 win 29112 (DF)
2002/01/30-13:08:23.938454 x.y.z.1.80 >
172.189.108.2.4146: F 3360850500:3360850500(0) ack
3092993471 win 29112 (DF)
2002/01/30-13:08:23.998456 172.189.108.2.4147 >
x.y.z.1.80: . ack 1831234382 win 8160 (DF)
2002/01/30-13:08:24.018456 172.189.108.2.4147 >
x.y.z.1.80: P 3093044083:3093044130(47) ack 1831234382
win 8160 (DF)
2002/01/30-13:08:24.038457 x.y.z.1.80 >
172.189.108.2.4147: P 1831234382:1831235005(623) ack
3093044130 win 9473 (DF)
2002/01/30-13:08:24.038457 x.y.z.1.80 >
172.189.108.2.4147: F 1831235005:1831235005(0) ack
3093044130 win 9473 (DF)
2002/01/30-13:08:24.518472 172.189.108.2.4144 >
x.y.z.1.80: R 3092849864:3092849864(0) win 0 (DF)
2002/01/30-13:08:24.518472 172.189.108.2.4150 >
x.y.z.1.80: S 3093431718:3093431718(0) win 8160  (DF)
2002/01/30-13:08:24.518472 x.y.z.1.80 >
172.189.108.2.4150: S 3622867304:3622867304(0) ack
3093431719 win 29200  (DF)
2002/01/30-13:08:24.648475 172.189.108.2.4144 >
x.y.z.1.80: R 3092849864:3092849864(0) win 0
2002/01/30-13:08:24.678476 172.189.108.2.4146 >
x.y.z.1.80: . ack 3360850501 win 7998 (DF)
2002/01/30-13:08:24.698477 172.189.108.2.4146 >
x.y.z.1.80: F 3092993471:3092993471(0) ack 3360850501
win 7998 (DF)
2002/01/30-13:08:24.698477 172.189.108.2.4151 >
x.y.z.1.80: S 3093529045:3093529045(0) win 8160  (DF)
2002/01/30-13:08:24.698477 x.y.z.1.80 >
172.189.108.2.4146: . ack 3092993472 win 29112 (DF)
2002/01/30-13:08:24.698477 x.y.z.1.80 >
172.189.108.2.4151: S 2324190091:2324190091(0) ack
3093529046 win 9520  (DF)
2002/01/30-13:08:24.718478 172.189.108.2.4147 >
x.y.z.1.80: . ack 1831234382 win 8160 (DF)
2002/01/30-13:08:24.808480 172.189.108.2.4147 >
x.y.z.1.80: . ack 1831235006 win 7537 (DF)
2002/01/30-13:08:24.838481 172.189.108.2.4147 >
x.y.z.1.80: R 3093044130:3093044130(0) win 0 (DF)
2002/01/30-13:08:24.868482 172.189.108.2.4150 >
x.y.z.1.80: . ack 3622867305 win 8160 (DF)
2002/01/30-13:08:24.868482 172.189.108.2.4150 >
x.y.z.1.80: P 3093431719:3093431768(49) ack 3622867305
win 8160 (DF)
2002/01/30-13:08:24.918484 x.y.z.1.80 >
172.189.108.2.4150: . 3622867305:3622868665(1360) ack
3093431768 win 29151 (DF)
2002/01/30-13:08:24.918484 x.y.z.1.80 >
172.189.108.2.4150: P 3622868665:3622869394(729) ack
3093431768 win 29151 (DF)
2002/01/30-13:08:25.038487 172.189.108.2.4151 >
x.y.z.1.80: . ack 2324190092 win 8160 (DF)
2002/01/30-13:08:25.038487 172.189.108.2.4151 >
x.y.z.1.80: P 3093529046:3093529082(36) ack 2324190092
win 8160 (DF)
2002/01/30-13:08:25.038487 x.y.z.1.80 >
172.189.108.2.4151: . 2324190092:2324191452(1360) ack
3093529082 win 9484 (DF)
2002/01/30-13:08:25.038487 x.y.z.1.80 >
172.189.108.2.4151: . 2324191452:2324192812(1360) ack
3093529082 win 9484 (DF)
2002/01/30-13:08:25.478501 172.189.108.2.4150 >
x.y.z.1.80: R 3093431768:3093431768(0) win 0 (DF)
2002/01/30-13:08:25.478501 172.189.108.2.4152 >
x.y.z.1.80: S 3093766615:3093766615(0) win 8160  (DF)
2002/01/30-13:08:25.478501 x.y.z.1.80 >
172.189.108.2.4152: S 3262730489:3262730489(0) ack
3093766616 win 29200  (DF)
2002/01/30-13:08:25.588504 172.189.108.2.4133 >
x.y.z.1.79: S 3092150293:3092150293(0) win 8160  (DF)
-----------------------------------------------------

< 2nd snip of logs >
2002/01/30-13:08:31.828693 172.189.108.2.4201 >
x.y.z.1.80: S 3096905862:3096905862(0) win 8160  (DF)
2002/01/30-13:08:31.828693 172.189.108.2.4135 >
x.y.z.1.34567: S 3092295715:3092295715(0) win 8160 
(DF)
2002/01/30-13:08:31.938697 172.189.108.2.4202 >
x.y.z.1.80: S 3096972330:3096972330(0) win 8160  (DF)
2002/01/30-13:08:31.938697 172.189.108.2.4203 >
x.y.z.1.80: S 3097035121:3097035121(0) win 8160  (DF)
2002/01/30-13:08:31.938697 172.189.108.2.4137 >
x.y.z.1.79: S 3092404326:3092404326(0) win 8160  (DF)
2002/01/30-13:08:31.938697 172.189.108.2.4136 >
x.y.z.1.79: S 3092369878:3092369878(0) win 8160  (DF)
2002/01/30-13:08:32.038700 172.189.108.2.4204 >
x.y.z.1.80: S 3097100356:3097100356(0) win 8160  (DF)
2002/01/30-13:08:32.038700 172.189.108.2.4205 >
x.y.z.1.80: S 3097139674:3097139674(0) win 8160  (DF)
2002/01/30-13:08:32.038700 172.189.108.2.4206 >
x.y.z.1.80: S 3097200899:3097200899(0) win 8160  (DF)
2002/01/30-13:08:32.038700 172.189.108.2.4138 >
x.y.z.1.79: S 3092467091:3092467091(0) win 8160  (DF)
2002/01/30-13:08:32.038700 172.189.108.2.4207 >
x.y.z.1.80: S 3097265358:3097265358(0) win 8160  (DF)
2002/01/30-13:08:32.128703 172.189.108.2.4208 >
x.y.z.1.80: S 3097349052:3097349052(0) win 8160  (DF)
2002/01/30-13:08:32.128703 172.189.108.2.4209 >
x.y.z.1.80: S 3097414450:3097414450(0) win 8160  (DF)
2002/01/30-13:08:32.128703 172.189.108.2.4139 >
x.y.z.1.23: S 3092547968:3092547968(0) win 8160  (DF)
2002/01/30-13:08:32.238706 172.189.108.2.4211 >
x.y.z.1.80: S 3097540973:3097540973(0) win 8160  (DF)
2002/01/30-13:08:32.238706 172.189.108.2.4210 >
x.y.z.1.80: S 3097479303:3097479303(0) win 8160  (DF)
2002/01/30-13:08:32.238706 172.189.108.2.4212 >
x.y.z.1.80: S 3097599132:3097599132(0) win 8160  (DF)
2002/01/30-13:08:32.238706 172.189.108.2.4213 >
x.y.z.1.80: S 3097633826:3097633826(0) win 8160  (DF)
2002/01/30-13:08:32.238706 172.189.108.2.4140 >
x.y.z.1.111: S 3092638269:3092638269(0) win 8160  (DF)
2002/01/30-13:08:32.348709 172.189.108.2.4214 >
x.y.z.1.80: S 3097706082:3097706082(0) win 8160  (DF)
2002/01/30-13:08:32.348709 172.189.108.2.4215 >
x.y.z.1.80: S 3097751245:3097751245(0) win 8160  (DF)
2002/01/30-13:08:32.348709 172.189.108.2.4143 >
x.y.z.1.139: S 3092788143:3092788143(0) win 8160  (DF)
2002/01/30-13:08:32.348709 172.189.108.2.4141 >
x.y.z.1.445: S 3092697586:3092697586(0) win 8160  (DF)
2002/01/30-13:08:32.438712 172.189.108.2.4216 >
x.y.z.1.80: S 3097825671:3097825671(0) win 8160  (DF)
2002/01/30-13:08:32.438712 172.189.108.2.4217 >
x.y.z.1.80: S 3097858750:3097858750(0) win 8160  (DF)
2002/01/30-13:08:32.438712 172.189.108.2.4218 >
x.y.z.1.80: S 3097895637:3097895637(0) win 8160  (DF)
2002/01/30-13:08:32.438712 172.189.108.2.4219 >
x.y.z.1.80: S 3097960770:3097960770(0) win 8160  (DF)
2002/01/30-13:08:32.438712 172.189.108.2.4145 >
x.y.z.1.1433: S 3092928008:3092928008(0) win 8160 
(DF)
2002/01/30-13:08:32.528715 172.189.108.2.4220 >
x.y.z.1.80: S 3098026780:3098026780(0) win 8160  (DF)
2002/01/30-13:08:32.528715 172.189.108.2.4221 >
x.y.z.1.80: S 3098086010:3098086010(0) win 8160  (DF)
2002/01/30-13:08:32.528715 172.189.108.2.4222 >
x.y.z.1.80: S 3098133147:3098133147(0) win 8160  (DF)
2002/01/30-13:08:32.628718 172.189.108.2.4223 >
x.y.z.1.80: S 3098211667:3098211667(0) win 8160  (DF)
2002/01/30-13:08:32.628718 172.189.108.2.4224 >
x.y.z.1.80: S 3098273586:3098273586(0) win 8160  (DF)
2002/01/30-13:08:32.628718 172.189.108.2.4225 >
x.y.z.1.80: S 3098307141:3098307141(0) win 8160  (DF)
2002/01/30-13:08:32.628718 172.189.108.2.4148 >
x.y.z.1.53: S 3093131064:3093131064(0) win 8160  (DF)
2002/01/30-13:08:32.728721 172.189.108.2.4226 >
x.y.z.1.80: S 3098368938:3098368938(0) win 8160  (DF)
2002/01/30-13:08:32.728721 172.189.108.2.4227 >
x.y.z.1.80: S 3098423838:3098423838(0) win 8160  (DF)
2002/01/30-13:08:32.728721 172.189.108.2.4149 >
x.y.z.1.3306: S 3093205289:3093205289(0) win 8160 
(DF)
2002/01/30-13:08:32.818724 172.189.108.2.4228 >
x.y.z.1.80: S 3098487937:3098487937(0) win 8160  (DF)
2002/01/30-13:08:32.818724 172.189.108.2.4229 >
x.y.z.1.80: S 3098541843:3098541843(0) win 8160  (DF)
2002/01/30-13:08:32.928727 172.189.108.2.4230 >
x.y.z.1.80: S 3098613318:3098613318(0) win 8160  (DF)
2002/01/30-13:08:32.928727 172.189.108.2.4231 >
x.y.z.1.80: S 3098654677:3098654677(0) win 8160  (DF)
2002/01/30-13:08:32.928727 172.189.108.2.4232 >
x.y.z.1.80: S 3098699652:3098699652(0) win 8160  (DF)
2002/01/30-13:08:32.998729 172.189.108.2.4252 >
x.y.z.1.110: S 3100330848:3100330848(0) win 8160  (DF)
2002/01/30-13:08:33.018730 172.189.108.2.4233 >
x.y.z.1.80: S 3098763987:3098763987(0) win 8160  (DF)
2002/01/30-13:08:33.018730 172.189.108.2.4234 >
x.y.z.1.80: S 3098798064:3098798064(0) win 8160  (DF)
2002/01/30-13:08:33.068731 172.189.108.2.4253 >
x.y.z.1.143: S 3100417329:3100417329(0) win 8160  (DF)
2002/01/30-13:08:33.128733 172.189.108.2.4235 >
x.y.z.1.80: S 3098870616:3098870616(0) win 8160  (DF)
2002/01/30-13:08:33.128733 172.189.108.2.4236 >
x.y.z.1.80: S 3098926981:3098926981(0) win 8160  (DF)
2002/01/30-13:08:33.128733 172.189.108.2.4237 >
x.y.z.1.80: S 3098971706:3098971706(0) win 8160  (DF)
2002/01/30-13:08:33.148734 172.189.108.2.4254 >
x.y.z.1.21: S 3100498746:3100498746(0) win 8160  (DF)
2002/01/30-13:08:33.218736 172.189.108.2.4238 >
x.y.z.1.80: S 3099047905:3099047905(0) win 8160  (DF)
2002/01/30-13:08:33.218736 172.189.108.2.4239 >
x.y.z.1.80: S 3099094306:3099094306(0) win 8160  (DF)
-----------------------------------------------------

<Packets>
48 45 41 44 20 2F 2E 2E 2E 2E 2F 62 6F 6F 74 2E   HEAD /..../boot.
69 6E 69 20 20 20 20 20 20 20 20 20 20 20 20 20   ini
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20   HTTP/1.1.Host: 
36 33 2E 38 39 2E 38 33 2E 31 0D 0A 55 73 65 72   x.y.z.1.User
2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F   -Agent: Mozilla/
35 2E 30 0D 0A 0D 0A                              5.0

48 45 41 44 20 2F 2E 2E 5C 2E 2E 5C 2E 2E 5C 77   HEAD /..\..\..\w
69 6E 6E 74 5C 72 65 70 61 69 72 5C 73 61 6D 2E   innt\repair\sam.
5F 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74   _ HTTP/1.1.Host
3A 20 36 33 2E 38 39 2E 38 33 2E 31 0D 0A 55 73   : x.y.z.1.Us
65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C   er-Agent: Mozill
61 2F 35 2E 30 0D 0A 0D 0A                        a/5.0

This person tried to get at the autoexec.bat file, and
the usual cmd.exe using a unicode attack. 

Is this Nessus? Or some custom tool that was being
used? The IP address is AOL, so I do not expect any
sort of resolution, but I am going to try! So any help
is appreciated. Thanks in advance!

Ron Clark

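The two behaviours in Ron's logs, a bare-SYN sweep across many ports from one source followed by HEAD requests whose paths climb out of the web root, are exactly what a small log check can flag without knowing which tool sent them. The script below is an added example written for this archive page, not code from the original post or from any scanner it asks about. It parses tcpdump-style lines in the format shown above (the email-wrapped lines are rejoined into one line per packet in the constructed sample), counts distinct destination ports hit by bare SYNs from each source inside a time window, and flags HTTP request lines with `..` segments after percent-decoding and backslash normalisation. The window of 10 seconds and the threshold of 5 ports are assumptions chosen for the demo, not values from the post.

```python
"""Flag a SYN port sweep in tcpdump-style log lines and path-traversal HTTP
request lines. Sample input is constructed from the log excerpts in the post."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# "<ts> <src>.<sport> > <dst>.<dport>: <flags> <seq...> ..." (tcpdump-style, as in the post)
_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<flags>[SFRP.]+)\s+(?P<rest>.*)$"
)


def _split_addr(addr):
    """'x.y.z.1.79' -> ('x.y.z.1', 79): the port is the last dotted component."""
    host, _, port = addr.rpartition(".")
    return host, int(port)


def parse_line(line):
    """Parse one TCP log line; return None for lines in another format (e.g. icmp)."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    src, sport = _split_addr(m["src"])
    dst, dport = _split_addr(m["dst"])
    return {
        "ts": datetime.strptime(m["ts"], "%Y/%m/%d-%H:%M:%S.%f"),
        "src": src, "sport": sport, "dst": dst, "dport": dport,
        # a probe SYN carries flag S and no ack field; the SYN/ACK reply has both
        "syn_only": m["flags"] == "S" and "ack" not in m["rest"].split(),
    }


def find_syn_sweeps(lines, window_seconds=10.0, min_ports=5):
    """Map each source host to the sorted set of distinct destination ports it sent
    bare SYNs to inside any `window_seconds` window, if that count is >= min_ports."""
    by_src = defaultdict(list)
    for line in lines:
        pkt = parse_line(line)
        if pkt and pkt["syn_only"]:
            by_src[pkt["src"]].append(pkt)
    sweeps = {}
    for src, pkts in by_src.items():
        pkts.sort(key=lambda p: p["ts"])
        best = set()
        for i, first in enumerate(pkts):  # sliding window anchored at each SYN
            ports = {p["dport"] for p in pkts[i:]
                     if (p["ts"] - first["ts"]).total_seconds() <= window_seconds}
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_ports:
            sweeps[src] = sorted(best)
    return sweeps


def is_path_traversal(request_line):
    """True if the request target has a '..'-prefixed segment once percent-encoding
    is decoded (single pass) and backslashes are treated as path separators."""
    parts = request_line.split()
    if len(parts) < 2:
        return False
    target = unquote(parts[1]).replace("\\", "/")
    return any(seg.startswith("..") for seg in target.split("/"))


def flag_requests(request_lines):
    """Return the request lines that look like directory traversal."""
    return [r for r in request_lines if is_path_traversal(r)]


# Constructed from the first log excerpt above (wrapped lines rejoined). The ICMP
# line, the SYN/ACK from port 80 and the plain ACK are included to show they are ignored.
SAMPLE_LOG = """\
2002/01/30-13:08:22.778419 172.189.108.2 > x.y.z.1: icmp: echo request
2002/01/30-13:08:22.778419 172.189.108.2.4133 > x.y.z.1.79: S 3092150293:3092150293(0) win 8160  (DF)
2002/01/30-13:08:22.838420 172.189.108.2.4134 > x.y.z.1.25: S 3092229938:3092229938(0) win 8160  (DF)
2002/01/30-13:08:22.928423 172.189.108.2.4135 > x.y.z.1.34567: S 3092295715:3092295715(0) win 8160  (DF)
2002/01/30-13:08:23.218432 172.189.108.2.4139 > x.y.z.1.23: S 3092547968:3092547968(0) win 8160  (DF)
2002/01/30-13:08:23.298434 172.189.108.2.4140 > x.y.z.1.111: S 3092638269:3092638269(0) win 8160  (DF)
2002/01/30-13:08:23.378437 172.189.108.2.4141 > x.y.z.1.445: S 3092697586:3092697586(0) win 8160  (DF)
2002/01/30-13:08:23.398437 172.189.108.2.4143 > x.y.z.1.139: S 3092788143:3092788143(0) win 8160  (DF)
2002/01/30-13:08:23.438439 172.189.108.2.4144 > x.y.z.1.80: S 3092849827:3092849827(0) win 8160  (DF)
2002/01/30-13:08:23.438439 x.y.z.1.80 > 172.189.108.2.4144: S 1731465274:1731465274(0) ack 3092849828 win 9520  (DF)
2002/01/30-13:08:23.508441 172.189.108.2.4145 > x.y.z.1.1433: S 3092928008:3092928008(0) win 8160  (DF)
2002/01/30-13:08:23.778449 172.189.108.2.4144 > x.y.z.1.80: . ack 1731465275 win 8160 (DF)
"""

# Constructed request lines: the two from the packet dumps above plus a benign one
# and a percent-encoded variant (the '%2e' form is an added case, not from the post).
SAMPLE_REQUESTS = [
    "HEAD /..../boot.ini HTTP/1.1",
    "HEAD /..\\..\\..\\winnt\\repair\\sam._ HTTP/1.1",
    "GET /index.html HTTP/1.1",
    "GET /images/%2e%2e/%2e%2e/boot.ini HTTP/1.1",
]

if __name__ == "__main__":
    for src, ports in find_syn_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"SYN sweep from {src}: {len(ports)} ports {ports}")
    for req in flag_requests(SAMPLE_REQUESTS):
        print(f"traversal attempt: {req}")
```

Two caveats for anyone reusing this. The sweep counter keys on bare SYNs only, so the SYN/ACK replies from the web server and the later ACK/PUSH traffic of the real HTTP connections never inflate the count, and a source that retransmits the same SYN (port 4133 to port 79 appears twice in the first excerpt) is still counted once per port. The traversal check decodes percent-encoding in a single pass; overlong or double-encoded forms, which the "unicode attack" in the post refers to, are only caught once the same normalisation the web server applies has been run on the request first.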
