[Snort-users] eEyeIsTheBest seen in http?

Erek Adams erek at ...577...
Thu Sep 27 13:54:03 EDT 2001


On Thu, 27 Sep 2001, Tom Sevy wrote:

> Has anyone else seen this?
>
> I am seeing a handful of these, from internal machines, sometimes going to
> other segments in the network as well as to outside systems (web servers).
>
>
> Generated by ACID v0.9.6b13 on Thu September 27, 2001 16:33:32
>
> ------------------------------------------------------------------------------
> #(4 - 58002) [2001-09-27 15:37:22]  WEB-IIS cmd.exe Out
> IPv4: 192.xxx.xx.xx -> xxx.xx.x.xx
>       hlen=5 TOS=0 dlen=217 ID=5482 flags=0 offset=0 TTL=128 chksum=27285
> TCP:  port=4850 -> dport: 80  flags=***AP*** seq=3028858
>       ack=2830731072 off=5 res=0 win=8490 urp=0 chksum=7675
> Payload:  length = 167
>
> 000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
> 010 : 35 63 2E 2E 25 35 63 2E 2E 25 35 63 2E 2E 25 35   5c..%5c..%5c..%5
> 020 : 63 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33 32 2F   cwinnt/system32/
> 030 : 63 6D 64 2E 65 78 65 3F 2F 63 2B 65 63 68 6F 20   cmd.exe?/c+echo
> 040 : 65 45 79 65 49 73 54 68 65 42 65 73 74 20 49 73   eEyeIsTheBest Is
> 050 : 54 68 65 42 65 73 74 20 48 54 54 50 2F 31 2E 31   TheBest HTTP/1.1
> 060 : 0D 0A 48 6F 73 74 3A 20 65 65 79 65 0D 0A 55 73   ..Host: eeye..Us
> 070 : 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C   er-Agent: Mozill
> 080 : 61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C   a/4.0 (compatibl
> 090 : 65 3B 20 4D 53 49 45 20 35 2E 30 31 3B 20 57 69   e; MSIE 5.01; Wi
> 0a0 : 6E 64 6F 77 73 20 4E                              ndows N

Looks like that's the eEye Nimda scanner.  Grab a copy from
http://www.eeye.com/ and check the scan.

I could be crackheaded here, but...  Lemme dig up some email from the
incidents list.

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
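The alert above is easier to reason about once the payload is decoded back into the HTTP request it carries. The following is an added example for this thread, not code from the original post, ACID, Snort or eEye: it parses an ACID-style "offset : hex   ascii" dump (a constructed copy of the one quoted above, quoting removed), rebuilds the request, and reports the features the WEB-IIS cmd.exe rule is keying on: the `%5c`-encoded backslashes, the number of `..` segments, whether the path walks above the web root once backslashes are treated as separators (as a Windows web server does), whether the final segment is `cmd.exe`, and what command string follows the `?`. Helper and field names are this example's own.

```python
"""Rebuild the HTTP request from an ACID hex dump and explain the alert.

Added example for this thread; not code from the original post, ACID or Snort.
"""
import re
from urllib.parse import unquote, unquote_plus

# Constructed copy of the payload dump from the quoted alert, "> " quoting removed.
HEX_DUMP = """\
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 35 63 2E 2E 25 35 63 2E 2E 25 35 63 2E 2E 25 35   5c..%5c..%5c..%5
020 : 63 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33 32 2F   cwinnt/system32/
030 : 63 6D 64 2E 65 78 65 3F 2F 63 2B 65 63 68 6F 20   cmd.exe?/c+echo
040 : 65 45 79 65 49 73 54 68 65 42 65 73 74 20 49 73   eEyeIsTheBest Is
050 : 54 68 65 42 65 73 74 20 48 54 54 50 2F 31 2E 31   TheBest HTTP/1.1
060 : 0D 0A 48 6F 73 74 3A 20 65 65 79 65 0D 0A 55 73   ..Host: eeye..Us
070 : 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C   er-Agent: Mozill
080 : 61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C   a/4.0 (compatibl
090 : 65 3B 20 4D 53 49 45 20 35 2E 30 31 3B 20 57 69   e; MSIE 5.01; Wi
0a0 : 6E 64 6F 77 73 20 4E                              ndows N
"""

DUMP_LINE = re.compile(r"^\s*[0-9a-fA-F]+\s*:\s*(.*)$")


def decode_hex_dump(dump: str) -> bytes:
    """Return the raw bytes of an 'offset : hex   ascii' dump.

    Only the hex column is trusted; the ASCII column is lossy (non-printables
    render as '.') and is separated from the hex by two or more spaces.
    """
    out = bytearray()
    for line in dump.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            continue  # blank or non-dump line
        hex_col = re.split(r"\s{2,}", m.group(1).strip(), maxsplit=1)[0]
        for tok in hex_col.split():
            if not re.fullmatch(r"[0-9a-fA-F]{2}", tok):
                raise ValueError(f"bad hex token {tok!r} in line {line!r}")
            out.append(int(tok, 16))
    return bytes(out)


def parse_request(payload: bytes) -> dict:
    """Split the captured request into method, target, version and headers.

    The version is split off from the right because this target contains raw
    spaces ("echo eEyeIsTheBest IsTheBest"), which a strict HTTP parser would
    reject; a hand-built scanner does not care.  The capture stops at 167
    bytes, so the last header has no terminating CRLF.
    """
    text = payload.decode("latin-1")
    request_line, _, rest = text.partition("\r\n")
    method, _, remainder = request_line.partition(" ")
    target, _, version = remainder.rpartition(" ")
    headers = {}
    for field in rest.split("\r\n"):
        name, sep, value = field.partition(":")
        if sep:
            headers[name.strip()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def classify_target(target: str) -> dict:
    """Percent-decode the target, treat '\\' as a separator, and report the
    traversal features the WEB-IIS cmd.exe signature is matching on."""
    path, _, query = target.partition("?")
    decoded = unquote(path)  # %5c -> '\'
    canonical = decoded.replace("\\", "/").lower()
    segments = [s for s in canonical.split("/") if s]
    depth, escapes_root = 0, False
    for seg in segments:
        if seg == "..":
            if depth == 0:
                escapes_root = True  # walked above the web root
            else:
                depth -= 1
        elif seg != ".":
            depth += 1
    return {
        "encoded_backslash": "%5c" in path.lower(),
        "dotdot_segments": segments.count(".."),
        "escapes_root": escapes_root,
        "targets_cmd_exe": bool(segments) and segments[-1] == "cmd.exe",
        "command": unquote_plus(query),  # argument string handed to cmd.exe
    }


def analyze_dump(dump: str) -> dict:
    """Decode the dump and combine request fields with the traversal verdict."""
    payload = decode_hex_dump(dump)
    req = parse_request(payload)
    verdict = classify_target(req["target"])
    verdict["length"] = len(payload)
    verdict["host"] = req["headers"].get("Host")
    verdict["marker"] = "eEyeIsTheBest" in verdict["command"]  # scanner's echo string
    return verdict


if __name__ == "__main__":
    for key, value in analyze_dump(HEX_DUMP).items():
        print(f"{key:18} {value}")
```

Run as a script it reconstructs the 167-byte request, shows the four `..%5c` steps climbing out of `/scripts` into `winnt/system32/cmd.exe`, and prints the `/c echo eEyeIsTheBest IsTheBest` command string, which is the marker a benign check for this traversal would leave rather than anything a worm would run. The same decoder works on any other ACID payload dump pasted from the console.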