[Snort-users] eEyeIsTheBest seen in http?

niceshorts at ...131... niceshorts at ...131...
Thu Sep 27 15:16:02 EDT 2001


Tom Sevy wrote:

>Has anyone else seen this?
>
>I am seeing a handful of these, from internal machines, sometimes going to
>other segments in the network as well as to outside systems (web servers).
>
>
>
>Generated by ACID v0.9.6b13 on Thu September 27, 2001 16:33:32
>
>------------------------------------------------------------------------------
>#(4 - 58002) [2001-09-27 15:37:22]  WEB-IIS cmd.exe Out
>IPv4: 192.xxx.xx.xx -> xxx.xx.x.xx   
>      hlen=5 TOS=0 dlen=217 ID=5482 flags=0 offset=0 TTL=128 chksum=27285
>TCP:  port=4850 -> dport: 80  flags=***AP*** seq=3028858
>      ack=2830731072 off=5 res=0 win=8490 urp=0 chksum=7675
>Payload:  length = 167
>
>000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
>010 : 35 63 2E 2E 25 35 63 2E 2E 25 35 63 2E 2E 25 35   5c..%5c..%5c..%5
>020 : 63 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33 32 2F   cwinnt/system32/
>030 : 63 6D 64 2E 65 78 65 3F 2F 63 2B 65 63 68 6F 20   cmd.exe?/c+echo 
>040 : 65 45 79 65 49 73 54 68 65 42 65 73 74 20 49 73   eEyeIsTheBest Is
>050 : 54 68 65 42 65 73 74 20 48 54 54 50 2F 31 2E 31   TheBest HTTP/1.1
>060 : 0D 0A 48 6F 73 74 3A 20 65 65 79 65 0D 0A 55 73   ..Host: eeye..Us
>070 : 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C   er-Agent: Mozill
>080 : 61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C   a/4.0 (compatibl
>090 : 65 3B 20 4D 53 49 45 20 35 2E 30 31 3B 20 57 69   e; MSIE 5.01; Wi
>0a0 : 6E 64 6F 77 73 20 4E                              ndows N

    This is eEye's free Retina scanner for Nimda.

    I wouldn't worry about it.

-- 
HTTP request sent, awaiting response... 404 Object Not Found
ERROR 404: Object Not Found.
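
Added example, not part of the original thread and not code from Snort, ACID or eEye: it rebuilds the HTTP request from the hex dump in the quoted alert and labels a traversal to cmd.exe that also carries the `eEyeIsTheBest` marker and `Host: eeye` as the scanner probe the reply describes. The function names, verdict labels and rule logic are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Payload rows copied from the alert quoted above (offset : hex bytes   ASCII).
ACID_ROWS = """\
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 35 63 2E 2E 25 35 63 2E 2E 25 35 63 2E 2E 25 35   5c..%5c..%5c..%5
020 : 63 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33 32 2F   cwinnt/system32/
030 : 63 6D 64 2E 65 78 65 3F 2F 63 2B 65 63 68 6F 20   cmd.exe?/c+echo 
040 : 65 45 79 65 49 73 54 68 65 42 65 73 74 20 49 73   eEyeIsTheBest Is
050 : 54 68 65 42 65 73 74 20 48 54 54 50 2F 31 2E 31   TheBest HTTP/1.1
060 : 0D 0A 48 6F 73 74 3A 20 65 65 79 65 0D 0A 55 73   ..Host: eeye..Us
070 : 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C   er-Agent: Mozill
080 : 61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C   a/4.0 (compatibl
090 : 65 3B 20 4D 53 49 45 20 35 2E 30 31 3B 20 57 69   e; MSIE 5.01; Wi
0a0 : 6E 64 6F 77 73 20 4E                              ndows N
"""
ROW = re.compile(r"^[>\s]*[0-9a-fA-F]{3,} : ((?:[0-9a-fA-F]{2} ?)+)")

def payload_from_dump(text):
    """Rebuild raw bytes from the dump, ignoring '>' quoting and the ASCII column."""
    out = bytearray()
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)

def triage(payload):
    """Classify one HTTP request; the rules and labels are this example's assumptions."""
    lines = payload.decode("latin-1").split("\r\n")
    rest = lines[0].partition(" ")[2]          # drop the method
    target = rest.rsplit(" ", 1)[0]            # drop the version; target may contain spaces
    # Percent-decode once and fold '\' to '/', since Windows accepts both separators.
    path = unquote(target.split("?", 1)[0]).replace("\\", "/")
    headers = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
    traversal = ".." in path.split("/")
    cmd_exe = path.lower().endswith("/cmd.exe")
    # Marker strings taken from the payload shown on the page.
    marker = "eEyeIsTheBest" in target and headers.get("Host") == "eeye"
    verdict = "no-match"
    if traversal and cmd_exe:
        verdict = "scanner-probe" if marker else "investigate"
    return {"path": path, "traversal": traversal, "cmd_exe": cmd_exe, "verdict": verdict}

if __name__ == "__main__":
    print(triage(payload_from_dump(ACID_ROWS)))
```

The marker and Host value are ordinary request content that any client can send, so a "scanner-probe" verdict is a hint to check against the hosts known to be running the scanner.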