Perhaps a little more detail would be helpful. Maybe sending along the GET or POST attempts or webserver log entries?
> -----Original Message----- > From: VanMeter, John [mailto:[EMAIL PROTECTED]] > Sent: Friday, October 19, 2001 9:14 AM > To: Incidents (E-mail); SECURITY-BASICS (E-mail) > Subject: Has anyone seen this pattern? > > > Interesting Pattern... if you look at the below information > you can see two > things. > 1. All IP address start in the 199.x.x.x > 2. the attacks use the same 13 attempted HTTP Attacks and 14 > Suspicious URL > The only different one was 199.111.x.x which used 26 HTTP > Attacks and 26 > Suspicious URL. > > 13 Oct 2001 > > 199.219.x.x > 13 Attempted HTTP Attack > 14 Suspicious URL > > 199.104.x.x > 13 Attempted HTTP Attack > 14 Suspicious URL > > 199.203.x.x > 13 Attempted HTTP Attack > 14 Suspicious URL > > 199.111.x.x > 26 Attempted HTTP Attack > 26 Suspicious URL > > 16 Oct 2001 > > 199.227.x.x > 13 Attempted HTTP Attack > 14 Suspicious URL > > > Has anyone else seen this? > Thank You, > John van Meter > Security Administrator > > Nothing is fool-proof to a sufficiently talented fool > > > -------------------------------------------------------------- > -------------- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com >
