The Ethical Hacker Network - Scanning activity?

Latest Additions

Who's Online

EH-Net > Ethical Hacking Discussions and Related Certifications > Malware (Moderator: don) > Scanning activity?

Pages: [1] Go Down

« previous next »

	Author	Topic: Scanning activity? (Read 4438 times)
0 Members and 1 Guest are viewing this topic.

onlyspfc

Newbie

Offline

Posts: 2

Scanning activity?

« on: February 03, 2011, 10:24:37 AM »

I am curious to see if anyone recognizes this attack/scanning pattern.
I found this activity on windows logs on one particular instance, and after some research I found this code on some websites as well.. would anyone be familiar with this pattern?


	Logged

ziggy_567

Sr. Member

Offline

Posts: 361

Re: Scanning activity?

« Reply #1 on: February 03, 2011, 10:31:59 AM »

It looks like a Nessus scan to me. First off, they're trying Linux commands on a Windows machine, so.....Secondly, halfway through the log you find http://rfi.nessus.org/rfi.txt which identifies it as a Nessus scan.

This is the contents of that file:

<?php
# NessusFileIncludeTest
echo base64_decode("TmVzc3VzQ29kZUV4ZWNUZXN0")."\n\n";
echo "'id' output: ";
system("id");
php?>


	Logged

--
Ziggy

eCPPT - GSEC - GCIH - GCUX - RHCE - SCSecA - Security+ - Network+

onlyspfc

Newbie

Offline

Posts: 2

Re: Scanning activity?

« Reply #2 on: February 03, 2011, 10:47:33 AM »

I know it includes a NESSUS file, but if it is a Nessus scan, would you have any idea what templated scan or vulnerability policy that activity could fall under? I have Nessus Security Center and can't seem to be able to replicate that scan.

Thanks for the reply btw!