HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
linkedin_logo.png rss_logo.jpg
twitter_logo.png youtube_logo.jpg
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 112 guests and 1 member online
EH-Net News Feeds
Latest Additions
 
Advertisement

You are here: Home arrow Forum arrow Ethical Hacking Discussions and Related Certificationsarrow Malwarearrow Scanning activity?
EH-Net
May 26, 2012, 04:16:21 AM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Advertise on EH-Net!! - Reasonable Rates, Highly Targeted Audience.
 
   Home   Help Calendar Login Register  
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: Scanning activity?  (Read 2895 times)
0 Members and 2 Guests are viewing this topic.
onlyspfc
Newbie
*
Offline Offline

Posts: 2


View Profile
« on: February 03, 2011, 10:24:37 AM »
I am curious to see if anyone recognizes this attack/scanning pattern.
I found this activity on windows logs on one particular instance, and after some research I found this code on some websites as well.. would anyone be familiar with this pattern?
Logged
ziggy_567
Sr. Member
****
Offline Offline

Posts: 302


View Profile
« Reply #1 on: February 03, 2011, 10:31:59 AM »
It looks like a Nessus scan to me. First off, they're trying Linux commands on a Windows machine, so.....Secondly, halfway through the log you find http://rfi.nessus.org/rfi.txt which identifies it as a Nessus scan.

This is the contents of that file:

<?php
 # NessusFileIncludeTest
 echo base64_decode("TmVzc3VzQ29kZUV4ZWNUZXN0")."\n\n";
 echo "'id' output: ";
 system("id");
php?>
Logged
--
Ziggy


GSEC - GCIH - GCUX - RHCE - SCSecA - Security+ - Network+
onlyspfc
Newbie
*
Offline Offline

Posts: 2


View Profile
« Reply #2 on: February 03, 2011, 10:47:33 AM »
I know it includes a NESSUS file, but if it is a Nessus scan, would you have any idea what templated scan or vulnerability policy that activity could fall under? I have Nessus Security Center and can't seem to be able to replicate that scan.

Thanks for the reply btw!
« Last Edit: February 03, 2011, 10:50:43 AM by onlyspfc » Logged
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.16 | SMF © 2011, Simple Machines
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.128 seconds with 19 queries.
 

gk_static-ad_feb2012.jpg
Global Knowledge: Build Security Skills to Protect & Defend

els_130x200fixed2.gif
eLearnSecurity Student Course Now Live!
5% Off with Code
ELS-EH-5

SANS Deals 4 EH-Netters
$150 OFF Any SANS Course in Any Format!
Coupon Code: EHN_Connect Including SANS Security West 2012 & SANSFIRE 2012
Recent Forum Topics

cbtnuggets_logo_125.jpg
Try CBT Nuggets Free!

Vote For EH-Net

Add to Technorati Favorites
technorati fave

 
         
Advertisement

© 2012 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.