Scanning activity?

onlyspfc

Newbie

Posts: 2

Joined: Wed Dec 10, 2008 4:45 pm

Post Thu Feb 03, 2011 11:24 am

Scanning activity?

I am curious to see if anyone recognizes this attack/scanning pattern.
I found this activity on Windows logs on one particular instance, and after some research I found this code on some websites as well. Would anyone be familiar with this pattern?

ziggy_567

Sr. Member

Posts: 378

Joined: Tue Dec 30, 2008 1:53 pm

Post Thu Feb 03, 2011 11:31 am

Re: Scanning activity?

It looks like a Nessus scan to me. First off, they're trying Linux commands on a Windows machine, so... Secondly, halfway through the log you find http://rfi.nessus.org/rfi.txt, which identifies it as a Nessus scan.

This is the contents of that file:

<?php
# NessusFileIncludeTest
echo base64_decode("TmVzc3VzQ29kZUV4ZWNUZXN0")."\n\n";
echo "'id' output: ";
system("id");
?>
--
Ziggy


eCPPT - GSEC - GCIH - GWAPT - GCUX - RHCE - SCSecA - Security+ - Network+
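
Added example (not part of the thread, and not Nessus or forum code): a small log triage built on the two indicators from the reply above, the rfi.nessus.org/rfi.txt include target and Unix-only payloads sent to a Windows host. The log lines, the field layout and the UNIX_HINTS pattern are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Marker from the thread: the include target that identifies the scanner.
NESSUS_RFI = "rfi.nessus.org/rfi.txt"
# Assumed heuristic for Unix-only payloads that cannot work on a Windows host.
UNIX_HINTS = re.compile(r"/etc/passwd|/bin/(?:sh|bash)|(?:^|[;|&=`\s])id(?:$|[;|&`\s])")

# Constructed sample in IIS W3C style; addresses are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2011-02-03 10:01:12 192.0.2.10 GET /index.php page=http%3A%2F%2Frfi.nessus.org%2Frfi.txt%3F 404
2011-02-03 10:01:13 192.0.2.10 GET /cgi-bin/test.cgi cmd=%3Bid%3B 404
2011-02-03 10:01:14 192.0.2.10 GET /default.aspx - 200
2011-02-03 10:02:40 198.51.100.7 GET /default.aspx id=42 200
2011-02-03 10:03:05 203.0.113.5 GET /view.php file=..%2F..%2Fetc%2Fpasswd 404
"""

def parse(line):
    """Return (client_ip, url-decoded query) or None for comments and short lines."""
    fields = line.split()
    if line.startswith("#") or len(fields) < 7:
        return None
    return fields[2], unquote_plus(fields[5])

def triage(log_text):
    """Count indicators per client and label each source address."""
    stats = defaultdict(lambda: {"requests": 0, "nessus_marker": 0, "unix_payload": 0})
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, query = rec
        stats[ip]["requests"] += 1
        stats[ip]["nessus_marker"] += NESSUS_RFI in query.lower()
        stats[ip]["unix_payload"] += bool(UNIX_HINTS.search(query))
    verdicts = {}
    for ip, s in stats.items():
        if s["nessus_marker"]:
            verdicts[ip] = "nessus-scan"  # every request from this source is scanner traffic
        elif s["unix_payload"]:
            verdicts[ip] = "unix-payloads-on-windows"  # untargeted probing, tool unknown
        else:
            verdicts[ip] = "no-indicator"
    return dict(stats), verdicts

if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE_LOG)[1].items():
        print(ip, verdict)
```

A source labelled nessus-scan can then be matched against the addresses of known, authorized scanners before treating the traffic as hostile.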
onlyspfc

Newbie

Posts: 2

Joined: Wed Dec 10, 2008 4:45 pm

Post Thu Feb 03, 2011 11:47 am

Re: Scanning activity?

I know it includes a NESSUS file, but if it is a Nessus scan, would you have any idea what templated scan or vulnerability policy that activity could fall under? I have Nessus Security Center and can't seem to be able to replicate that scan.

Thanks for the reply btw!
Last edited by onlyspfc on Thu Feb 03, 2011 11:50 am, edited 1 time in total.