Apparently somebody is using Nessus; a penetration testing tool.
www.nessus.org
http://books.google.co.uk/books?id=vA8o2tMl04kC&pg=PA24&lpg=PA24&dq=X11,+U%3B+Nessus&source=web&ots=5Qjqe4pAew&sig=98sWrNlOvKz6Miur12r0_9YEtjM&hl=en&sa=X&oi=book_result&resnum=9&ct=result#PPA24,M1
On Sun, 1 Feb 2009 15:11:58 -0500 William Long wrote:
>
>
>I'm trying to review a .pcap of about 900 packets related to a school assignment
>in which the "suspect" machine probed and attempted to gain access to the
>"target". I see many packets in which the suspect tried to GET several files,
>all of which have the same name, but different file extensions. The target
>machine responded with "404 Not Found" messages. Later, the suspect tried
>to PUT and POST and HEAD files, also to no avail. Can anyone tell me whether
>or not these packets are part of an automated exploit being conducted by
>the "suspect"? Thanks, a sample of some of the packets is shown below:
>
>GET /IG0PMUq2YRoM.html HTTP/1.1
>Connection: Keep-Alive
>Host: 192.168.1.100
>Pragma: no-cache
>User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
>Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png,
*/*
>Accept-Language: en
>Accept-Charset: iso-8859-1,*,utf-8
>
>HTTP/1.1 404 Not Found
>Date: Wed, 05 Sep 2007 19:19:51 GMT
>Server: Apache/1.3.34 (Debian)
>Keep-Alive: timeout=15, max=99
>Connection: Keep-Alive
>Transfer-Encoding: chunked
>Content-Type: text/html; charset=iso-8859-1
>
>119
><!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404
>Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /IG0PMUq2YRoM.html
>was not found on this server.<P><HR><ADDRESS>Apache/1.3.34 Server at 192.168.1.100
>Port 80</ADDRESS></BODY></HTML>
>0
>
>GET /IG0PMUq2YRoM.cgi HTTP/1.1
>Connection: Keep-Alive
>Host: 192.168.1.100
>Pragma: no-cache
>User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
>Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png,
*/*
>Accept-Language: en
>Accept-Charset: iso-8859-1,*,utf-8
>
>HTTP/1.1 404 Not Found
>Date: Wed, 05 Sep 2007 19:19:51 GMT
>Server: Apache/1.3.34 (Debian)
>Keep-Alive: timeout=15, max=98
>Connection: Keep-Alive
>Transfer-Encoding: chunked
>Content-Type: text/html; charset=iso-8859-1
>
>118
><!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404
>Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /IG0PMUq2YRoM.cgi
>was not found on this server.<P><HR><ADDRESS>Apache/1.3.34 Server at 192.168.1.100
>Port 80</ADDRESS></BODY></HTML>
>0
>
>GET /IG0PMUq2YRoM.sh HTTP/1.1
>Connection: Keep-Alive
>Host: 192.168.1.100
>Pragma: no-cache
>User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
>Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png,
*/*
>Accept-Language: en
>Accept-Charset: iso-8859-1,*,utf-8
>_________________________________________________________________
>Windows Live?: E-mail. Chat. Share. Get more ways to connect.
>http://windowslive.com/explore?ocid=TXT_TAGLM_WL_t2_allup_explore_012009
>___________________________________________________________________________
>Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>Archives: http://www.wireshark.org/lists/wireshark-users
>Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
