#
# SCAN OF THE MONTH #9: 16 November
#
# Contest to see who can determine which tool
# was used and the purpose of this scan. Packet
# decodes using snort (http://www.snort.org).
#
# The packets were captured from the wild as part
# of the Honeynet Project.

QUESTION
--------
1. What is the purpose of this scan?

GET /cgi-bin/cart32.exe/expdate

@mB9\8C@^\\G ) a @F@cF;$@@<@PF@H@@<@@<@It@@@@h8@<@j@`G@h8@p>@@P@R@@@@@<@<@@@

404 Not Found

Not Found

The requested URL /cgi-bin/cart32.exe/expdate was not found on this server.

Apache/1.3.12 Server at example.org Port 80

ANSWER
-------
Bugtraq ID 1358
http://www.securityfocus.com/bid/1358/

Date: Mon, 20 Nov 2000 06:43:22 -0800 (PST)
From: Mister Scarbaci
To: project@honeynet.org
Subject: GET /cgi-bin/cart32.exe/expdate

This nifty little command creates an error message with debug
information containing directory listings or environment variables.

scan critique:

1) With most scanners we find many alerts for different probes which
   are contained in the scanner's vulnerability database. Here we only
   find one.

2) The scanner also made no attempt at obfuscating the probe from IDS.

Looks to me that this is probably a handmade scanner and the intruder
is either the author or knows the author. Most likely it is a perl
script, for it's very popular to use in cgi scans.
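
The two observations in the answer above (a single probe rather than a battery of checks, and no attempt at obfuscation) can be checked from a web server access log. The following is an added example, not part of the contest material or of the submitted answer: the log lines, addresses and the names `analyze` and `normalize` are constructed for illustration, and the input is assumed to be Apache common log format.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines (Apache common log format), not taken from the capture.
SAMPLE_LOG = """\
192.0.2.10 - - [16/Nov/2000:04:12:01 -0800] "GET /cgi-bin/cart32.exe/expdate HTTP/1.0" 404 291
192.0.2.77 - - [16/Nov/2000:05:01:10 -0800] "GET /cgi-bin/phf HTTP/1.0" 404 280
192.0.2.77 - - [16/Nov/2000:05:01:11 -0800] "GET /cgi-bin/test-cgi HTTP/1.0" 404 285
192.0.2.77 - - [16/Nov/2000:05:01:12 -0800] "GET /cgi-bin/Cart32.exe/%65xpdate HTTP/1.0" 404 291
192.0.2.5 - - [16/Nov/2000:06:00:00 -0800] "GET /index.html HTTP/1.0" 200 1024
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
CART32 = re.compile(r'/cart32\.exe/expdate(?:[/?]|$)', re.IGNORECASE)

def normalize(path):
    """Percent-decode and lower-case so encoded or mixed-case probes still match."""
    return unquote(path).lower()

def analyze(log_text):
    """Return {source_ip: {"cart32": bool, "cgi_paths": set, "profile": str}}."""
    hosts = defaultdict(lambda: {"cart32": False, "cgi_paths": set()})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        ip, _method, raw_path, _status = m.groups()
        path = normalize(raw_path)
        if "/cgi-bin/" in path:
            hosts[ip]["cgi_paths"].add(path.split("?")[0])
        if CART32.search(path):
            hosts[ip]["cart32"] = True
    for info in hosts.values():
        n = len(info["cgi_paths"])
        # One distinct CGI path matches the "only one probe" pattern in the answer;
        # several distinct paths look like a scanner with a vulnerability database.
        info["profile"] = ("none" if n == 0 else
                           "single-check" if n == 1 else "multi-check scanner")
    return dict(hosts)

if __name__ == "__main__":
    for ip, info in sorted(analyze(SAMPLE_LOG).items()):
        print(ip, "cart32-probe" if info["cart32"] else "-", info["profile"])
```
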