# SCAN OF THE MONTH #9: 16 November
# Contest to see who can determine which tool
# was used and the purpose of this scan. Packet
# decodes using snort (http://www.snort.org).
# The packets were captured from the wild as part
# of the Honeynet Project.
1. What is the purpose of this scan?
@mB9\8C@^\\G ) a
404 Not Found
The requested URL /cgi-bin/cart32.exe/expdate was not found on this server.
Apache/1.3.12 Server at example.org Port 80
Bugtraq ID 1358
Date: Mon, 20 Nov 2000 06:43:22 -0800 (PST)
From: Mister Scarbaci
Subject: GET /cgi-bin/cart32.exe/expdate
this nifty little command creates a error message with debug
information containing directory listings or environment variables.
1) With most scanners we find many alerts for different probes which
are contained in the scanners vulnerability database. Here we only
2) The scanner also made no attempt of obfuscating the probe from IDS.
looks to me that this is probably a handmade scanner and the intruder
is either the author or knows the author. Most likely it is a perl
script for its very popular to use in cgi scans.