-2

We got the following URLs in our access logs. No referrer. Chrome user agent. Looks like some security scanner is/was at work. Is it possible to identify it? Many URLs have references to netsparker.

/
/'/
/%20ns=netsparker(0x00000D)
/'/%20ns=netsparker(0x000014)
/'%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x000005)%3C/scRipt%3E
/'/'%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x000008)%3C/scRipt%3E
/%22ns=%22netsparker(0x000007)
/'/%22ns=%22netsparker(0x00000B)
/%2522ns%253D%2522netsparker%25280x000010%2529
/'/%2522ns%253D%2522netsparker%25280x00001A%2529
/%3Chtml%20xmlns=%22http:/www.w3.org/1999/xhtml%22%3E%3Cscript%3Enetsparker(0x0005EF)%3C/script%3E%3C/html%3E
/%3Chtml%20xmlns=%22http:/www.w3.org/1999/xhtml%22%3E%3Cscript%3Enetsparker(0x000F84)%3C/script%3E%3C/html%3E
/%3Chtml%20xmlns=%22http:/www.w3.org/1999/xhtml%22%3E%3Cscript%3Enetsparker(0x002DC4)%3C/script%3E%3C/html%3E
/%3C?php%20echo%20chr(78).chr(69).chr(84).chr(83).chr(80).chr(65).chr(82).chr(75).chr(45).chr(80).chr(72).chr(80).chr(45).chr(48).chr(45).(44353702950%20(intval($_GET%5B997%5D)*4567)).chr(45)%20?%3E
/adm/
/admin_/
/admin/
/admin1/
/adminadmin/
/admin.asp
/admin.aspx
/admin.conf
/admin.htm
/admin.html
/administration/
/administrator/
/admin.jsp
/admin.php
/admin.pl
/admin.txt

Thanks, Sameer

Sameer Naik
  • I'm not sure how one would identify a scanner from the URL requests .... Is there any reason why you don't think that it is netsparker? – schroeder Nov 29 '15 at 00:14
  • @NeilSmithline I'd vote 'no' on the duplicate. I'm not seeing the connection. – schroeder Nov 29 '15 at 00:19

1 Answer

1

The scanner used was Netsparker; it self-identified at the beginning of your log.

https://www.netsparker.com

That's the name of the scanner.

Trey Blalock