Security Incidents mailing list archives
Re: New IIS exploit tool? Has anyone seen this pattern before?
From: "CT" <ct () arnet com ar>
Date: Tue, 30 Oct 2001 13:51:52 -0300
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

New version of Nimda (Nimda.E) Scan like this.

Best Regards.
CyRaNo

http://www.sarc.com/avcenter/venc/data/w32.nimda.e () mm html

- ----- Original Message -----
From: "Thomas Haeberlen" <Haeberlen () RUS Uni-Stuttgart DE>
To: <incidents () securityfocus com>
Sent: Tuesday, October 30, 2001 8:47 AM
Subject: New IIS exploit tool? Has anyone seen this pattern before?
Hello everybody,

has anyone seen this pattern of IIS attacks before? Could this be a new exploit tool or something like "nimda2"? On the other hand it seems that it is only trying the long known holes...

------------------------------- snip ----------------------------------
195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/root.exe?/c+dir+C:\ HTTP/1.0" 404 210 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/..%255c..%255cwinnt/
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBO97aonmlmOefWqOmEQJgjgCgnNFJm4ZB00LEfap5REwGckYrlnoAoJdt
t9waLRWayOdQYjpx00yEY0TY
=SQ3J
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
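A log-triage sketch for the request patterns quoted in this thread, added here as an example and not part of either poster's message: it flags `root.exe` requests and double-encoded `..%255c` traversal in access-log lines and groups them by client. The sample lines are constructed (documentation addresses, with request paths only as far as the thread shows them), and the function and label names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample input: documentation addresses, request paths only as
# far as the thread shows them, plus one benign request for contrast.
SAMPLE_LOG = [
    r'192.0.2.10 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/root.exe?/c+dir+C:\ HTTP/1.0" 404 210 "-" "-"',
    r'192.0.2.10 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/..%255c..%255cwinnt/ HTTP/1.0" 404 210 "-" "-"',
    r'192.0.2.77 - - [30/Oct/2001:11:44:02 +0100] "GET /index.html HTTP/1.0" 200 1043 "-" "-"',
]

# Common/combined log format: client, timestamp, method, path, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def fully_decode(path, max_rounds=3):
    """Percent-decode repeatedly so %255c -> %5c -> backslash becomes visible."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify(path):
    """Return hypothetical labels for the probe patterns a path matches."""
    labels = []
    lowered = path.lower()
    if "/root.exe" in lowered:
        labels.append("root.exe-probe")
    if re.search(r"%25[0-9a-f]{2}", lowered):
        labels.append("double-encoded-escape")
    # Windows accepts backslash as a path separator, so normalise before checking.
    if "../" in fully_decode(path).replace("\\", "/"):
        labels.append("directory-traversal")
    return labels

def triage(lines):
    """Group flagged requests by client address; unparsable lines are skipped."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and (labels := classify(m.group(4))):
            hits[m.group(1)].append((m.group(4), int(m.group(5)), labels))
    return dict(hits)

if __name__ == "__main__":
    for client, found in triage(SAMPLE_LOG).items():
        print(client, found)
```
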
Current thread:
- New IIS exploit tool? Has anyone seen this pattern before? Thomas Haeberlen (Oct 30)
- Re: New IIS exploit tool? Has anyone seen this pattern before? CT (Oct 30)