Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: New IIS exploit tool? Has anyone seen this pattern before?

From: "CT" <ct () arnet com ar>
Date: Tue, 30 Oct 2001 13:51:52 -0300
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

New version of Nimda (Nimda.E) Scan like this. 
Best Regards.

CyRaNo
http://www.sarc.com/avcenter/venc/data/w32.nimda.e () mm html


- ----- Original Message ----- 
From: "Thomas Haeberlen" <Haeberlen () RUS Uni-Stuttgart DE>
To: <incidents () securityfocus com>
Sent: Tuesday, October 30, 2001 8:47 AM
Subject: New IIS exploit tool? Has anyone seen this pattern before?



Hello everybody,

has anyone seen this pattern of IIS attacks before? Could this be a
new exploit tool or something like "nimda2"? On the other hand it
seems that  it is only trying the long known holes...

------------------------------- snip
----------------------------------  

195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET
/scripts/root.exe?/c+dir+C:\ HTTP/1.0" 404 210 "-" "-"
195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET
/scripts/..%255c..%255cwinnt/


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBO97aonmlmOefWqOmEQJgjgCgnNFJm4ZB00LEfap5REwGckYrlnoAoJdt
t9waLRWayOdQYjpx00yEY0TY
=SQ3J
-----END PGP SIGNATURE-----



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: