Security Incidents mailing list archives

Re: IIS Search Method Overflow being revisted?


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 26 Mar 2004 13:17:05 +1200

"Jay Woody" <jay_woody () tnb com> to <rohnyjotton () hotmail com>:

> I thought there was a new one.  Hang on . . . 
>
> http://www.winnetmag.com/WindowsSecurity/Article/ArticleID/42099/WindowsSecurity_42099.html

Ahhh, no -- that is an ICQ problem in ISS BlackICE, etc products.  
_Quite_ unrelated...

> Here.  I didn't read much about it since we don't use it, but I think this
> may be what they are looking for. 

Actually, I doubt you could be further off.

Jay -- I know it's probably not worth much to you, but I think that 
many will be experiencing an increase in such attempts (though they may 
not be noticing them).

What may help is I am seeing them coincidental with attempts from the 
same source IPs on TCP 2745.  That is the port the backdoor installed 
by Bagle.D and Bagle.E (and probably other variants) listens on.  My 
guess is that one of the recent Agobot or Polybot variants is probably 
responsible for the port 80 traffic you are seeing, as some of these 
have quite an arsenal of spread mechanisms.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
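
Added example, not part of the original post: one way to check your own logs for the correlation described above, where the same source IP sends an overflow-style SEARCH request to port 80 and also tries TCP 2745. The log layouts, sample lines, the 1024-byte URI threshold and all function names are assumptions made for this sketch.

```python
from collections import Counter

BAGLE_PORT = 2745  # backdoor port named in the post
LONG_URI = 1024    # assumed length threshold for an overflow-style SEARCH
# Constructed sample logs; both layouts are assumptions made for this example.
WEB_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2004-03-25 22:10:01 192.0.2.10 SEARCH /{long} 414
2004-03-25 22:10:09 192.0.2.44 GET /index.html 200
2004-03-25 22:11:30 198.51.100.7 SEARCH /{long} 414
2004-03-25 22:12:02 203.0.113.5 SEARCH /docs 207
""".replace("{long}", "A" * 2000)
FW_LOG = """\
2004-03-25T22:09:58 src=192.0.2.10 dst=192.0.2.200 proto=tcp dport=2745 action=drop
2004-03-25T22:10:40 src=192.0.2.99 dst=192.0.2.200 proto=tcp dport=2745 action=drop
2004-03-25T22:11:31 src=198.51.100.7 dst=192.0.2.200 proto=tcp dport=2745 action=drop
2004-03-25T22:11:50 src=198.51.100.7 dst=192.0.2.200 proto=tcp dport=445 action=drop
"""

def search_probes(web_log, min_len=LONG_URI):
    """Count oversized SEARCH requests per client IP in a W3C-style log."""
    fields, hits = [], Counter()
    for line in web_log.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rec = dict(zip(fields, line.split()))
            uri = rec.get("cs-uri-stem", "")
            if rec.get("cs-method") == "SEARCH" and len(uri) >= min_len and "c-ip" in rec:
                hits[rec["c-ip"]] += 1
    return hits

def port_hits(fw_log, port=BAGLE_PORT):
    """Count TCP connection attempts to `port` per source IP (key=value log)."""
    hits = Counter()
    for line in fw_log.splitlines():
        kv = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if kv.get("proto") == "tcp" and kv.get("dport") == str(port) and "src" in kv:
            hits[kv["src"]] += 1
    return hits

def correlate(web_log, fw_log):
    """Return {ip: (search_count, port_count)} for sources seen in both logs."""
    web, fw = search_probes(web_log), port_hits(fw_log)
    return {ip: (web[ip], fw[ip]) for ip in sorted(web.keys() & fw.keys())}

if __name__ == "__main__":
    for ip, (w, f) in correlate(WEB_LOG, FW_LOG).items():
        print(f"{ip}: {w} oversized SEARCH, {f} attempts on tcp/{BAGLE_PORT}")
```

Sources that show up in only one of the two logs are left out of the result, so a short SEARCH request or a lone 2745 probe does not count as a match.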

