Security Incidents mailing list archives
Re: IIS Search Method Overflow being revisted?
From: Javier Fernandez-Sanguino <jfernandez () germinus com>
Date: Fri, 26 Mar 2004 14:10:36 +0100
Rohny Jotton wrote:
In the last 24 hours, I've logged two instances of "SEARCH /�±±±±±±±±±±±±±±±±±±±±±±....(many more)" on my
/me tooIn our case we've seeing approximately 600-700 weekly "SEARCH /" scan attempts since february. Snort flags it as "WEB-IIS WEBDAV nessus safe scan attempt" (SID 2091, CAN-2003-0109).
However, recently, we've started seing the "SEARCH /AAAAAA..." attempts. The funny thing is that the behaviour is:
1.- first do a "SEARCH /"[if X, probably the bot checks for server version, etc. since not all attempts proceed]
2.- start doing "SEARCH /AAAA" (234 'A' characters) 3.- repeat 2 increasing one "A" character until you get to 296 characters. 4.- stopIt seems that the application is trying to find the precise point where the buffer overflow is located.
Regards Javier --------------------------------------------------------------------------- Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN, wireless security Protect your network against hackers, viruses, spam and other risks with Astaro Security Linux, the comprehensive security solution that combines six applications in one software solution for ease of use and lower total cost of ownership.Download your free trial at http://www.securityfocus.com/sponsor/Astaro_incidents_040301
----------------------------------------------------------------------------
Current thread:
- IIS Search Method Overflow being revisted? Rohny Jotton (Mar 25)
- Re: IIS Search Method Overflow being revisted? Janusz Urbanowicz (Mar 25)
- Re: IIS Search Method Overflow being revisted? Javier Fernandez-Sanguino (Mar 26)
- <Possible follow-ups>
- RE: IIS Search Method Overflow being revisted? Levinson, Karl (Mar 25)
- Re: IIS Search Method Overflow being revisted? Felipe Moniz de Aragao (Mar 25)
- Re: IIS Search Method Overflow being revisted? Jay Woody (Mar 25)
- Re: IIS Search Method Overflow being revisted? Nick FitzGerald (Mar 26)
- Re: IIS Search Method Overflow being revisted? Jay Woody (Mar 26)