Security Incidents mailing list archives
Unicode worm?
From: "Turner, Keith (Contractor)" <TurnerL () tea-emh1 army mil>
Date: Wed, 21 Aug 2002 12:41:31 -0400
I've noticed some activity on a couple of web servers which I'm trying to find an explanation for. It's been happening for about 2 months. Here's a log snippet:

[08-21-2002 - 00:56:11] Client at x.x.x.x: URL normalization was not complete after one pass. Request will be rejected. Site Instance='1', Raw URL='/scripts/..%255c%255c../winnt/system32/cmd.exe'

It doesn't appear to be Nimda, as it is a single request. The web server IPs are within 1 IP of each other. When one server sees the hit, the other server sees it within 2 seconds. Everything I've seen says that Nimda picks random IPs (based on network), while this seems to be more of a scan.

Anyone have any ideas what this may be?

Keith

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
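An added example, not part of the original post: a small log triage script showing why the quoted URL is reported as not fully normalized after one pass. It percent-decodes the raw URL until it stops changing and flags double encoding and directory traversal. The function names and the regular expression are assumptions built from the single log line quoted above.

```python
import re
from urllib.parse import unquote

# Sample input: the log line quoted in the message, embedded so this runs offline.
SAMPLE = ("[08-21-2002 - 00:56:11] Client at x.x.x.x: URL normalization was not "
          "complete after one pass. Request will be rejected. Site Instance='1', "
          "Raw URL='/scripts/..%255c%255c../winnt/system32/cmd.exe'")

# Assumed line layout, inferred from that one sample line.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Client at (?P<client>\S+): .*Raw URL='(?P<url>[^']*)'")

def decode_passes(url, limit=5):
    """Percent-decode until stable; return (final_url, passes that changed it)."""
    passes = 0
    while passes < limit:
        decoded = unquote(url, encoding="latin-1")
        if decoded == url:
            break
        url, passes = decoded, passes + 1
    return url, passes

def classify(line):
    """Parse one rejection line and describe what the raw URL hides."""
    m = LINE_RE.match(line)
    if not m:
        return None
    final, passes = decode_passes(m.group("url"))
    # Treat backslash as a path separator, as a Windows web server would.
    segments = final.replace("\\", "/").split("/")
    return {
        "ts": m.group("ts"),
        "client": m.group("client"),
        "decoded": final,
        "passes": passes,
        "double_encoded": passes > 1,   # %255c -> %5c -> backslash
        "traversal": ".." in segments,
    }

if __name__ == "__main__":
    print(classify(SAMPLE))
```

A single decoding pass turns `%255c` into `%5c`, which is still an encoded backslash; only the second pass reveals the `..\` sequence, which is the condition the server's log message describes.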
Current thread:
- Unicode worm? Turner, Keith (Contractor) (Aug 21)
- Re: Unicode worm? Soeren Ziehe (Aug 21)
- Re: Unicode worm? John Sage (Aug 21)
- Re: Unicode worm? Kurt Seifried (Aug 22)
- Re: Unicode worm? Jonathan Rickman (Aug 23)
- <Possible follow-ups>
- RE: Unicode worm? Larsen, Colin (Aug 21)
- Re: Unicode worm? Dean White (Aug 22)
- RE: Unicode worm? Deus, Attonbitus (Aug 22)
- RE: Unicode worm? Turner, Keith (Contractor) (Aug 22)
- Re: Unicode worm? pj (Aug 23)
- Re: Unicode worm? Soeren Ziehe (Aug 21)