Security Incidents mailing list archives
Re: Unicode worm?
From: robinton () gmx de (Soeren Ziehe)
Date: 21 Aug 2002 19:43:00 +0200
In article <51F912F2A6CDD111810A00600811BA42024D8BE9@TEA05> [21 Aug 02] Turner, Keith (Contractor) <TurnerL () tea-emh1 army mil> wrote:
[08-21-2002 - 00:56:11] Client at x.x.x.x: URL normalization was not complete after one pass. Request will be rejected. Site Instance='1', Raw URL='/scripts/..%255c%255c../winnt/system32/cmd.e xe'
I'm seeing the same requests.
It doesn't appear to be Nimda, as it is a single request. The web
Correct. The same here. Just a single request like above per IP.
server IPs are within 1 ip of each other. When one server sees the hit, the other server sees it within 2 seconds. Everything I've
The same here. Host with three IPs. All IPs see the same request within a few seconds from each other.
seen says that Nimda picks random IPs (based on network), while this seems to be more of a scan. Anyone have any ideas what this may be?
Nope. Never bothered to investigate further, though.
Robinton
--
Give Gates no chance, Linux protects!!
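The rejection message quoted in this post says URL normalization "was not complete after one pass". As an added example (not part of the thread or of any poster's tooling), the Python below parses log lines in that layout and flags raw URLs that keep changing after one percent-decoding pass or that resolve to a `..` path segment. The function names are hypothetical and the sample lines are constructed, using a documentation-range client address.

```python
import re
from urllib.parse import unquote

# Layout of the rejection line quoted in the post (fields as they appear there).
LOG_LINE = re.compile(
    r"\[(?P<ts>[^\]]+)\] Client at (?P<client>[^:\s]+): (?P<msg>.*?) "
    r"Site Instance='(?P<site>[^']*)', Raw URL='(?P<url>[^']*)'"
)
# A ".." path segment delimited by either slash style.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def decode_passes(raw_url, max_passes=5):
    """Percent-decode until stable; return (final_url, passes_that_changed_it)."""
    current, passes = raw_url, 0
    while passes < max_passes:
        decoded = unquote(current, encoding="latin-1")
        if decoded == current:
            break
        current, passes = decoded, passes + 1
    return current, passes

def classify(raw_url):
    """Return the list of reasons a raw URL deserves attention (empty if none)."""
    final, passes = decode_passes(raw_url)
    reasons = []
    if passes > 1:  # e.g. %255c -> %5c -> backslash
        reasons.append("multi-pass-encoding")
    if TRAVERSAL.search(final):
        reasons.append("path-traversal")
    return reasons

def triage(lines):
    """Return (client, raw_url, reasons) for each parsable line with findings."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if m and classify(m["url"]):
            hits.append((m["client"], m["url"], classify(m["url"])))
    return hits

# Constructed sample: one client, same request seen two seconds apart.
SAMPLE = [
    "[08-21-2002 - 00:56:11] Client at 192.0.2.10: URL normalization was not "
    "complete after one pass. Request will be rejected. Site Instance='1', "
    "Raw URL='/scripts/..%255c%255c../winnt/system32/cmd.exe'",
    "[08-21-2002 - 00:56:13] Client at 192.0.2.10: URL normalization was not "
    "complete after one pass. Request will be rejected. Site Instance='1', "
    "Raw URL='/scripts/..%255c%255c../winnt/system32/cmd.exe'",
]

if __name__ == "__main__":
    for client, url, reasons in triage(SAMPLE):
        print(client, url, ",".join(reasons))
```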