Security Incidents mailing list archives
Re: IIS Search Method Overflow being revisted?
From: "Felipe Moniz de Aragao" <felipe () syhunt com>
Date: Thu, 25 Mar 2004 18:39:16 -0800
Hi.

I agree with Karl. MS03-007, which is also a SANS Top 20 item (CAN-2003-0109). Details can be viewed at http://www.securityfocus.com/bid/7116/exploit/ in the Bugtraq database.

- Felipe

----- Original Message -----
From: "Levinson, Karl" <Karl.Levinson () dhs gov>
To: "'Rohny Jotton'" <rohnyjotton () hotmail com>; <incidents () securityfocus com>
Sent: Thursday, March 25, 2004 8:25 AM
Subject: RE: IIS Search Method Overflow being revisted?

A Google search suggests a possible attempt to exploit the MS03-007 NTDLL vulnerability [via WebDAV] from February 2003.

http://archives.neohapsis.com/archives/sf/pentest/2003-03/0109.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.jb.html
http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx

Possibly we're seeing an increase of this now due to Agobot / Gaobot / Polybot scans, as some variants can exploit this vulnerability. I believe new Agobot / Gaobot variants are being discovered sometimes at a rate of several per day.

I would suspect that if you checked your IDS logs or could run Ethereal packet captures through an IDS like Snort, the year-old NTDLL signatures might help you confirm what this is.

Another post I believe in the microsoft.public today mentioned a different payload: SEARCH /AAAAAAA....

As you may already know, if you're using IIS 4 or 5, I strongly recommend running URLScan and the other security recommendations that are all free from www.microsoft.com/technet/security

- karl

-----Original Message-----
From: Rohny Jotton [mailto:rohnyjotton () hotmail com]
Sent: Thursday, March 25, 2004 10:45 AM
To: incidents () securityfocus com
Subject: IIS Search Method Overflow being revisted?

In the last 24 hours, I've logged two instances of "SEARCH /±±±±±±±±±±±±±±±±±±±±±±....(many more)" on my web server from two different networks resulting in a 501 being returned.

When googling, the only thing I can relate to it is an Overflow attempt from 2001 (Georgi Guninski). I do not see any prior attempts.

I just thought inquiring minds ought to know...
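The log check suggested in the thread above, as an added example that is not part of the original messages: a Python scan of an IIS W3C extended log for SEARCH requests with oversized paths like the ones reported. The sample log lines, the 256-character threshold and the function names are constructed assumptions.

```python
# Added example: flag oversized WebDAV SEARCH requests in an IIS W3C extended log.
from collections import Counter

MAX_STEM = 256  # assumed threshold; tune to the longest legitimate path on the site

# Constructed sample log (not from the thread); addresses are documentation ranges.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
    "2004-03-25 09:12:01 192.0.2.10 GET /index.html 200",
    "2004-03-25 09:14:37 198.51.100.7 SEARCH /" + "\u00b1" * 600 + " 501",
    "2004-03-25 09:15:02 192.0.2.10 SEARCH /docs 207",
    "2004-03-25 11:48:19 203.0.113.99 SEARCH /" + "A" * 1200 + " 501",
])

def parse_w3c(text):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")
            if len(parts) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, parts))

def suspicious_search(text, max_stem=MAX_STEM):
    """Return SEARCH requests whose URI stem is longer than max_stem."""
    hits = []
    for req in parse_w3c(text):
        stem = req.get("cs-uri-stem", "")
        if req.get("cs-method", "").upper() == "SEARCH" and len(stem) > max_stem:
            # The dominant character shows whether the path is repeated filler.
            filler, count = Counter(stem[1:]).most_common(1)[0]
            hits.append({
                "when": req["date"] + " " + req["time"],
                "src": req["c-ip"],
                "status": req["sc-status"],
                "stem_len": len(stem),
                "filler": filler,
                "filler_ratio": round(count / (len(stem) - 1), 2),
            })
    return hits

if __name__ == "__main__":
    for hit in suspicious_search(SAMPLE_LOG):
        print(hit)
```

An ordinary short SEARCH request (the `/docs` row) is not flagged, so legitimate WebDAV clients stay out of the report.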
Current thread:
- IIS Search Method Overflow being revisted? Rohny Jotton (Mar 25)
- Re: IIS Search Method Overflow being revisted? Janusz Urbanowicz (Mar 25)
- Re: IIS Search Method Overflow being revisted? Javier Fernandez-Sanguino (Mar 26)
- <Possible follow-ups>
- RE: IIS Search Method Overflow being revisted? Levinson, Karl (Mar 25)
- Re: IIS Search Method Overflow being revisted? Felipe Moniz de Aragao (Mar 25)
- Re: IIS Search Method Overflow being revisted? Jay Woody (Mar 25)
- Re: IIS Search Method Overflow being revisted? Nick FitzGerald (Mar 26)
- Re: IIS Search Method Overflow being revisted? Jay Woody (Mar 26)