Re: IIS Search Method Overflow being revisted?

[Javier Fernandez-Sanguino <jfernandez () germinus com>]

Rohny Jotton wrote:
> In the last 24 hours, 
> I've logged two 
> instances of "SEARCH 
> /�±±±±±±±±±±±±±±±±±±±±±±....(many more)" on my 

/me too

In our case we've seeing approximately 600-700 weekly "SEARCH /" scan 
attempts since february. Snort flags it as "WEB-IIS WEBDAV nessus safe 
scan attempt" (SID 2091, CAN-2003-0109).

However, recently, we've started seing the "SEARCH /AAAAAA..." 
attempts. The funny thing is that the behaviour is:

1.- first do a "SEARCH /"
[if X, probably the bot checks for server version, etc. since not all 
attempts proceed]
2.- start doing "SEARCH /AAAA" (234 'A' characters)
3.- repeat 2 increasing one "A" character until you get to 296 characters.
4.- stop

It seems that the application is trying to find the precise point 
where the buffer overflow is located.

Regards

Javier

---------------------------------------------------------------------------
Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN,
wireless security

Protect your network against hackers, viruses, spam and other risks with Astaro
Security Linux, the comprehensive security solution that combines six
applications in one software solution for ease of use and lower total cost of
ownership.

Download your free trial at 
http://www.securityfocus.com/sponsor/Astaro_incidents_040301
----------------------------------------------------------------------------