Security Incidents mailing list archives

Re: IIS Search Method Overflow being revisited?


From: "Jay Woody" <jay_woody () tnb com>
Date: Fri, 26 Mar 2004 09:03:12 -0600

Yeah, I realized after I sent it.  I saw ISS, not IIS.  I wish I had some excuse, but just too quick on the draw I 
guess.  I personally think we ought to have some acronym providing organization that keeps them from being too close.  
:)

JayW

Nick FitzGerald <nick () virus-l demon co uk> 03/25/04 07:17PM >>>
"Jay Woody" <jay_woody () tnb com> to <rohnyjotton () hotmail com>:

> I thought there was a new one.  Hang on . . . 
> 
> http://www.winnetmag.com/WindowsSecurity/Article/ArticleID/42099/WindowsSecurity_42099.html 

Ahhh, no -- that is an ICQ problem in ISS BlackICE, etc. products.  
_Quite_ unrelated...

> Here.  I didn't read much about it since we don't use it, but I think this
> may be what they are looking for. 

Actually, I doubt you could be further off.

Jay -- I know it's probably not worth much to you, but I think that 
many will be experiencing an increase in such attempts (though they may 
not be noticing them).

What may help is I am seeing them coincident with attempts from the 
same source IPs on TCP 2745.  That is the port the backdoor installed 
by Bagle.D and Bagle.E (and probably other variants) listens on.  My 
guess is that one of the recent Agobot or Polybot variants is probably 
responsible for the port 80 traffic you are seeing, as some of these 
have quite an arsenal of spread mechanisms.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
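The correlation Nick describes above (the same source IPs knocking on TCP 80 and on the Bagle.D/E backdoor port, TCP 2745) is easy to check against your own firewall logs. The script below is an added example and is not part of the thread; the iptables-style log format, the 15-minute window and the sample lines are all constructed assumptions for illustration. It generalises the observation slightly by only flagging a source when its port-80 and port-2745 attempts fall within the window, so a stray hit hours apart is not counted.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines (not from the thread). The format is an
# iptables LOG-target style line, which is an assumption for this example.
SAMPLE_LOG = """\
Mar 25 18:02:11 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80
Mar 25 18:02:13 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=2745
Mar 25 18:05:40 fw kernel: DROP IN=eth0 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP DPT=80
Mar 25 18:07:02 fw kernel: DROP IN=eth0 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP DPT=443
Mar 25 18:09:55 fw kernel: DROP IN=eth0 SRC=198.51.100.99 DST=192.0.2.10 PROTO=TCP DPT=2745
Mar 25 19:30:01 fw kernel: DROP IN=eth0 SRC=198.51.100.99 DST=192.0.2.10 PROTO=TCP DPT=80
"""

WEB_PORT = 80               # the port the OP saw the IIS-style probes on
BAGLE_BACKDOOR_PORT = 2745  # Bagle.D/E backdoor listener, per the thread

# Timestamp, source address and destination port are all we need from a line.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d) .*\bSRC=(?P<src>[\d.]+) .*\bDPT=(?P<dpt>\d+)'
)


def parse_events(text):
    """Return a list of (timestamp, src_ip, dst_port) tuples for parseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not connection-attempt records
        # No year in syslog timestamps; strptime defaults to 1900, which is fine
        # for relative comparisons within one log file.
        ts = datetime.strptime(m.group('ts'), '%b %d %H:%M:%S')
        events.append((ts, m.group('src'), int(m.group('dpt'))))
    return events


def correlate(events, window=timedelta(minutes=15)):
    """Return sorted source IPs that hit both WEB_PORT and BAGLE_BACKDOOR_PORT
    within `window` of each other (the 15-minute window is an assumption)."""
    by_src = defaultdict(lambda: defaultdict(list))
    for ts, src, dpt in events:
        if dpt in (WEB_PORT, BAGLE_BACKDOOR_PORT):
            by_src[src][dpt].append(ts)

    flagged = []
    for src, ports in by_src.items():
        web_hits = ports.get(WEB_PORT, [])
        backdoor_hits = ports.get(BAGLE_BACKDOOR_PORT, [])
        if any(abs(a - b) <= window for a in web_hits for b in backdoor_hits):
            flagged.append(src)
    return sorted(flagged)


if __name__ == '__main__':
    for ip in correlate(parse_events(SAMPLE_LOG)):
        print(f'{ip}: port 80 and port 2745 attempts within window (likely bot, not a human)')
```

On the sample data only 203.0.113.7 is reported: 198.51.100.23 never touches 2745, and 198.51.100.99 hits the two ports more than an hour apart. Feed the script your real log and a source that turns up in this list is a candidate Agobot/Polybot-style host worth blocking or reporting rather than a targeted IIS attack.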
