Security Incidents mailing list archives
Re: IIS Search Method Overflow being revisted?
From: "Jay Woody" <jay_woody () tnb com>
Date: Fri, 26 Mar 2004 09:03:12 -0600
Yeah, I realized after I sent it. I saw ISS, not IIS. I wish I had some excuse, but just too quick on the draw I guess. I personally think we ought to have some acronym providing organization that keeps them from being too close. :)
JayW
Nick FitzGerald <nick () virus-l demon co uk> 03/25/04 07:17PM >>>
"Jay Woody" <jay_woody () tnb com> to <rohnyjotton () hotmail com>:
I thought there was a new one. Hang on . . . http://www.winnetmag.com/WindowsSecurity/Article/ArticleID/42099/WindowsSecurity_42099.html
Ahhh, no -- that is an ICQ problem in ISS BlackICE, etc products. _Quite_ unrelated...
Here. I didn't read much about since we don't use it, but I think this may be what they are looking for.
Actually, I doubt you could be further off.

Jay -- I know it's probably not worth much to you, but I think that many will be experiencing an increase in such attempts (though they may not be noticing them). What may help is I am seeing them coincidental with attempts from the same source IPs on TCP 2745. That is the port the backdoor installed by Bagle.D and Bagle.E (and probably other variants) listens on. My guess is that one of the recent Agobot or Polybot variants is probably responsible for the port 80 traffic you are seeing, as some of these have quite an arsenal of spread mechanisms.

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
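The correlation described in the quoted message above (the same source IPs sending SEARCH requests to port 80 and probing TCP 2745), sketched as an added example that is not part of the original thread. The log lines and addresses are constructed, and the firewall line format (`src=`, `dst=`, `dpt=`) is a hypothetical one assumed for illustration; the web log uses the W3C extended format with a `#Fields:` header.

```python
import re
from collections import defaultdict

# Constructed sample data (not from the thread); addresses are documentation ranges.
IIS_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2004-03-25 19:02:10 192.0.2.10 SEARCH / 411
2004-03-25 19:05:44 198.51.100.7 GET /index.html 200
2004-03-25 19:09:31 203.0.113.5 SEARCH / 411
"""
# Hypothetical firewall log format, assumed for this example.
FW_LOG = """\
2004-03-25 19:02:07 DROP TCP src=192.0.2.10 dst=10.0.0.5 dpt=2745
2004-03-25 19:04:00 DROP TCP src=198.51.100.7 dst=10.0.0.5 dpt=445
2004-03-25 19:09:29 DROP TCP src=203.0.113.5 dst=10.0.0.5 dpt=2745
2004-03-25 19:30:00 DROP TCP src=198.51.100.99 dst=10.0.0.5 dpt=2745
"""

def search_sources(iis_log):
    """Count SEARCH requests per client IP, using the W3C #Fields header."""
    fields, hits = [], defaultdict(int)
    for line in iis_log.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for following rows
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            if row.get("cs-method") == "SEARCH":
                hits[row["c-ip"]] += 1
    return dict(hits)

FW_RE = re.compile(r"\bTCP src=(\S+) dst=\S+ dpt=(\d+)")

def port_sources(fw_log, port=2745):
    """Count firewall entries per source IP for one destination TCP port."""
    hits = defaultdict(int)
    for m in FW_RE.finditer(fw_log):
        if int(m.group(2)) == port:
            hits[m.group(1)] += 1
    return dict(hits)

def correlate(iis_log, fw_log, port=2745):
    """Sources seen in both logs: {ip: (search_requests, port_probes)}."""
    web, fw = search_sources(iis_log), port_sources(fw_log, port)
    return {ip: (web[ip], fw[ip]) for ip in sorted(web.keys() & fw.keys())}

if __name__ == "__main__":
    for ip, (n_web, n_fw) in correlate(IIS_LOG, FW_LOG).items():
        print(f"{ip}: {n_web} SEARCH request(s), {n_fw} probe(s) to TCP 2745")
```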