Snort mailing list archives
Re: Possible scr worm
From: John Sage <jsage () finchhaven com>
Date: Tue, 21 Aug 2001 13:24:09 -0700
John, Matt et al:

A google search for "Get.Routing.Script" returns:

http://support.microsoft.com/support/kb/articles/Q270/5/24.ASP

To quote:

"Microsoft Proxy Server 2.0 and Microsoft Internet Security and Acceleration (ISA) Server 2000 return some array and server-specific information when the following Uniform Resource Locators (URLs) are sent to the Web proxy port:

* http://ISA-ServerName:8080/array.dll?Get.Routing.Script
* http://ISA-ServerName:8080/array.dll?Get.Info.v1
* http://ISA-ServerName:8080/array.dll?Get.Info.v2

The preceding URLs are for diagnostic purposes and provide useful diagnostic and functional information. The URLs are handled internally by the Web Proxy service and are not passed through the rules engine. Therefore, no access control rules apply to these URLs."

<end quote>

"..no access control rules apply to these URLs..."

heh.. Micro$oft! Ya gotta love 'em.

I think that fragment in the Subject: line is pretty ominous; it looks like, whatever was going on, that somebody goofed slightly by talking about port 80 rather than 8080; why the volume, I have no idea.

It looks funky...

- John
--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com

"The web is so, like, five minutes ago..."

Matthew Collins wrote:

It's the subject line that's causing the problems.

Subject: Re: http://usabbo2proxy:80/array.dll?Get.Routing.Script

As to why you are getting so many of these, I don't know. Could be a worm that is replying to an email in the user's inbox, and just happens to pick the one that triggers the rule. The mail has got both the from and the to address set to the same thing, which is odd. Could be a mail loop of some sort, or a brain dead mail worm.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
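
The distinction discussed in this message, as an added example that is not part of the original thread: a triage helper that tells an actual HTTP request for one of the three diagnostic URLs apart from the same string merely appearing in a mail header such as Subject:. It assumes the alerts came from a plain string match on the URL; the function names and both sample payloads are constructed for illustration.

```python
import re

# The three diagnostic query strings listed in the quoted KB article.
DIAG = re.compile(rb"/array\.dll\?(Get\.Routing\.Script|Get\.Info\.v[12])")
# An HTTP/1.x request line: method, target, version.
REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST) (\S+) HTTP/1\.[01]\r?$")
# Mail headers in which a URL can show up as plain text.
MAIL_HEADER = re.compile(rb"^(Subject|From|To|Cc|References|In-Reply-To):", re.I)


def classify(payload: bytes):
    """Return (context, line) for every payload line containing a diagnostic URL."""
    hits = []
    for line in payload.split(b"\n"):
        if not DIAG.search(line):
            continue
        m = REQUEST_LINE.match(line)
        if m and DIAG.search(m.group(2)):
            context = "http-request"   # the URL is the request target
        elif MAIL_HEADER.match(line):
            context = "mail-header"    # the URL is only text in a header
        else:
            context = "other-text"     # body text, HTML, logs, ...
        hits.append((context, line.strip().decode("latin-1")))
    return hits


def is_real_probe(payload: bytes) -> bool:
    """True only when the diagnostic URL is actually being requested."""
    return any(ctx == "http-request" for ctx, _ in classify(payload))


# Constructed sample: a request for the diagnostic URL sent to the proxy port.
HTTP_SAMPLE = (b"GET http://ISA-ServerName:8080/array.dll?Get.Routing.Script HTTP/1.0\r\n"
               b"Host: ISA-ServerName:8080\r\n\r\n")

# Constructed sample: a mail carrying the Subject line quoted in the thread,
# with From and To set to the same (placeholder) address.
MAIL_SAMPLE = (b"From: user@example.com\r\n"
               b"To: user@example.com\r\n"
               b"Subject: Re: http://usabbo2proxy:80/array.dll?Get.Routing.Script\r\n"
               b"\r\n"
               b"message body\r\n")

if __name__ == "__main__":
    for name, sample in (("http", HTTP_SAMPLE), ("mail", MAIL_SAMPLE)):
        print(name, is_real_probe(sample), classify(sample))
```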