A quick _mem_bin search in Google gave me a dozen of URLs in the manner of http://www.something.com/_mem_bin_/some_login.asp. So it seems that the directory _mem_bin is part of some sort of cgi used for access control. Since the UNICODE exploit uses any executable directory, _mem_bin is an appropriate target for that. Looking for the timestamp, it seems that this is an automated tool. Cheers Fernando -- Fernando Cardoso - Security Consultant WhatEverNet Computing, S.A. Phone : +351 21 7994200 Praca de Alvalade, 6 - Piso 6 Fax : +351 21 7994242 1700-036 Lisboa - Portugal email : fernando.cardosoat_private http://www.whatevernet.com/ > -----Original Message----- > From: Incidents Mailing List [mailto:INCIDENTSat_private]On > Behalf Of Hamid T Ouyachchi > Sent: segunda-feira, 30 de Abril de 2001 19:06 > To: INCIDENTSat_private > Subject: Found this in my logs > > > Hello all, > > Found this in my IIS logs. I recognize the Unicode exploit > attempts, frontpage > msdacs stuff. But what is the /mem-bin/ entry about ? > > Hamid Ouyachi > Contractor > Office of Workforce Security > Phone: (202)219-5935 x302 > _____________________________________________________________________ INTERNET MAIL FOOTER A presente mensagem pode conter informação considerada confidencial. Se o receptor desta mensagem não for o destinatário indicado, fica expressamente proibido de copiar ou endereçar a mensagem a terceiros. Em tal situação, o receptor deverá destruir a presente mensagem e por gentileza informar o emissor de tal facto. --------------------------------------------------------------------- Privileged or confidential information may be contained in this message. If you are not the addressee indicated in this message, you may not copy or deliver this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply email. ---------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Wed May 02 2001 - 19:28:31 PDT