This is indeed the new IIS 5 exploit, and it surprises me not one bit that they've begun to do wide sweeps for exploited boxen. It's a nasty hole and there's a short path of effort from scan to compromise. Very tempting for the kiddies.

I'm curious as to what this tool would do if it did succeed in finding a hole. Anyone running a honeypot to catch these? Wanna share results?

Benjamin Krueger

On Fri, May 04, 2001 at 04:15:23PM +0200, Shaun Dewberry wrote:
> Here we go, the kiddies have come out to play again!
> Below find the infringing party - another sploited box in Korea?...
> I didn't read the vulnerability report properly yesterday, but it looks like
> the new IIS5, Win2k bug.
> Pity I'm not running IIS 5 on Win2000...
> Anybody else get anything similar?
> Time is GMT+02:00 (South Africa Standard Time).
>
> 211.63.33.69 - - [04/May/2001:15:13:44 +0200] "GET /NULL.printer HTTP/1.0" 400 325
> 211.63.33.69 - - [04/May/2001:15:41:32 +0200] "GET /NULL.printer HTTP/1.0" 400 325
> 211.63.33.69 - - [04/May/2001:15:52:30 +0200] "GET /NULL.printer HTTP/1.0" 400 325
> 211.63.33.69 - - [04/May/2001:16:09:33 +0200] "GET /NULL.printer HTTP/1.0" 400 325
> 211.63.33.69 - - [04/May/2001:16:10:11 +0200] "GET /NULL.printer HTTP/1.0" 400 325
>
> [Fri May 4 15:13:44 2001] [error] [client 211.63.33.69] Client sent malformed Host header
> [Fri May 4 15:41:32 2001] [error] [client 211.63.33.69] Client sent malformed Host header
> [Fri May 4 15:52:30 2001] [error] [client 211.63.33.69] Client sent malformed Host header
> [Fri May 4 16:09:33 2001] [error] [client 211.63.33.69] Client sent malformed Host header
> [Fri May 4 16:10:11 2001] [error] [client 211.63.33.69] Client sent malformed Host header
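For anyone answering the "anybody else get anything similar?" question from their own logs, here is an added example (not part of the original thread) that pulls `.printer` requests out of an Apache access log and marks the ones that coincide with a "malformed Host header" entry in the error log. The function name and the sample log lines are constructed for illustration; the formats mirror the lines quoted above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the same Apache formats as the logs quoted above
# (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts).
ACCESS_LOG = """\
192.0.2.10 - - [04/May/2001:15:13:44 +0200] "GET /NULL.printer HTTP/1.0" 400 325
198.51.100.7 - - [04/May/2001:15:20:01 +0200] "GET /index.html HTTP/1.0" 200 1043
192.0.2.10 - - [04/May/2001:15:41:32 +0200] "GET /NULL.printer HTTP/1.0" 400 325
198.51.100.7 - - [04/May/2001:15:42:10 +0200] "GET /docs/printer.html HTTP/1.0" 200 2210
"""
ERROR_LOG = """\
[Fri May 4 15:13:44 2001] [error] [client 192.0.2.10] Client sent malformed Host header
[Fri May 4 15:41:32 2001] [error] [client 192.0.2.10] Client sent malformed Host header
[Fri May 4 15:42:10 2001] [error] [client 198.51.100.7] File does not exist: /var/www/favicon.ico
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)$')
ERROR_RE = re.compile(r'^\[([^\]]+)\] \[error\] \[client (\S+)\] (.*)$')

def printer_probes(access_log, error_log):
    """Return {client: [(time, path, status, bad_host)]} for .printer requests."""
    # Index malformed-Host errors by (client, local timestamp to the second).
    bad_host = set()
    for line in error_log.splitlines():
        m = ERROR_RE.match(line)
        if m and "malformed Host header" in m.group(3):
            when = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            bad_host.add((m.group(2), when))
    hits = defaultdict(list)
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        client, stamp, _method, target, status, _size = m.groups()
        path = target.split("?", 1)[0]
        if not path.lower().endswith(".printer"):
            continue
        # Drop the UTC offset: the error log records local time without one.
        when = datetime.strptime(stamp.split()[0], "%d/%b/%Y:%H:%M:%S")
        hits[client].append((when, path, int(status), (client, when) in bad_host))
    return dict(hits)

if __name__ == "__main__":
    for client, rows in printer_probes(ACCESS_LOG, ERROR_LOG).items():
        for when, path, status, bad in rows:
            print(client, when.isoformat(), path, status, "malformed-Host" if bad else "")
```

Matching on the path suffix rather than the literal `/NULL.printer` keeps the check useful if a scanner varies the file name, while `/docs/printer.html` in the sample shows it does not flag ordinary pages.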
This archive was generated by hypermail 2b30 : Fri May 04 2001 - 10:28:49 PDT