Re: What "methods" are being used

From: fuska (fuskaat_private)
Date: Mon May 14 2001 - 11:06:07 PDT

Next message: Frijole: "Re: DNS ports and scans"

Previous message: Vitaly Osipov: "recent sadmin worm"
In reply to: Mark A Lewis: "RE: What "methods" are being used"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> 
> A little more info to add about the IIS part of the attack...
> 
> The following files were created in C:\
> 
> 05/07/01  05:41a                   289 default.asp
> 05/07/01  05:41a                   289 default.htm
> 05/07/01  05:41a                   289 index.asp
> 05/07/01  05:41a                   289 index.htm
> 
> The same files were created in C:\InetPub and every subdirectory under
> C:\InetPub.
> 
> A question...  How did they automate the creation of these files in every
> \InetPub subdirectory?  I can't think of a simple command line to do that.
> 

  Take a look at these pages:

	http://www.zdnet.com/intweek/stories/news/0,4164,5082732,00.html
	http://attrition.org/security/commentary/worm01.html

Next message: Frijole: "Re: DNS ports and scans"
Previous message: Vitaly Osipov: "recent sadmin worm"
In reply to: Mark A Lewis: "RE: What "methods" are being used"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon May 14 2001 - 15:39:21 PDT