I had not seen this before so I thought others might be interested.

Last night someone (working through a machine in China :( ) attacked our main campus web server. Snort logged over 600 probes. I asked the webserver support staff to check the logs to make sure that everything was OK and they came back very puzzled: they could find hardly any traffic from the IP and what there was was perfectly innocent.

I went back to the snort logs and had a look at the packet dumps and found that they were all HEAD requests which appear not to be logged by IIS.

The tool used uses HEAD requests to establish if certain vulnerabilities exist, these include various directory traversal vulnerabilities, the presence of vulnerable cgi scripts etc.

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
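One way to reconcile what an IDS saw on the wire against what the web server logged, as in the situation described above. This is an added example, not part of the original post; the record layouts, addresses, paths and threshold are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample data. Each IDS record is (source IP, method, URI) as
# recovered from packet dumps; a simplification, not Snort's own output format.
IDS_SEEN = [
    ("192.0.2.10", "GET", "/index.html"),
    ("192.0.2.10", "HEAD", "/cgi-bin/example-a"),
    ("192.0.2.10", "HEAD", "/cgi-bin/example-b"),
    ("192.0.2.10", "HEAD", "/scripts/example-c"),
    ("192.0.2.10", "HEAD", "/scripts/example-d"),
    ("198.51.100.7", "GET", "/index.html"),
    ("198.51.100.7", "HEAD", "/index.html"),
]

# Constructed web server log in a W3C-style "ip method uri status" layout.
SERVER_LOG = """\
#Fields: c-ip cs-method cs-uri-stem sc-status
192.0.2.10 GET /index.html 200
198.51.100.7 GET /index.html 200
198.51.100.7 HEAD /index.html 200
"""

def parse_server_log(text):
    """Count (ip, method, uri) entries present in the server log."""
    seen = Counter()
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ip, method, uri, _status = line.split()
        seen[(ip, method.upper(), uri)] += 1
    return seen

def unlogged_requests(ids_records, server_log_text):
    """Per source, count IDS-observed requests with no matching log entry."""
    logged = parse_server_log(server_log_text)
    missing = defaultdict(Counter)
    for ip, method, uri in ids_records:
        key = (ip, method.upper(), uri)
        if logged[key] > 0:
            logged[key] -= 1  # consume one matching log entry
        else:
            missing[ip][method.upper()] += 1
    return {ip: dict(counts) for ip, counts in missing.items()}

def flag_sources(missing, threshold=3):
    """Sources whose number of unlogged requests reaches the threshold."""
    return sorted(ip for ip, c in missing.items() if sum(c.values()) >= threshold)

if __name__ == "__main__":
    gaps = unlogged_requests(IDS_SEEN, SERVER_LOG)
    print(gaps, flag_sources(gaps))
```

A source that appears here with many unlogged requests of one method points to a logging gap on the server as much as to a scan, so the output is worth reviewing from both angles.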
This archive was generated by hypermail 2b30 : Sun Oct 28 2001 - 17:33:01 PST