Re: New IIS exploit tool? Has anyone seen this pattern before?

From: CT (ctat_private)
Date: Tue Oct 30 2001 - 08:51:52 PST

  • Next message: Ryan Russell: "Re: New Worm Variant?"

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    New version of Nimda (Nimda.E) Scan like this. 
    Best Regards.
    
    CyRaNo
    http://www.sarc.com/avcenter/venc/data/w32.nimda.eat_private
    
    
    - ----- Original Message ----- 
    From: "Thomas Haeberlen" <Haeberlenat_private-Stuttgart.DE>
    To: <incidentsat_private>
    Sent: Tuesday, October 30, 2001 8:47 AM
    Subject: New IIS exploit tool? Has anyone seen this pattern before?
    
    
    > Hello everybody,
    > 
    > has anyone seen this pattern of IIS attacks before? Could this be a
    > new exploit tool or something like "nimda2"? On the other hand it
    > seems that  it is only trying the long known holes...
    > 
    > ------------------------------- snip
    > ----------------------------------  
    > 
    > 195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET
    > /scripts/root.exe?/c+dir+C:\ HTTP/1.0" 404 210 "-" "-"
    > 195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET
    > /scripts/..%255c..%255cwinnt/
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
    
    iQA/AwUBO97aonmlmOefWqOmEQJgjgCgnNFJm4ZB00LEfap5REwGckYrlnoAoJdt
    t9waLRWayOdQYjpx00yEY0TY
    =SQ3J
    -----END PGP SIGNATURE-----
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Tue Oct 30 2001 - 09:18:18 PST