-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

New version of Nimda (Nimda.E) scans like this.

Best Regards.
CyRaNo

http://www.sarc.com/avcenter/venc/data/w32.nimda.eat_private

- ----- Original Message -----
From: "Thomas Haeberlen" <Haeberlenat_private-Stuttgart.DE>
To: <incidentsat_private>
Sent: Tuesday, October 30, 2001 8:47 AM
Subject: New IIS exploit tool? Has anyone seen this pattern before?

> Hello everybody,
>
> has anyone seen this pattern of IIS attacks before? Could this be a
> new exploit tool or something like "nimda2"? On the other hand it
> seems that it is only trying the long known holes...
>
> ------------------------------- snip ----------------------------------
>
> 195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/root.exe?/c+dir+C:\ HTTP/1.0" 404 210 "-" "-"
> 195.13.121.101 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/..%255c..%255cwinnt/

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBO97aonmlmOefWqOmEQJgjgCgnNFJm4ZB00LEfap5REwGckYrlnoAoJdt
t9waLRWayOdQYjpx00yEY0TY
=SQ3J
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
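A way to triage access logs for the two request shapes quoted above, as an added example that is not part of the original thread: it decodes each request path repeatedly, so `%255c` is seen as the backslash it becomes after two decoding passes, and summarises hits per source. The sample lines are constructed, modelled on the quoted log with documentation addresses, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Common Log Format prefix: host ident user [time] "METHOD target PROTO" status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (.*) HTTP/\d\.\d" (\d{3})')

def fully_decode(path, max_rounds=5):
    """Percent-decode until stable; return (decoded, number of effective rounds)."""
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote(path, encoding="latin-1")
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds

def classify(line):
    """Return a hit record for a probe-like request, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, _method, target, status = m.groups()
    decoded, rounds = fully_decode(target.split("?", 1)[0])
    path = decoded.replace("\\", "/").lower()   # treat both separators alike
    reasons = []
    if rounds >= 2:
        reasons.append("double-encoded")        # e.g. %255c -> %5c -> backslash
    if "/../" in path or path.endswith("/.."):
        reasons.append("traversal")
    if path.endswith("/root.exe"):
        reasons.append("root.exe")
    return {"src": src, "status": int(status), "reasons": reasons} if reasons else None

def scan(lines):
    """Per-source summary; all_404 means no probe got anything but Not Found."""
    summary = {}
    for hit in filter(None, map(classify, lines)):
        entry = summary.setdefault(hit["src"], {"hits": 0, "all_404": True})
        entry["hits"] += 1
        entry["all_404"] &= hit["status"] == 404
    return summary

# Constructed sample lines (not real traffic), shaped like the log quoted above.
SAMPLE = [
    r'192.0.2.10 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/root.exe?/c+dir+C:\ HTTP/1.0" 404 210 "-" "-"',
    r'192.0.2.10 - - [30/Oct/2001:11:43:40 +0100] "GET /scripts/..%255c..%255cwinnt/ HTTP/1.0" 404 210 "-" "-"',
    r'192.0.2.77 - - [30/Oct/2001:11:44:02 +0100] "GET /index.html HTTP/1.0" 200 1043 "-" "-"',
]

if __name__ == "__main__":
    for src, info in scan(SAMPLE).items():
        print(src, info)
```

A source whose hits are all 404, as in the quoted log, was scanned but nothing was served; any other status on a flagged request is the one to investigate first.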
This archive was generated by hypermail 2b30 : Tue Oct 30 2001 - 09:18:18 PST