I've noticed some activity on a couple of web servers which I'm trying to find an explanation for. It's been happening for about 2 months. Here's a log snippet:

[08-21-2002 - 00:56:11] Client at x.x.x.x: URL normalization was not complete after one pass. Request will be rejected. Site Instance='1', Raw URL='/scripts/..%255c%255c../winnt/system32/cmd.exe'

It doesn't appear to be Nimda, as it is a single request. The web server IPs are within 1 IP of each other. When one server sees the hit, the other server sees it within 2 seconds. Everything I've seen says that Nimda picks random IPs (based on network), while this seems to be more of a scan.

Anyone have any ideas what this may be?

Keith

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Aug 21 2002 - 10:02:43 PDT
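An added example, not part of the original post: a log triage sketch that flags raw URLs which keep changing after one percent-decoding pass (the condition the quoted log message reports) and pairs up hits from the same client on different servers within a short window. Python's `unquote` stands in for the server's normalizer; the server names, client address and 2-second window are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime
from urllib.parse import unquote

# Constructed sample in the format of the quoted log entry. Server names and
# the client address (documentation range) are assumptions.
MSG = ("URL normalization was not complete after one pass. Request will be "
       "rejected. Site Instance='1', "
       "Raw URL='/scripts/..%255c%255c../winnt/system32/cmd.exe'")
SAMPLE = {
    "web1": ["[08-21-2002 - 00:56:11] Client at 192.0.2.10: " + MSG],
    "web2": ["[08-21-2002 - 00:56:13] Client at 192.0.2.10: " + MSG],
}
LINE_RE = re.compile(
    r"\[(\d\d-\d\d-\d{4}) - (\d\d:\d\d:\d\d)\] Client at (\S+): .*Raw URL='([^']*)'")

def decode_passes(raw_url, limit=5):
    """Return (passes, final): decoding passes needed until the URL is stable."""
    passes, current = 0, raw_url
    while passes < limit:
        decoded = unquote(current)
        if decoded == current:
            break
        current, passes = decoded, passes + 1
    return passes, current

def parse(line):
    """Return (timestamp, client, raw_url) or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    when = datetime.strptime(m.group(1) + " " + m.group(2), "%m-%d-%Y %H:%M:%S")
    return when, m.group(3), m.group(4)

def sweep_candidates(logs, window_s=2):
    """Same client, same multi-pass URL, different servers, within window_s."""
    seen = {}
    for server, lines in logs.items():
        for rec in filter(None, map(parse, lines)):
            if decode_passes(rec[2])[0] > 1:  # still encoded after one pass
                seen.setdefault((rec[1], rec[2]), []).append((rec[0], server))
    out = []
    for (client, url), hits in seen.items():
        hits.sort()
        for (t1, s1), (t2, s2) in zip(hits, hits[1:]):
            if s1 != s2 and (t2 - t1).total_seconds() <= window_s:
                out.append((client, url, t1, s1, s2))
    return out
```

Running `sweep_candidates` over each server's log for the full two-month period shows whether every hit on one server has a partner on its neighbour, which is the pattern the post describes.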