Re: Heads up! distributed scans and attacks targeting nsiss.dll

From: oherrera (oherreraat_private)
Date: Fri Aug 08 2003 - 16:11:31 PDT

    We received one scan today from 206.29.36.131, with payload:
    GET /scripts/nsiislog.dll. I don't remember seeing this kind
    of activity before in the last 3 months.
    
    Omar Herrera
    
    > Greetings All,
    >          This morning I noticed that snort had logged a
    > whole lot of "WEB-IIS nsiislog.dll access" alerts. After
    > several hours of investigation I decided that there are
    > enough interesting and different things about this
    > incident to warrant writing a summary of what happened.
    
    



    This archive was generated by hypermail 2b30 : Sun Aug 10 2003 - 10:57:46 PDT