I have been getting Nimda like scans from different hosts this morning. /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNN scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir _mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir When I checked these hosts, I found that they have some ports that display "ncacn_http/1.0" when you connect to them. Is this Netcat or something else? BTW, all these servers don't have a port 80 open and they are windows machines. Regards, Sameh ======================================== Sameh Y. Farag Security Engineer Internet Security Systems - Middle East Tel: +2 02 7607011 Fax: +2 02 7607013 <http://www.iss.net/> The power to protect ======================================== __________________________________________________ Manage your Hotmail with ANY email application: Get Pop3Hot at <http://pop3hot.com/main.htm> ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Mar 07 2002 - 09:26:22 PST