That's probably not good. Ncacn_http allows client/server applications to communicate via the internet (or any IP network) by using IIS to "proxy" the requests. Thus, an application that would normally be prevented from accessing the internet could be piped out a public IP on port 80 (in the case of ncacn_http, anyway). The port on which the host is listening is somewhat irrelevant, as port 80 only needs to be open on the IIS server that is acting as the application proxy.

This is oversimplified, and I've certainly left out most of the details, but this is basically what ncacn_http is used for.

Keith

-----Original Message-----
From: theGoooat_private [mailto:theGoooat_private]
Sent: Thursday, March 07, 2002 5:37 AM
To: incidentsat_private; pen-testat_private
Subject: ncacn_http/1.0

I have been getting Nimda-like scans from different hosts this morning.

/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNN
scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir

When I checked these hosts, I found that they have some ports that display "ncacn_http/1.0" when you connect to them. Is this Netcat or something else?

BTW, all these servers don't have a port 80 open and they are windows machines.

Regards,
Sameh

========================================
Sameh Y. Farag
Security Engineer
Internet Security Systems - Middle East
Tel: +2 02 7607011
Fax: +2 02 7607013
<http://www.iss.net/>
The power to protect
========================================

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Mar 07 2002 - 12:32:20 PST
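
The probe strings quoted in the original message can be recognised in web server logs by decoding each request path repeatedly, the way a doubly-decoding server would, and then looking for traversal sequences. The Python sketch below is an added example and not part of the thread; the sample request lines are constructed from the quoted probes, and the function and tag names are hypothetical.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample request lines, modelled on the probes quoted in the thread.
SAMPLE_REQUESTS = [
    "/default.ida?" + "N" * 80,
    "/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir",
    "/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe",
    "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir",
    "/index.html?lang=en",
]

# A 0xC0/0xC1 lead byte encodes an ASCII character in two bytes; never valid UTF-8.
OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]")
TRAVERSAL = re.compile(rb"\.\.[/\\]")
# .ida request whose query is one character repeated at least 64 times.
IDA_FILL = re.compile(r"\.ida\?(.)\1{63,}", re.I)

def fully_decode(raw, max_rounds=5):
    """Percent-decode until the value stops changing; return (bytes, rounds used)."""
    data, rounds = raw.encode("utf-8"), 0
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data, rounds = decoded, rounds + 1
    return data, rounds

def fold_overlong(match):
    """Map a two-byte overlong sequence to the ASCII byte it stands for."""
    lead, cont = match[0][0], match[0][1]
    return bytes([((lead & 0x1F) << 6) | (cont & 0x3F)])

def classify(request):
    """Return the list of suspicious traits found in one request path."""
    findings = []
    if IDA_FILL.search(request):
        findings.append("ida-filler-query")
    data, rounds = fully_decode(request)
    if rounds > 1:  # more than one decoding pass changed the path
        findings.append("double-encoding")
    if OVERLONG.search(data):
        findings.append("overlong-utf8")
        data = OVERLONG.sub(fold_overlong, data)  # %c1%9c folds to a backslash
    if TRAVERSAL.search(data):
        findings.append("directory-traversal")
    return findings

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(classify(line), line[:60])
```
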