Security Incidents mailing list archives

new iis worm: seeking signature


From: Jose Nazario <jose () biocserver BIOC cwru edu>
Date: Wed, 13 Jun 2001 12:59:30 -0400 (EDT)


hi all,

i found these in my apache logs after a quick check:

209.250.131.60 - - [10/Jun/2001:17:50:29 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.0" 404 231
209.250.131.60 - - [10/Jun/2001:17:50:30 -0400] "GET /msadc/..%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.0" 404 246

in a nutshell, plain old unicode directory traversal attempts. (failed,
obviously.)

normally i would have dismissed these as 'kids', but these reports on a
new IIS worm have me wondering if anyone has a signature for the scans it
does:

http://www.symantec.com/avcenter/venc/data/dos.storm.worm.html
http://www.security-informer.com/ic_620113_3494_1-3283.html

thanks.

____________________________
jose nazario                                                 jose () cwru edu
                     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
                                       PGP key ID 0xFD37F4E5 (pgp.mit.edu)
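
Added example, not part of the original post and not a signature for the worm the post asks about: a log check that flags requests like the two above by finding overlong UTF-8 encodings of ASCII characters in the request path and showing the path they normalize to. The function names, the Common Log Format regex and the third sample line are assumptions made for this example.

```python
import re
from urllib.parse import unquote_to_bytes
# Common Log Format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def normalize(raw: bytes):
    """Replace overlong UTF-8 encodings of ASCII; return (path, hidden_chars)."""
    out, hidden, i = bytearray(), [], 0
    while i < len(raw):
        b, rest = raw[i], raw[i + 1:i + 3]
        # 2-byte form: lead 0xC0/0xC1 can only encode U+0000..U+007F
        if b in (0xC0, 0xC1) and rest and 0x80 <= rest[0] <= 0xBF:
            cp, step = ((b & 0x1F) << 6) | (rest[0] & 0x3F), 2
        # 3-byte form: E0 80 xx / E0 81 xx also encode U+0000..U+007F
        elif (b == 0xE0 and len(rest) == 2 and rest[0] in (0x80, 0x81)
              and 0x80 <= rest[1] <= 0xBF):
            cp, step = ((rest[0] & 0x3F) << 6) | (rest[1] & 0x3F), 3
        else:
            out.append(b)
            i += 1
            continue
        out.append(cp)
        hidden.append(chr(cp))
        i += step
    return out.decode("latin-1"), hidden

def scan(lines):
    """Return one finding per request whose path hides ASCII in overlong UTF-8."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host, when, _method, target, status = m.groups()
        path, hidden = normalize(unquote_to_bytes(target.split("?", 1)[0]))
        if hidden:
            findings.append({"host": host, "time": when, "status": int(status),
                             "path": path, "hidden": "".join(hidden),
                             "traversal": "/../" in path})
    return findings

SAMPLE = [  # first two lines are from the post (re-joined); the third is constructed
    '209.250.131.60 - - [10/Jun/2001:17:50:29 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.0" 404 231',
    '209.250.131.60 - - [10/Jun/2001:17:50:30 -0400] "GET /msadc/..%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.0" 404 246',
    '192.0.2.10 - - [10/Jun/2001:17:51:02 -0400] "GET /docs/caf%c3%a9.html HTTP/1.0" 200 1024',
]
if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f)
```

The check keys on the encoding itself rather than on a target file name, so legitimate multi-byte UTF-8 in a path (the constructed third line) is not flagged.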

