Security Incidents mailing list archives
RE: Odd IIS log entries
From: "James C. Slora, Jr." <Jim.Slora () phra com>
Date: Wed, 30 Apr 2003 09:28:08 -0400
Jacob Hahn wrote Monday, April 28, 2003 1:27 PM
The following is an IIS log entry, does anyone know if this is a known exploit. The "xxx" in the IP addresses was done to mask the server's identity. 2003-04-26 10:05:07 24.107.25.179 - 153.90.xxx.xxx 80 SEARCH /''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' ''''''''''''''
<snip>
- 404 4240 65755 1078 HTTP/1.1 153.90.xxx.xxx - -
This looks like a common attempted WebDAV exploit of ntdll.dll, and appears to have been unsuccessful. http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-007.asp http://www.stanford.edu/group/itss-ccs/security/IIS-WebDAV.html ---------------------------------------------------------------------------- Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hand-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place. http://www.securityfocus.com/BlackHat-incidents ----------------------------------------------------------------------------
Current thread:
- Odd IIS log entries Hahn, Jacob (Apr 29)
- <Possible follow-ups>
- RE: Odd IIS log entries James C. Slora, Jr. (Apr 30)