[Intrusions] Has anyone seen this?

Paul Schmehl pauls at utdallas.edu
Thu Aug 25 22:40:21 GMT 2005


--On Friday, August 26, 2005 10:09:42 +1200 Nick FitzGerald 
<nick at virus-l.demon.co.uk> wrote:

> Paul Schmehl wrote:
>
>> The attack signature was one of either "root.exe" (Nimda) or
>> "winnt/system32/cmd.exe".  I've never seen an IIS attack that used the
>> latter, and it seems rather strange, because unless the webserver is
>> grossly misconfigured you couldn't get to the system32 dir through port
>> 80  anyway.
>
> Those were the _entire_ requested URLs, or was the sig that triggered
> just looking at any part of the URL/packet/whatever?
>
Therein lies the problem.  I'm *assuming* that what TP is showing me is the 
entire pattern, but perhaps it's not.
>
> How quickly we forget...
>
Not I, old friend, but I *know* that if it *was* a Code Red or directory 
traversal attack TP would tell me that because *it does regularly* with 
other packets.  In fact it id'd the root.exe ones as Nimda.

Methinks I ought to kick this one up to TP support and find out what they 
know about it.

Paul Schmehl (pauls at utdallas.edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
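The question in this exchange is whether the sensor matched the whole requested URL or only a fragment of it. The following script, added here as an illustration and not part of the original post or of any product mentioned in it, shows how an analyst can re-triage such alerts from the raw request lines: it normalizes each URI (percent-decoding, backslash-to-slash, case folding), then reports the full URI alongside the verdict, so a "root.exe" hit (Nimda's leftover copy of cmd.exe) can be told apart from a "../" traversal to winnt/system32/cmd.exe, and both from a plain request for cmd.exe that could only succeed on a grossly misconfigured server. The log format and all sample lines are constructed for the example; the "?/c+dir" query mirrors the widely documented worm probe.

```python
"""Re-triage IIS request lines behind IDS alerts that name only a fragment
such as "root.exe" or "winnt/system32/cmd.exe".  Added example; the log
lines and the "METHOD URI STATUS" format below are constructed.
"""
import re
from urllib.parse import unquote

# Constructed sample log lines (hypothetical format: method, URI, HTTP status).
SAMPLE_LOG = """\
GET /scripts/root.exe?/c+dir 200
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir 404
GET /winnt/system32/cmd.exe 403
GET /index.html 200
GET /MSADC/root.exe?/c+dir 500
"""

LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>\S+) (?P<status>\d{3})$")


def normalize_path(uri):
    """Strip the query, percent-decode twice (undoes double encoding),
    unify path separators and fold case, so matching sees one spelling."""
    path = uri.split("?", 1)[0]
    path = unquote(unquote(path))
    return path.replace("\\", "/").lower()


def classify(uri):
    """Return a verdict for one request URI based on its normalized path."""
    path = normalize_path(uri)
    segments = path.split("/")
    if path.endswith("/root.exe"):
        # root.exe is the copy of cmd.exe left in a script directory by Nimda.
        return "nimda"
    if path.endswith("/cmd.exe"):
        if ".." in segments:
            # Climbs out of the web root toward winnt/system32: traversal.
            return "traversal"
        # cmd.exe named directly under the web root: only reachable if the
        # server is badly misconfigured, so worth a configuration check.
        return "direct-cmd"
    return "benign"


def triage(log_text):
    """Parse each log line and pair the FULL URI with its verdict, so the
    analyst sees the entire pattern rather than the fragment that alerted."""
    results = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        uri = m.group("uri")
        results.append({
            "method": m.group("method"),
            "uri": uri,
            "path": normalize_path(uri),
            "status": int(m.group("status")),
            "verdict": classify(uri),
        })
    return results


def summarize(results):
    """Count verdicts, e.g. {'nimda': 2, 'traversal': 1, ...}."""
    counts = {}
    for r in results:
        counts[r["verdict"]] = counts.get(r["verdict"], 0) + 1
    return counts


if __name__ == "__main__":
    rows = triage(SAMPLE_LOG)
    for r in rows:
        print(f"{r['verdict']:<10} {r['status']} {r['method']} {r['uri']}")
    print(summarize(rows))
```

Reporting the HTTP status next to the verdict is deliberate: a 404 on the traversal line says the probe found nothing, whereas a 200 on the root.exe line means the file was really there and the host deserves a closer look.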
