[Intrusions] Has anyone seen this?
Георги Илиев
iliev at list.ru
Tue Aug 30 15:28:25 GMT 2005
I cannot understand...
-----Original Message-----
From: Nick FitzGerald <nick at virus-l.demon.co.uk>
To: "Intrusions List GGCIA Practicals" <intrusions at lists.sans.org>
Date: Sat, 27 Aug 2005 15:49:54 +1200
Subject: Re: [Intrusions] Has anyone seen this?
>
> Paul Schmehl to me:
>
> > > Those were the _entire_ requested URLs, or was the sig that triggered
> > > just looking at any part of the URL/packet/whatever?
> > >
> > Therein lies the problem. I'm *assuming* that what TP is showing me is the
> > entire pattern, but perhaps it's not.
>
> In that case, I guess it is looking for an already compromised box. As
> someone else posted, it is possible (incredibly stupid, but possible)
> to configure (older versions?) of IIS to treat the root of a drive as
> the webroot, and Nimda (and other things) have put root.exe files in
> webroot and/or drive root directories...
>
> > > How quickly we forget...
> > >
> > Not I, old friend, but I *know* that if it *was* a Code Red or directory
> > traversal attack TP would tell me that because *it does regularly* with
> > other packets. In fact it id'd the root.exe ones as Nimda.
> >
> > Methinks I ought to kick this one up to TP support and find out what they
> > know about it.
>
> Sounds wise -- my original suspicion was that if *you* were asking
> something like this it was because the tools you were using weren't
> being as informative as they should be...
>
>
> Regards,
>
> Nick FitzGerald
>
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org
> http://www.dshield.org/mailman/listinfo/intrusions
>