[Dshield] New IIS directory traversal worm, or just a tool sig?

Bob Savage bsavage at rnr-inc.com
Thu Nov 7 19:24:15 GMT 2002

One identical to this at the end of September, 2 in late October, 4
since November 1.  No two from the same source.  Looks like Nimda to me,
but you're right, it looks like a different twist.

-----Original Message-----
From: James C Slora Jr [mailto:Jim.Slora at phra.com]
Sent: Monday, November 04, 2002 12:50 PM
To: list at dshield.org
Subject: [Dshield] New IIS directory traversal worm, or just a tool sig?

Since Friday, I have seen this from nine different addresses. IIS
traversal attack is on the local system - not an HTTP CONNECT. The
is being specified as "ww.tk.gov" (not a real public host), but this is
window dressing on the attack.


Anyone else seen this?

Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:

More information about the list mailing list