[Dshield] RE: [Dshield]What is HTTP get /sumthin ?

Jansen, Lise Lise.Jansen at qunara.com
Thu Nov 7 20:46:36 GMT 2002


I am new to this list and was wondering if someone could provide me with some info 
on the following line: HTTP looking for /sumthin 404. It is coming up quite often in my IIS logs. 

Thanks for your Help!
Lise J.  
-----Original Message-----
From: Bob Savage [mailto:bsavage at rnr-inc.com]
Sent: Thursday, November 07, 2002 2:24 PM
To: list at dshield.org
Subject: RE: [Dshield] New IIS directory traversal worm, or just a tool sig?


One identical to this at the end of September, 2 in late October, 4
since November 1.  No two from the same source.  Looks like Nimda to me,
but you're right, it looks like a different twist.


-----Original Message-----
From: James C Slora Jr [mailto:Jim.Slora at phra.com]
Sent: Monday, November 04, 2002 12:50 PM
To: list at dshield.org
Subject: [Dshield] New IIS directory traversal worm, or just a tool sig?


Since Friday, I have seen this from nine different addresses. IIS directory
traversal attack is on the local system - not an HTTP CONNECT. The hostname
is being specified as "ww.tk.gov" (not a real public host), but this is just
window dressing on the attack.

http://ww.tk.gov/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\script.exe

Anyone else seen this?

_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
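
The following is an added example, not part of the original messages: a way to find requests like the `..%255c` one quoted above in web server logs by percent-decoding each URI repeatedly and reporting how many passes it takes before a `..\` or `../` sequence appears. The log field order, the sample lines and the function names `decode_rounds` and `scan` are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Assumed W3C-style field order (an assumption, not taken from the thread):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
FIELDS = ("date", "time", "c_ip", "method", "stem", "query", "status")

# Constructed sample lines; client addresses are documentation ranges.
SAMPLE_LOG = """\
2002-11-04 12:41:07 192.0.2.10 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe - 404
2002-11-04 12:43:19 198.51.100.7 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe - 404
2002-11-07 20:31:55 203.0.113.5 GET /sumthin - 404
2002-11-07 20:32:02 203.0.113.9 GET /docs/100%25-uptime.html - 200
"""

TRAVERSAL = re.compile(r"\.\.[\\/]")  # dot-dot followed by either slash
MAX_ROUNDS = 4                        # upper bound on decoding passes


def decode_rounds(uri):
    """Return (passes, text): decoding passes needed to expose a traversal
    sequence and the text at that point; passes is None if none appears."""
    text = uri
    for rounds in range(MAX_ROUNDS + 1):
        if TRAVERSAL.search(text):
            return rounds, text
        decoded = unquote(text)
        if decoded == text:  # nothing left to decode
            break
        text = decoded
    return None, text


def scan(log_text):
    """Return one finding per log line whose URI stem hides a traversal."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != len(FIELDS):
            continue  # skip W3C header lines and malformed rows
        rec = dict(zip(FIELDS, parts))
        rounds, decoded = decode_rounds(rec["stem"])
        if rounds is not None:
            findings.append({"c_ip": rec["c_ip"], "rounds": rounds,
                             "double_encoded": rounds >= 2,
                             "decoded": decoded})
    return findings
```

Two or more passes means the request was double-encoded, as in the `%255c` form; the `/sumthin` 404 and an ordinary `%25` in a file name produce no finding.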




