[Dshield] null.ida? haven't seen this one yet

Brian Dessent brian at dessent.net
Sun Sep 14 22:40:38 GMT 2003


DAN MORRILL wrote:
> 
> This just showed up on my system. Interesting to see what captures my
> attention. I have no idea, wondering if anyone else has seen anything like
> this.
> 
> 2003-09-14 20:41:17 210.103.27.2 - W3SVC1 SHAREPOINT insert.ip.here: 80 GET
> /NULL.IDA<junk>cmd.exe$ 404 2 4203 2070 0 HTTP/1.1 insert.my.ip.here::80 - - -

IIS exploit attempt -- a buffer overflow in the indexing service.  A
patch for this has been out for well over 2 years.  It doesn't look like
you have anything to worry about since the server returned a 404.  You
didn't mention what http server or OS, but you should be aware that any
vuln that contains "cmd.exe" is not going to have a chance to do squat
on anything but a horrifically unpatched IIS on Windows.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp

Brian
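
The triage described in this reply, as an added example that is not part of the original post: it scans IIS log entries for requests to the Indexing Service mappings and separates those answered with a 404 from those that need a patch-level check. The log lines are constructed, the field order is assumed from the quoted entry, and the inclusion of `.idq` and the "review" verdict for non-404 responses are assumptions of this sketch.

```python
import re
from collections import Counter

# Constructed sample entries modelled on the line quoted in the post.
# Hosts and addresses are placeholders (RFC 5737 ranges), not real systems.
SAMPLE_LOG = """\
#Software: constructed sample
2003-09-14 20:41:17 192.0.2.10 - W3SVC1 WEB01 198.51.100.5 80 GET /NULL.IDA<junk>cmd.exe$ 404 2 4203 2070 0 HTTP/1.1 198.51.100.5 - - -
2003-09-14 20:42:03 192.0.2.11 - W3SVC1 WEB01 198.51.100.5 80 GET /default.ida <junk> 200 0 512 3900 15 HTTP/1.0 198.51.100.5 - - -
2003-09-14 20:43:10 192.0.2.12 - W3SVC1 WEB01 198.51.100.5 80 GET /index.html - 200 0 1024 310 0 HTTP/1.1 198.51.100.5 - - -
2003-09-14 20:44:55 192.0.2.10 - W3SVC1 WEB01 198.51.100.5 80 GET /a.IDQ <junk> 404 2 4203 2070 0 HTTP/1.1 198.51.100.5 - - -
"""

# Assumed field order (taken from the quoted entry): date time client-ip ...
# method uri [query] status win32-status. The query column is optional.
ENTRY = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) .*? "
    r"(?P<method>[A-Z]+) (?P<uri>/\S*) (?:(?P<query>\S+) )?"
    r"(?P<status>\d{3}) (?P<win32>\d+) "
)
# .ida and .idq are the Indexing Service script mappings covered by MS01-033.
INDEX_EXT = re.compile(r"\.id[aq](?![a-z0-9])", re.IGNORECASE)


def triage(log_text):
    """Return one finding per request that targets an Indexing Service mapping."""
    findings = []
    for line in log_text.splitlines():
        if line.startswith("#"):  # W3C directive lines carry no request
            continue
        m = ENTRY.match(line)
        if not m or not INDEX_EXT.search(m["uri"]):
            continue
        status = int(m["status"])
        # 404 = not served (per the reply); anything else is flagged (assumption).
        verdict = "rejected" if status == 404 else "review"
        findings.append({"when": f'{m["date"]} {m["time"]}', "client": m["client"],
                         "uri": m["uri"], "status": status, "verdict": verdict})
    return findings


def sources(findings):
    """Count flagged requests per client address."""
    return Counter(f["client"] for f in findings)


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```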



