FYI - large scale assault on IIS servers

Russell Fulton R.FULTON at auckland.ac.nz
Mon Mar 11 03:14:54 GMT 2002


At around midnight (UTC) we got hit by an attack from

74.70.193.157.in-addr.arpa domain name pointer gmserv.rug.ac.be

Many (all?) IIS servers on campus were pounded by up to 500 exploit
attempts each.
No obvious scan was observed before the attack.  The actual attacks
consisted of the usual ragbag of directory traversal attacks and broken
sample file exploits.

Here is the snort summary for one hour:

4 different signatures are present for 157.193.70.74 as a source

    * 48 instances of WEB-IIS _mem_bin access
    * 48 instances of WEB-IIS CodeRed v2 root.exe access
    * 8353 instances of WEB-IIS ..\.. access
    * 12628 instances of WEB-IIS cmd.exe access

I've notified rug.ac.be, by email.

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

