FYI - large scale assault on IIS servers

Russell Fulton R.FULTON at
Mon Mar 11 03:14:54 GMT 2002

At around midnight (UTC) we got hit by an attack from domain name pointer

Many (all?) IIS servers on campus were pounded by up to 500 exploit
attempts each. No obvious scan was observed before the attack. The
actual attacks consisted of the usual ragbag of directory traversal
attacks and broken sample file exploits.

Here is the snort summary for one hour:

4 different signatures are present for as a source

    * 48 instances of WEB-IIS _mem_bin access
    * 48 instances of WEB-IIS CodeRed v2 root.exe access
    * 8353 instances of WEB-IIS ..\.. access
    * 12628 instances of WEB-IIS cmd.exe access

I've notified, by email.

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
