New pattern of IIS attacks

Russell Fulton R.FULTON at
Sat Mar 23 01:58:46 GMT 2002

Hmmm... This may be related to the recent spate of compromises of
Windows systems being reported on this list...

Over the last week or so I have seen several heavy attacks aimed at IIS
servers on campus.  There is nothing novel about the attacks themselves
(they are mostly directory traversal attacks) but the delivery is
different.  What I am seeing is scans for port 80 that grab banners and
nothing else and then concerted attacks on all IIS servers on campus
from some other IP.  The attacks often try up to 100 different attacks,
rather reminiscent of the sadmind worm.

What I suspect is happening is that these attacks are finding unpatched
IIS servers that are, for one reason or another, immune to the exploits
used by Nimda.

Were the machines that got compromised running IIS?

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
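
One way to look for the two-stage pattern described in this post (a banner-only scan from one address, then traversal attempts against the probed servers from a different address), as an added example that is not part of the original message. The log layout, host names, addresses and the assumption that a banner grab is logged as a bare "HEAD /" are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, simplified to "time src_ip server method uri" (not real IIS log format).
# Assumption: the banner grab shows up in the web log as a bare "HEAD /".
LOG = """\
01:00:01 192.0.2.10 web1 HEAD /
01:00:01 192.0.2.10 web2 HEAD /
01:00:02 192.0.2.10 web3 HEAD /
01:20:00 198.51.100.7 web1 GET /scripts/..%255c../winnt/system32/cmd.exe
01:20:01 198.51.100.7 web1 GET /msadc/..%c0%af../winnt/system32/cmd.exe
01:20:02 198.51.100.7 web3 GET /scripts/..%255c../winnt/system32/cmd.exe
01:20:03 198.51.100.7 web3 GET /msadc/..%c0%af../winnt/system32/cmd.exe
01:25:00 203.0.113.5 web2 GET /index.html
"""

# ".." followed by a slash, backslash or a percent-encoded byte
TRAVERSAL = re.compile(r"\.\.(?:[/\\]|%[0-9a-f]{2})", re.I)

def correlate(log, min_servers=2):
    """Pair each banner-only scanner with a different IP that later attacked
    only servers the scanner had already probed."""
    probes = defaultdict(dict)                       # scanner -> {server: probe time}
    attacks = defaultdict(lambda: defaultdict(set))  # attacker -> server -> URIs
    first_attack, noisy = {}, set()
    for line in log.splitlines():
        t, src, server, method, uri = line.split(None, 4)
        if TRAVERSAL.search(uri):
            attacks[src][server].add(uri)
            first_attack.setdefault(src, t)
        elif method == "HEAD" and uri == "/":
            probes[src].setdefault(server, t)
        else:
            noisy.add(src)                           # ordinary traffic, not a pure scanner
    findings = []
    for attacker, hits in attacks.items():
        if len(hits) < min_servers:
            continue
        for scanner, seen in probes.items():
            if scanner == attacker or scanner in attacks or scanner in noisy:
                continue
            # HH:MM:SS strings compare correctly within one day
            if all(s in seen and seen[s] < first_attack[attacker] for s in hits):
                n = sum(len(u) for u in hits.values())
                findings.append((scanner, attacker, sorted(hits), n))
    return findings

if __name__ == "__main__":
    print(correlate(LOG))
```

Each finding is (scanner IP, attacker IP, servers attacked, number of distinct traversal URIs); in the constructed sample the attacker skips web2, which was probed but never attacked.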

