[unisog] New pattern of IIS attacks
Sawyer, John H.
JSawyer at mail.ifas.ufl.edu
Sat Mar 23 19:53:51 GMT 2002
Check out WhiteHat Arsenal
http://community.whitehatsec.com/index.pl?section=wharsenal . I have a
feeling that is what you are seeing hit your machines. It is a http/cgi
testing tool whose use has been steadily increasing since its introduction
early this year.
John H. Sawyer
University of Florida
jsawyer at ufl.edu
<> -----Original Message-----
<> From: Russell Fulton [mailto:R.FULTON at auckland.ac.nz]
<> Sent: Friday, March 22, 2002 8:59 PM
<> To: unisog at sans.org
<> Subject: [unisog] New pattern of IIS attacks
<> Hmmm... This may be related to the recent spate of compromises of
<> windows system being reported on this list...
<> Over the last week or so I have seen several heavy attacks
<> aimed at IIS
<> servers on campus. There is nothing novel about the attacks
<> (they are mostly directory traversal attacks) but the delivery is
<> different. What I am seeing is scans for port 80 that grab
<> banners an
<> nothing else and then concerted attacks on all IIS servers on campus
<> from some other IP. The attacks often try up to 100
<> different attacks,
<> rather reminiscent of sysadmind worm.
<> What I suspect is happening is that these attacks are
<> finding unpatched
<> IIS servers that are, for one reason or another, immune to
<> the exploits
<> used by nimda.
<> Were the machines that got compromised running IIS?
<> Russell Fulton, Computer and Network Security Officer
<> The University of Auckland, New Zealand
More information about the unisog