[unisog] New pattern of IIS attacks

Sawyer, John H. JSawyer at mail.ifas.ufl.edu
Sat Mar 23 19:53:51 GMT 2002


Check out WhiteHat Arsenal
http://community.whitehatsec.com/index.pl?section=wharsenal .  I have a
feeling that is what you are seeing hit your machines.  It is a http/cgi
testing tool whose use has been steadily increasing since its introduction
early this year.


-jhs

------------------------------------------------
John H. Sawyer
University of Florida
jsawyer at ufl.edu


<> -----Original Message-----
<> From: Russell Fulton [mailto:R.FULTON at auckland.ac.nz] 
<> Sent: Friday, March 22, 2002 8:59 PM
<> To: unisog at sans.org
<> Subject: [unisog] New pattern of IIS attacks
<> 
<> 
<> Hmmm... This may be related to the recent spate of compromises of
<> windows system being reported on this list...
<> 
<> Over the last week or so I have seen several heavy attacks 
<> aimed at IIS
<> servers on campus.  There is nothing novel about the attacks 
<> themselves
<> (they are mostly directory traversal attacks) but the delivery is
<> different.  What I am seeing is scans for port 80 that grab 
<> banners an
<> nothing else and then concerted attacks on all IIS servers on campus
<> from some other IP.  The attacks often try up to 100 
<> different attacks,
<> rather reminiscent of sysadmind worm.
<> 
<> What I suspect is happening is that these attacks are 
<> finding unpatched
<> IIS servers that are, for one reason or another, immune to 
<> the exploits
<> used by nimda.
<> 
<> Were the machines that got compromised running IIS?
<> 
<> -- 
<> Russell Fulton, Computer and Network Security Officer
<> The University of Auckland,  New Zealand
<> 



More information about the unisog mailing list