[unisog] IIS problem du jour

Joshua Wright Joshua.Wright at jwu.edu
Tue Mar 18 13:18:13 GMT 2003


Can anyone shed some light on a signature that could be used to detect
this tool?  The snort-sigs list hasn't come up with a signature for this
attack yet.  If anyone believes they are seeing attacks to exploit this
vulnerability, please share obfuscated logging information from IIS.

Thanks.

-Joshua Wright
Senior Network and Security Architect
Johnson & Wales University
Joshua.Wright at jwu.edu 
http://home.jwu.edu/jwright/

pgpkey: http://home.jwu.edu/jwright/pgpkey.htm
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73



> -----Original Message-----
> From: Valdis.Kletnieks at vt.edu [mailto:Valdis.Kletnieks at vt.edu]
> Sent: Monday, March 17, 2003 5:57 PM
> To: Anderson Johnston
> Cc: unisog at sans.org; security at umbc.edu
> Subject: Re: [unisog] IIS problem du jour 
> 
> 
> On Mon, 17 Mar 2003 17:07:27 EST, Anderson Johnston said:
> > 
> > 
> http://www.microsoft.com/technet/treeview/default.asp?url=/tec
> hnet/security/b
> ulletin/MS03-007.asp
> > 
> > An attack on IIS WebDAV.  The CAN reference given in the 
> above URL is
> > still under CVE editorial review.
> > 
> > 
> > Has anyone see this wild?  Got any NIDS signatures for it?
> 
> Yes, it's in the wild - a 0-day nailed some .MIL servers.
> 
> http://www.msnbc.com/news/886524.asp?0cv=CB10
> 
> http://www.cert.org/advisories/CA-2003-09.html
> 
> 



More information about the unisog mailing list