Your best idea when posting to this list is to sanitize the logs. If you
feel funny about posting your IP, sir, simply take out the address. A quick
script with GREP or PERL would suffice. ;)
Buffer Overflow in /dev/stomach due to vodka.o!
From: Jim Grossl [EMAIL PROTECTED]
To: [EMAIL
Hello Jim,
These traces look like a worm called Nimda, which appeared last year.
Here is a sample trace:
2001-09-19 00:00:00 x.x.x.x y.y.y.y GET /scripts/root.exe 404 820 72 80 HTTP/1.0 - -
2001-09-19 00:00:00 x.x.x.x y.y.y.y GET /MSADC/root.exe 404 820 70 80 HTTP/1.0 - -
2001-09-19 00:00:00
PROTECTED]]
Sent: Wednesday, January 16, 2002 5:30 PM
To: 'Todd Williamson'; [EMAIL PROTECTED]
Subject: RE: IIS log files, can I have your take on these attacks?
Hi Todd, the machine is patched. I am not, however, running
the URL Scan filter. But the server is issuing 400 level
error messages, and I cannot
]]
Sent: Wednesday, January 16, 2002 5:08 PM
To: Jim Grossl; [EMAIL PROTECTED]
Subject: Re: IIS log files, can I have your take on these attacks?
Your best idea when posting to this list is to sanitize the logs. If you
feel funny about posting your IP, sir, simply take out the address. A quick
script
security
patches (all patches period for that matter, I'm paranoid).
Jim Grossl
Lee Pesky Learning Center
Boise, Idaho USA
-Original Message-
From: Andrew Blevins [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 16, 2002 11:14 AM
To: Jim Grossl
Subject: RE: IIS log files, can I have
Jim,
I see the same log entries all of the time, on most of
my web servers. It is the scanning stage of a Nimda
or Code Red attack. If you have Microsoft's URL Scan filter
installed, and your IIS server patched (MS has a patch to guard
against folder traversal) you shouldn't have too
much to
, January 16, 2002 11:35 AM
To: Jim Grossl
Subject: RE: IIS log files, can I have your take on these attacks?
Yeah... either Nimda or Code Red. You can tell from the MSADC, and you can also see
the buffer overflow %5c.
So the question is: did you patch your server? When you go to MS security and
find the info
Center
Boise, Idaho USA
-Original Message-
From: Todd Williamson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 16, 2002 11:24 AM
To: Jim Grossl; [EMAIL PROTECTED]
Subject: RE: IIS log files, can I have your take on these attacks?
Jim,
I see the same log entries all of the time