RE: New Attack / New Vulnerability?

From: Quarantine (Quarantine@GSCCCA.ORG)
Date: 02/27/02


From: Quarantine <Quarantine@GSCCCA.ORG>
To: "'Sterling Moses'" <sterling@silversoftwareinc.com>, incidents@securityfocus.com
Date: Wed, 27 Feb 2002 14:40:11 -0500

A Google search points to Nimda traffic, and TruSecure actually reported
this specific DLL in their alert from September 19, 2001
(http://www.trusecure.com/html/tspub/hypeorhot/rxalerts/tsa01024_cid177.shtml).
The DLL is for Microsoft SharePoint Team Server
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/spsdk11/Intro/overview.asp).

-----Original Message-----
From: Sterling Moses [mailto:sterling@silversoftwareinc.com]
Sent: Wednesday, February 27, 2002 12:11 PM
To: incidents@securityfocus.com
Subject: New Attack / New Vulnerability?

Is there a new vulnerability out?

We monitor hundreds of financial IIS servers and have noticed many requests
for the following:

GET /_vti_bin/owssvr.dll 404

These requests originate from multiple IP addresses, and hit different
machines on different networks.

Based on the traffic and number of entries I can guess these are not
targeted attacks, but seem to be opportunistic in nature.

Any information would be helpful.

Sterling.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
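
Added example, not part of the original thread: one way to check the pattern described in the question (many sources, many servers, all 404) against IIS W3C extended logs. The sample lines, the field layout and the addresses are constructed, and `parse_w3c` / `summarize_probes` are hypothetical helper names.

```python
from collections import defaultdict

PROBE_PATH = "/_vti_bin/owssvr.dll"  # the path quoted in the message above

# Constructed sample in IIS W3C extended format; every address is a
# documentation-range placeholder, not data from the thread.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip s-ip cs-method cs-uri-stem sc-status
2002-02-27 17:01:10 198.51.100.7 192.0.2.10 GET /_vti_bin/owssvr.dll 404
2002-02-27 17:01:12 198.51.100.7 192.0.2.10 GET /default.asp 200
2002-02-27 17:03:44 203.0.113.21 192.0.2.11 GET /_vti_bin/owssvr.dll 404
2002-02-27 17:05:02 203.0.113.99 192.0.2.10 GET /_VTI_BIN/OWSSVR.DLL 404
2002-02-27 17:06:30 198.51.100.7 192.0.2.12 GET /_vti_bin/owssvr.dll 404
"""


def parse_w3c(lines):
    """Yield one dict per request, keyed by the latest #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or corrupt rows
                yield dict(zip(fields, values))


def summarize_probes(lines, path=PROBE_PATH):
    """Group requests for `path` by client and by server (case-insensitive)."""
    by_client = defaultdict(set)  # c-ip -> servers it requested the path from
    by_server = defaultdict(set)  # s-ip -> clients that requested the path
    served = []                   # non-404 answers: the DLL exists on that host
    for rec in parse_w3c(lines):
        if rec.get("cs-uri-stem", "").lower() != path:
            continue
        client, server = rec.get("c-ip", "?"), rec.get("s-ip", "?")
        by_client[client].add(server)
        by_server[server].add(client)
        if rec.get("sc-status") != "404":
            served.append(rec)
    return {"clients": dict(by_client), "servers": dict(by_server), "served": served}


if __name__ == "__main__":
    s = summarize_probes(SAMPLE_LOG.splitlines())
    print(len(s["clients"]), "sources,", len(s["servers"]), "servers probed")
    print("non-404 responses to review:", len(s["served"]))
```

Many distinct sources spread across many servers with only 404 responses matches the broad, untargeted pattern the question describes; any entry in `served` identifies a host where the SharePoint Team Server DLL is actually present and deserves a closer look.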


