RE: New Attack / New Vulnerability?

From: Quarantine (Quarantine@GSCCCA.ORG)
Date: 02/27/02


From: Quarantine <Quarantine@GSCCCA.ORG>
To: "'Sterling Moses'" <sterling@silversoftwareinc.com>, incidents@securityfocus.com
Date: Wed, 27 Feb 2002 14:40:11 -0500

A Google search points to Nimda traffic, and TruSecure actually reported
this specific DLL in their alert from September 19,
2001(http://www.trusecure.com/html/tspub/hypeorhot/rxalerts/tsa01024_cid177.
shtml). The DLL is for Microsoft SharePoint Team Server
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/spsdk11/In
tro/overview.asp).

-----Original Message-----
From: Sterling Moses [mailto:sterling@silversoftwareinc.com]
Sent: Wednesday, February 27, 2002 12:11 PM
To: incidents@securityfocus.com
Subject: New Attack / New Vulnerability?

Is there a new vulnerability out?

We monitor hundreds of financial IIS servers and have noticed many requests
for the following:

GET /_vti_bin/owssvr.dll 404

These requests originate from multiple IP addresses, and hit different
machines on
different networks.

Based on the traffic and number of entries I can guess these are not
targeted attacks, but seem to be opportunistic
in nature.

Any information would be helpful.

Sterling.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com