RE: New Attack / New Vulnerability?

From: Quarantine (Quarantine@GSCCCA.ORG)
Date: 02/27/02

• Previous message: Chris Adams: "Re: PHP exploit (Was Re: Wave of Nimda-like hits this morning?)"
• Maybe in reply to: Sterling Moses: "New Attack / New Vulnerability?"
• Next in thread: Darren Young: "RE: Wave of Nimda-like hits this morning?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: Quarantine <Quarantine@GSCCCA.ORG>
To: "'Sterling Moses'" <sterling@silversoftwareinc.com>, incidents@securityfocus.com
Date: Wed, 27 Feb 2002 14:40:11 -0500

A Google search points to Nimda traffic, and TruSecure actually reported
this specific DLL in their alert from September 19,
2001(http://www.trusecure.com/html/tspub/hypeorhot/rxalerts/tsa01024_cid177.
shtml). The DLL is for Microsoft SharePoint Team Server
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/spsdk11/In
tro/overview.asp).

-----Original Message-----
From: Sterling Moses [mailto:sterling@silversoftwareinc.com]
Sent: Wednesday, February 27, 2002 12:11 PM
To: incidents@securityfocus.com
Subject: New Attack / New Vulnerability?

Is there a new vulnerability out?

We monitor hundreds of financial IIS servers and have noticed many requests
for the following:

GET /_vti_bin/owssvr.dll 404

These requests originate from multiple IP addresses, and hit different
machines on
different networks.

Based on the traffic and number of entries I can guess these are not
targeted attacks, but seem to be opportunistic
in nature.

Any information would be helpful.

Sterling.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

---

• Previous message: Chris Adams: "Re: PHP exploit (Was Re: Wave of Nimda-like hits this morning?)"
• Maybe in reply to: Sterling Moses: "New Attack / New Vulnerability?"
• Next in thread: Darren Young: "RE: Wave of Nimda-like hits this morning?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Preventing exploitation with rebasing ... > Every image file, DLL or executable, has an "Image Base" and this base is ... > being "vulnerable" to the buffer overflow vulnerability would have been ... But then another worm uses another DLL so I rebase that one, ... (Bugtraq) Preventing exploitation with rebasing ... Every image file, DLL or executable, has an "Image Base" and this base is ... being "vulnerable" to the buffer overflow vulnerability would have been ... But then another worm uses another DLL so I rebase that one, ... (Bugtraq) Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking ... Windows Script Host DLL Hijacking ... Remote Command Execution Vulnerability ... Reference to Vulnerability Disclosure Policy ... (Full-Disclosure) Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking ... file could lead to remote code execution? ... Windows Script Host DLL Hijacking ... Remote Command Execution Vulnerability ... Reference to Vulnerability Disclosure Policy ... (Full-Disclosure) [Full-disclosure] E-Press ONE Office Suite <= Insecure DLL Hijacking Vulnerability ... E-Press ONE Office Suite application is vulnerable to Insecure DLL ... Hijacking Vulnerability. ... (Full-Disclosure)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > incidents  > 2002-02