RE: IIS Search Method Overflow being revisted?

• Previous message: Rohny Jotton: "IIS Search Method Overflow being revisted?"
• Maybe in reply to: Rohny Jotton: "IIS Search Method Overflow being revisted?"
• Next in thread: Felipe Moniz de Aragao: "Re: IIS Search Method Overflow being revisted?"
• Reply: Felipe Moniz de Aragao: "Re: IIS Search Method Overflow being revisted?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: 'Rohny Jotton' <rohnyjotton@hotmail.com>, incidents@securityfocus.com
Date: Thu, 25 Mar 2004 11:25:13 -0500

A Google search suggests a possible attempt to exploit the MS03-007 NTDLL
vulnerability [via WebDAV] from February 2003.

http://archives.neohapsis.com/archives/sf/pentest/2003-03/0109.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.jb.h
tml
http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx

Possibly we're seeing an increase of this now due to Agobot / Gaobot /
Polybot scans, as some variants can exploit this vulnerability. I believe
new Agobot / Gaobot variants a being discovered sometimes at a rate of
several per day.

I would suspect that if you checked your IDS logs or could run Ethereal
packet captures through an IDS like Snort, the year-old NTDLL signatures
might help you confirm what this is. Another post I believe in the
microsoft.public today mentioned a different payload:
SEARCH /AAAAAAA....

As you may already know, if you're using IIS 4 or 5, I strongly recommend
running URLScan and the other security recommendations that are all free
from www.microsoft.com/technet/security

- karl

-----Original Message-----
From: Rohny Jotton [mailto:rohnyjotton@hotmail.com]
Sent: Thursday, March 25, 2004 10:45 AM
To: incidents@securityfocus.com
Subject: IIS Search Method Overflow being revisted?

In the last 24 hours, I've logged two instances of "SEARCH
/�����������������������....(many more)" on my web
server from two different networks resulting in a 501 being returned.

When googling, the only thing I can relate to it is an Overflow attempt from

2001 (Georgi Guninski).

I do not see any prior attempts. I just thought inquiring minds ought to
know...

---------------------------------------------------------------------------
Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN,
wireless security

Protect your network against hackers, viruses, spam and other risks with Astaro
Security Linux, the comprehensive security solution that combines six
applications in one software solution for ease of use and lower total cost of
ownership.

Download your free trial at
http://www.securityfocus.com/sponsor/Astaro_incidents_040301
----------------------------------------------------------------------------

• Previous message: Rohny Jotton: "IIS Search Method Overflow being revisted?"
• Maybe in reply to: Rohny Jotton: "IIS Search Method Overflow being revisted?"
• Next in thread: Felipe Moniz de Aragao: "Re: IIS Search Method Overflow being revisted?"
• Reply: Felipe Moniz de Aragao: "Re: IIS Search Method Overflow being revisted?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]