RE: IIS Search Method Overflow being revisited?

From: Levinson, Karl (Karl.Levinson_at_dhs.gov)
Date: 03/25/04

    To: 'Rohny Jotton' <rohnyjotton@hotmail.com>, incidents@securityfocus.com
    Date: Thu, 25 Mar 2004 11:25:13 -0500
    
    

    A Google search suggests a possible attempt to exploit the MS03-007 NTDLL
    vulnerability [via WebDAV] from February 2003.

    http://archives.neohapsis.com/archives/sf/pentest/2003-03/0109.html
    http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.jb.html
    http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx

    Possibly we're seeing an increase of this now due to Agobot / Gaobot /
    Polybot scans, as some variants can exploit this vulnerability. I believe
    new Agobot / Gaobot variants are being discovered sometimes at a rate of
    several per day.

    I would suspect that if you checked your IDS logs or could run Ethereal
    packet captures through an IDS like Snort, the year-old NTDLL signatures
    might help you confirm what this is. Another post I believe in the
    microsoft.public today mentioned a different payload:
    SEARCH /AAAAAAA....

    As you may already know, if you're using IIS 4 or 5, I strongly recommend
    running URLScan and the other security recommendations that are all free
    from www.microsoft.com/technet/security

    - karl

    -----Original Message-----
    From: Rohny Jotton [mailto:rohnyjotton@hotmail.com]
    Sent: Thursday, March 25, 2004 10:45 AM
    To: incidents@securityfocus.com
    Subject: IIS Search Method Overflow being revisited?

    In the last 24 hours, I've logged two instances of "SEARCH /....(many more)"
    on my web server from two different networks resulting in a 501 being
    returned.

    When googling, the only thing I can relate to it is an Overflow attempt from
    2001 (Georgi Guninski).

    I do not see any prior attempts. I just thought inquiring minds ought to
    know...
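
One way to triage web server logs for the requests discussed in this thread, as an added example that is not part of the original messages: it scans a W3C extended log for WebDAV methods such as SEARCH carrying an unusually long URI and groups the hits by source address. The log lines, the 1024-character threshold and the method list beyond SEARCH are constructed assumptions.

```python
from collections import defaultdict

# Assumption: URI length above which a WebDAV request is treated as suspect.
LONG_URI = 1024
# Assumption: methods to watch; the thread itself only mentions SEARCH.
WEBDAV_METHODS = {"SEARCH", "PROPFIND", "LOCK"}

# Constructed sample log (documentation IP ranges, filler URI of 2000 "A"s).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2004-03-24 09:12:01 192.0.2.10 GET /index.html 200
2004-03-24 21:40:17 198.51.100.7 SEARCH /{long} 501
2004-03-25 03:05:44 203.0.113.9 SEARCH /{long} 501
2004-03-25 08:30:02 192.0.2.10 PROPFIND /docs/ 207
""".replace("{long}", "A" * 2000)


def parse_w3c(text):
    """Yield one dict per request, keyed by the latest #Fields: directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip malformed rows
                yield dict(zip(fields, values))


def suspicious_webdav(text, min_len=LONG_URI):
    """Return {client_ip: [(timestamp, method, uri_length, status), ...]}."""
    hits = defaultdict(list)
    for rec in parse_w3c(text):
        method = rec.get("cs-method", "").upper()
        uri = rec.get("cs-uri-stem", "")
        if method in WEBDAV_METHODS and len(uri) >= min_len:
            stamp = f'{rec.get("date", "")} {rec.get("time", "")}'
            hits[rec.get("c-ip", "?")].append(
                (stamp, method, len(uri), rec.get("sc-status")))
    return dict(hits)


if __name__ == "__main__":
    for ip, events in suspicious_webdav(SAMPLE_LOG).items():
        for stamp, method, length, status in events:
            print(f"{ip} {stamp} {method} uri_len={length} status={status}")
```
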
