Pantek Library

Re: New attack or old Vulnerability Scanner?

From: jac <johann.coulon(at)sulzer.com>
Date: Tue Apr 29 2003 - 16:21:49 EDT
In-Reply-To: <20030424234343.8177.qmail@www.securityfocus.com>

Hi Mark,

The pattern is the UNICODE exploit. Depending on the HTTP response, 200 (Success) or 404 (Not Found), you may be affected by this exploit when running an unpatched version of IIS 4.0/5.0. Have a closer look at your web server log files. If you don't see the HTTP response, you may prefer to configure the log file output with extended logging options for future analysis.

You can take good prevention from this and several other attacks by applying all security patches, using Microsoft's URLScan and doing some hardening on your internet server(s).

Johann Coulon
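
The log review described in the reply above, as an added Python example that is not part of the original message or thread. It assumes the server writes W3C extended log format with a `#Fields:` header, and it assumes the probes show up as percent-encoded overlong UTF-8 sequences (lead byte 0xC0 or 0xC1); the log lines, addresses and paths are constructed.

```python
import re

# Assumption: the probe carries a percent-encoded lead byte 0xC0 or 0xC1.
# Those lead bytes only occur in overlong (invalid) two-byte UTF-8 sequences.
OVERLONG = re.compile(r"%c[01]%[0-9a-f]{2}", re.IGNORECASE)

# Constructed sample in W3C extended log format (not taken from the thread).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-04-24 23:10:01 192.0.2.10 GET /default.htm - 200
2003-04-24 23:10:02 192.0.2.77 GET /scripts/..%c0%af../example/target.exe - 404
2003-04-24 23:10:03 192.0.2.77 GET /scripts/..%c1%9c../example/target.exe - 200
#Fields: date time c-ip cs-method cs-uri-stem
2003-04-24 23:10:04 192.0.2.77 GET /msadc/..%C0%AF../example/target.exe
"""

def triage(log_text):
    """Return (client_ip, uri_stem, status, verdict) for each suspicious request."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column layout can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "")
        if not OVERLONG.search(stem + row.get("cs-uri-query", "")):
            continue
        status = row.get("sc-status")      # None when the field is not logged
        if status is None:
            verdict = "status not logged: enable sc-status in extended logging"
        elif status == "200":
            verdict = "200 Success: server may be affected, investigate"
        elif status == "404":
            verdict = "404 Not Found: request did not reach a target"
        else:
            verdict = "other status: review manually"
        hits.append((row.get("c-ip", "?"), stem, status, verdict))
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(*hit, sep="  ")
```
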

Received on Tue Apr 29 18:38:35 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:04 EDT

