[OT] note on security paranoia [wasRe: [oclug]Apache Logs]
Bart Trojanowski
bart-oclug at jukie.net
Wed Oct 30 15:41:47 EST 2002
* Shad Young <shad.young at sympatico.ca> [021030 15:25]:
> > Uh, no. Requests for
> > /var/www/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
> > are the product of one of the recent worm attacks on IIS. There are many
> > infected boxes still out there spewing this attack around.
> >
>
> Really? Which one would that be? FunLove? Worm.datum?<-- hits large networks
> using MS VXD call to hidden system registry components and only seems to
> want to connect to MS update. This is the only significant one of note
> lately and it does not look like that --^.
>
> Do I really need to point out that most malicious code is disguised as
> legitimate RPC? This is why they are hard to detect. More to the point the
> odds of being hit with a worm like this are very small.
Sure Shad, because it's always a valid pattern when you have 3 '..%5c..'
strings in a URL. It is obvious that this is a .NET extension. But
that would mean that SecurityFocus is a collection of idiots since they
provide a script that searches out this pattern and others like it,
logging them as possible exploits.
http://downloads.securityfocus.com/vulnerabilities/exploits/iis-kabom.php
B.
--
WebSig: http://www.jukie.net/~bart/sig/
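The kind of log check the thread is arguing about, as an added example (not the SecurityFocus script and not from the original post): it walks Apache combined-format lines, percent-decodes each request path (including the double-encoded `%255c` form some IIS worm variants used), and flags the `..%5c..` traversal and `cmd.exe` pattern quoted above. The log lines are constructed samples.

```python
from __future__ import annotations
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Oct/2002:15:20:01 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
10.0.0.9 - - [30/Oct/2002:15:20:07 -0500] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
10.0.0.9 - - [30/Oct/2002:15:20:08 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
10.0.0.7 - - [30/Oct/2002:15:21:00 -0500] "GET /search?q=a..b HTTP/1.1" 200 512 "-" "curl/7.9"
"""

# Client IP, timestamp, method, request path and status from a combined-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def fully_decode(path: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding, so %5c and %255c both become a backslash."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify(path: str) -> list[str]:
    """Return the suspicious features found in one request path; empty list means clean."""
    norm = fully_decode(path).replace("\\", "/").lower()
    hits = []
    if "../" in norm:                       # parent-directory traversal after decoding
        hits.append("dot-dot traversal")
    if "cmd.exe" in norm:                   # the IIS worm's target binary
        hits.append("cmd.exe request")
    if "%5c" in path.lower() or "%255c" in path.lower():   # encoded backslash as seen on the wire
        hits.append("encoded backslash")
    return hits

def scan(log_text: str) -> list[dict]:
    """Scan log text and return one finding per line that matches any pattern."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify(m["path"])
        if hits:
            findings.append({"ip": m["ip"], "status": int(m["status"]),
                             "path": m["path"], "hits": hits})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], f["status"], ", ".join(f["hits"]), f["path"])
```

On an Apache host these requests return 404, which is exactly the "infected boxes spewing the attack around" noise described in the thread; the decode step matters because a check for the literal `%5c` alone misses the double-encoded form.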