Message-ID: <200404290835.AA95158566@transientimages.com>
From: root at transientimages.com (Oliver Raymond)
Subject: Exploit Identification Request
Thanks for your prompt and accurate responses!
The 4092 byte made me suspicious of a new IIS overflow that was
not being caught.
The exploit you referenced mentions 296 x A's that rotate to drop
the code. That pretty much nails this scenario on the head!
Searches to my normal usenet groups and sec groups failed to find
this, so I appreciate your help in identifying the possible
exploit.
We are, of course, patched to this, but it was concerning me!
Oliver
---------- Original Message ----------------------------------
From: Thorolf <thorolf@...d.einherjar.de>
Date: Thu, 29 Apr 2004 16:52:58 +0200 (CEST)
>
>
>Hi,
>
>I have few alerts in 24h,
>
>
>[5]-root@...r:ttyp3[log] #grep "194.xx.xx.xx" httpd-access.log
>194.xx.xx.xx - - [26/Apr/2004:12:22:36 +0000] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
>...
>
>It looks like some mutation of a worm/virus; it uses this bug,
>
>http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx
>
>Look at this ...
>http://seclists.org/lists/incidents/2004/Mar/0107.html
>
>
>Regards,
>Rafal Lesniak
>
>- --
>- - Administrator
>- - Run for your lives, death has arrived
>- - Try save your soul, run from the sound of rowing oars
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
>
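
Added example, not part of either poster's message: a Python check that flags WebDAV requests in an Apache-style access log whose URI is mostly \xhh-escaped bytes, like the SEARCH line quoted above, or is unusually long. It covers the other WebDAV methods as well as SEARCH; the thresholds, the name inspect_line and the sample log lines are assumptions constructed for illustration.

```python
import re

# Apache common log format: host ident user [time] "METHOD URI PROTO" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (.*)$')
ESCAPE_RE = re.compile(r'\\x[0-9a-fA-F]{2}')   # Apache writes non-printable bytes as \xhh
WEBDAV_METHODS = {"SEARCH", "PROPFIND", "PROPPATCH", "LOCK", "UNLOCK", "MKCOL", "COPY", "MOVE"}
# Assumed thresholds, not taken from the thread; tune them against your own traffic.
MIN_ESCAPED = 8      # escaped bytes in the request URI
MIN_RATIO = 0.5      # share of URI bytes that were non-printable
LONG_URI = 1024      # URI length in bytes after un-escaping


def inspect_line(line):
    """Return a finding dict for a suspicious WebDAV request, else None."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    src, when, method, rest = m.groups()
    if method not in WEBDAV_METHODS:
        return None
    # A truncated or wrapped line may lack the closing quote; keep what is there.
    request = rest.rsplit('"', 1)[0] if '"' in rest else rest
    uri = request.split(" ", 1)[0]
    escaped = len(ESCAPE_RE.findall(uri))
    uri_bytes = len(uri) - 3 * escaped          # each \xhh is one byte on the wire
    reasons = []
    if escaped >= MIN_ESCAPED and escaped / uri_bytes >= MIN_RATIO:
        reasons.append("binary-uri")
    if uri_bytes >= LONG_URI:
        reasons.append("long-uri")
    if not reasons:
        return None
    return {"src": src, "time": when, "method": method,
            "uri_bytes": uri_bytes, "escaped": escaped, "reasons": reasons}


# Constructed sample lines (addresses from the documentation range, sizes made up).
SAMPLE = [
    '192.0.2.10 - - [26/Apr/2004:12:22:36 +0000] "SEARCH /\\x90' + '\\x02\\xb1' * 40 + ' HTTP/1.1" 414 339',
    '192.0.2.11 - - [26/Apr/2004:12:23:01 +0000] "SEARCH /' + 'A' * 2000,   # wrapped, no closing quote
    '192.0.2.12 - - [26/Apr/2004:12:24:10 +0000] "PROPFIND /docs/ HTTP/1.1" 207 512',
    '192.0.2.13 - - [26/Apr/2004:12:25:44 +0000] "GET /index.html HTTP/1.1" 200 1043',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        hit = inspect_line(entry)
        if hit:
            print(hit["src"], hit["method"], hit["uri_bytes"], ",".join(hit["reasons"]))
```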