"Tim Hammerquist" <penryu.RemoveThis@saiyix.ath.cx> wrote:
> According to a google search, the former is an IIS WebDAV
> exploit, apparently of the buffer overflow variety.
>
I thought for a moment that someone connected via FrontPage,
although the 414 error number threw me for a loop. I tried to
connect via FrontPage myself to see what kind of responses I
get, and it just fed the HTML code to FrontPage without asking
for a password, which seems to be the typical way for FrontPage
to behave when using it to connect to sites that don't have
FrontPage extensions installed.
Thanks for the link.
> The second is probably just testing for the existence of an
> exploitable DLL on a poorly configured IIS system.
Whoever it is runs http which appears to throw up an IE 404
page with some kind of javascript code that appears to be
employing some kind of shdocvw.dll exploit... (maybe). I'm
going to go to another newsgroup and post the stuff there to
see what those guys might suggest.
> The fact that they're both from the same source IP would imply
> the host in question is simply running a battery of possible
> exploits against your server, though the user may not be
> aware that his PC is being used this way.
It's interesting to note that the attacking system is only three hops
away and that the system has three open ports. I didn't bother
scanning anything past port 127 (catching HTTP, FTP and SMTP
was enough for me). And the corresponding IE 404 page while
using Firefox doesn't fit. The IP address in the previous post
should not be contacted via HTTP unless you know what you're
doing. My apologies for posting that IP address.
Thanks, Tim.
Jim Carlock
Post replies to the newsgroup.