OSEC

 
From: Ryan Permeh (ryanEEYE.COM)
Date: Tue Apr 24 2001 - 12:50:10 CDT


    this person is attempting to test for overflows.

    Retina uses a technique somewhat like this in its CHAM functionality, which
    is off by default. if anything worked, you would notice a bunch of error
    messages/Dr. Watson logs in the morning. it's unlikely that random long
    buffers will turn things up against common software, but this functionality
    in CHAM has been known to drop numerous third party software. If there are
    more intelligent entries with strange buffers, something could have been
    turned up, but it tends to be in custom aspects of your server (custom isapi,
    custom handlers, custom header handlers, etc). but, as i said before,
    usually, if anything bad happened (and it's unlikely seeing your described
    config),
    Signed,
    Ryan Permeh
    eEye Digital Security Team
    http://www.eEye.com/Retina -Network Security Scanner
    http://www.eEye.com/Iris -Network Traffic Analyzer

    ----- Original Message -----
    From: "PM Systems - Rick Woehler" <RWoehlerPMSYSCORP.COM>
    To: <FOCUS-MSSECURITYFOCUS.COM>
    Sent: Tuesday, April 24, 2001 8:58 AM
    Subject: Vulnerability scanner run against us

    > We had an attacker run a vulnerability scanner against our NT4.0/IIS 5
    > server last night. Luckily, we're already patched against everything he
    > ran and I'm confident he didn't get any access. However, this showed up
    > in the web logs from the attacker and I'm not familiar with it. Has anyone
    > seen this before? Is this some type of overflow attempt?
    >
    >
    > ----------------------------------------------------------------------------
    > Address:        xxx.xxx.xxx.xxx (attacker's IP)
    > Protocol:       HTTP/1.0
    > Date:   Tue Apr 24, 2001
    > ----------------------------------------------------------------------------
    >  00:00:33       GET                 0.0K
    > /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    >
    > ----------------------------------------------------------------------------
    >
    > ----------------------------------------------------------------------------
    > Address:        xxx.xxx.xxx.xxx (attacker's IP)
    > Protocol:       HTTP/1.0
    > Date:   Tue Apr 24, 2001
    > ----------------------------------------------------------------------------
    >  00:00:59       GET                 0.0K
    > /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    >  00:01:05       GET                 0.0K
    > /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    >
    > ----------------------------------------------------------------------------
    >
    > Rick Woehler
    > PM Systems Corporation
    > www.pmsyscorp.com
    >
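
An added example, not part of the original thread and not Retina's or any vendor's code: a small Python check that flags web-log requests whose target contains a long run of one repeated character, the pattern shown in the quoted report and described in the reply as random long buffers. The "time method target" line layout, the sample entries and the 32-character threshold are assumptions made for illustration.

```python
import re
from itertools import groupby
from urllib.parse import unquote

# Constructed sample entries in an assumed "time method target" layout.
SAMPLE_LOG = [
    "00:00:33 GET /" + "A" * 40,
    "00:00:41 GET /index.html",
    "00:00:59 GET /" + "%41" * 40,          # same filler, percent-encoded
    "00:01:05 GET /images/logo.gif?v=1111",
    "00:01:09 HEAD /scripts/report.asp?id=" + "a" * 12,
]

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2})\s+([A-Z]+)\s+(\S+)$")


def longest_run(text):
    """Return (char, length) for the longest run of one repeated character."""
    best = ("", 0)
    for ch, group in groupby(text):
        n = sum(1 for _ in group)
        if n > best[1]:
            best = (ch, n)
    return best


def find_filler_requests(lines, min_run=32):
    """Flag requests whose decoded target contains a long single-character run."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip separators and anything not in the assumed layout
        when, method, target = m.groups()
        ch, n = longest_run(unquote(target))  # decode so %41%41... counts as AA...
        if n >= min_run:
            hits.append({"time": when, "method": method, "char": ch,
                         "run": n, "raw_length": len(target)})
    return hits


if __name__ == "__main__":
    for hit in find_filler_requests(SAMPLE_LOG):
        print(hit)
```

Hits from a check like this are worth correlating with application error logs and crash dumps from the same time window, since that is where a successful probe would show up.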