From: H. Morrow Long (morrow.long YALE.EDU)
Date: Thu Aug 30 2001 - 10:55:18 CDT
This is documented in a May 1, 2001 Microsoft Security Bulletin MS01-023, see:
"Unchecked Buffer in ISAPI Extension Could Enable Compromise of IIS 5.0 Server".
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-023.asp
"Remote IIS ISAPI Printer Extension Buffer Overflow"
http://xforce.iss.net/alerts/advise75.php#list
The Snort IDS has a check for this called:
IDS533/web-iis_http-iis5-printer-isapi
- H. Morrow Long
Originally posted: May 01, 2001
Gabor Tokaji wrote:
>
> Does anybody know of a new worm taking rounds out there? I keep getting
>
> 2001-08-23 16:37:51 x.x.x.x - x.x.x.x 80 GET /NULL.printer - 404 -
>
> requests more and more often. It began a couple of days ago. All machines
> sending these to mine are win2k machines. Doesn't look like kids probing -
> it looks more organized.
>
> G.
>
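An added example, not part of either message in this thread: a small log triage script that finds requests like the `GET /NULL.printer` line quoted above and groups them by source address. The field order is assumed from that single quoted line, the `#Fields` directive and all sample records are constructed, and the function names are hypothetical.

```python
from collections import defaultdict

# Field order assumed from the one log line quoted in the thread.
FIELDS = ["date", "time", "c_ip", "user", "s_ip", "s_port",
          "method", "uri_stem", "uri_query", "status", "agent"]

# Constructed sample records (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2001-08-23 16:37:51 192.0.2.10 - 198.51.100.5 80 GET /NULL.printer - 404 -
2001-08-23 16:38:02 192.0.2.44 - 198.51.100.5 80 GET /default.htm - 200 Mozilla/4.0
2001-08-23 16:41:17 192.0.2.10 - 198.51.100.5 80 GET /null.PRINTER - 404 -
2001-08-23 16:45:30 203.0.113.7 - 198.51.100.5 80 GET /NULL.printer - 500 -
2001-08-23 16:46:00 203.0.113.9 - 198.51.100.5 80 GET /docs/printer.htm - 200 Mozilla/4.0
"""

def parse_line(line):
    """Return a dict for one record, or None for directives and malformed lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def printer_probes(log_text):
    """Group requests whose URI stem ends in .printer (any case) by client IP."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Match on the extension only, so /docs/printer.htm is not flagged.
        if rec and rec["uri_stem"].lower().endswith(".printer"):
            hits[rec["c_ip"]].append((rec["date"], rec["time"], rec["status"]))
    return dict(hits)

def non_404_sources(hits):
    """Clients whose .printer request got a status other than 404; review these first."""
    return sorted(ip for ip, reqs in hits.items()
                  if any(status != "404" for _, _, status in reqs))

if __name__ == "__main__":
    found = printer_probes(SAMPLE_LOG)
    for ip, reqs in sorted(found.items()):
        print(ip, len(reqs), reqs)
    print("review first:", non_404_sources(found))
```
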