Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Security Incidents mailing list archives

Advanced IIS unicode scanning?
From: Gossi The Dog <gossi () owned lab6 com>
Date: Sat, 7 Jul 2001 03:22:37 +0100 (BST)

Spotted this is the snort logs just now..

[**] spp_http_decode: IIS Unicode attack detected [**]
07/06-20:28:42.154535 145.253.21.36:63451 -> 212.158.123.230:80
TCP TTL:49 TOS:0x0 ID:59 IpLen:20 DgmLen:279
***AP*** Seq: 0x3E80FDA  Ack: 0x6FAB9FDD  Win: 0xFFFF  TcpLen: 32
TCP Options (3) => NOP NOP TS: 331337 5745821

Few hundred lines of it.  The Ack's are all the same, source ports varies
slightly but not in any sort of order (as in, doesn't look to have come
from a standard Windows box).

Notice the last TCP options line - 331337.

[gossi () owned gossi]$ nslookup 145.253.21.36
Server:  inh1dns02.ims.bt.net
Address:  193.113.185.228

Name:    cache3-1-stg.arcor-ip.net
Address:  145.253.21.36


Possibly just the fingerprint of somebody using a proxy to scan for
the Unicode bug?



----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com

  By Date           By Thread  

Current thread:
  • Advanced IIS unicode scanning? Gossi The Dog (Jul 07)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]