Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Advanced IIS unicode scanning?

From: Gossi The Dog <gossi () owned lab6 com>
Date: Sat, 7 Jul 2001 03:22:37 +0100 (BST)

Spotted this is the snort logs just now..

[**] spp_http_decode: IIS Unicode attack detected [**]
07/06-20:28:42.154535 145.253.21.36:63451 -> 212.158.123.230:80
TCP TTL:49 TOS:0x0 ID:59 IpLen:20 DgmLen:279
***AP*** Seq: 0x3E80FDA  Ack: 0x6FAB9FDD  Win: 0xFFFF  TcpLen: 32
TCP Options (3) => NOP NOP TS: 331337 5745821

Few hundred lines of it.  The Ack's are all the same, source ports varies
slightly but not in any sort of order (as in, doesn't look to have come
from a standard Windows box).

Notice the last TCP options line - 331337.

[gossi@owned gossi]$ nslookup 145.253.21.36
Server:  inh1dns02.ims.bt.net
Address:  193.113.185.228

Name:    cache3-1-stg.arcor-ip.net
Address:  145.253.21.36


Possibly just the fingerprint of somebody using a proxy to scan for
the Unicode bug?



----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: