Agobot WebDAV exploit crashing patched NT4 IIS: msg#00036

security.intrusions

Subject: Agobot WebDAV exploit crashing patched NT4 IIS

Has anyone else running NT4 & IIS had inetinfo.exe start crashing
with an access violation recently? This system has been stable for
years with no downtime except to apply the occasional MS patches.
But in the last week IIS has crashed 3 times. Looking at tcpdump
captures at the time of the last 2 crashes reveals a remote machine
trying to connect to ports 2745, 1025, 3127, 6129, and 80. 80 is the
only port that SYN-ACKs and the remote machine responds with a
50KB exploit starting with "SEARCH /". Google searches turned up
info that Agobot scans the listed ports and attempts to exploit the
WebDAV vulnerability described in MS03-007 which I applied the
patch for in 6/2003. The server had 3 MS patches applied 4/15/04; it
crashed on 5/5 and 5/8; on 5/10 I ran Windows updates to make
sure it was fully patched; and it crashed again today, 5/12.
The logs do show other WebDAV exploit attempts that didn't crash
the server. Tripwire-like utilities don't show any file changes at the
times of the attacks other than the Dr. Watson log of the crash, so
apparently the exploit attempts have not succeeded.

JonH


_______________________________________________
Intrusions mailing list
Intrusions@xxxxxxxxxxxxxx
http://www.dshield.org/mailman/listinfo/intrusions
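
The traffic pattern described in the post (probes to ports 2745, 1025, 3127, 6129 and 80, then an oversized "SEARCH /" request on port 80) can be flagged from connection summaries. The following is an added example, not part of the original post; the record format, sample data, size threshold and time window are all constructed assumptions.

```python
from collections import defaultdict

# Ports from the post: the scan that preceded each oversized SEARCH request.
PROBE_PORTS = {2745, 1025, 3127, 6129, 80}
MAX_SEARCH_BYTES = 32 * 1024   # assumption: alert threshold below the ~50KB seen
WINDOW_SECS = 60               # assumption: probes and request arrive close together

# Constructed connection summaries (not real captures):
# epoch src_ip dst_port client_payload_bytes first_request_line
SAMPLE = """\
1084370000 192.0.2.10 2745 0 -
1084370000 192.0.2.10 1025 0 -
1084370001 192.0.2.10 3127 0 -
1084370001 192.0.2.10 6129 0 -
1084370001 192.0.2.10 80 51200 SEARCH / HTTP/1.1
1084370050 198.51.100.7 80 412 GET /index.html HTTP/1.0
1084370090 203.0.113.5 80 65000 SEARCH / HTTP/1.1
1084370200 198.51.100.9 80 300 SEARCH /docs HTTP/1.1
"""

def parse(text):
    """Yield (ts, src, port, size, request) tuples from the summary lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, port, size, request = line.split(None, 4)
        yield int(ts), src, int(port), int(size), request

def classify(text):
    """Return {src: verdict} for every source that sent an oversized SEARCH."""
    probes = defaultdict(list)      # src -> [(ts, port)]
    oversized = {}                  # src -> ts of first oversized SEARCH
    for ts, src, port, size, request in parse(text):
        probes[src].append((ts, port))
        if port == 80 and request.startswith("SEARCH ") and size > MAX_SEARCH_BYTES:
            oversized.setdefault(src, ts)
    verdicts = {}
    for src, hit_ts in oversized.items():
        # Ports this source touched close in time to the oversized request.
        seen = {p for ts, p in probes[src] if abs(ts - hit_ts) <= WINDOW_SECS}
        full_scan = PROBE_PORTS <= seen
        verdicts[src] = "scan+oversized-SEARCH" if full_scan else "oversized-SEARCH"
    return verdicts

if __name__ == "__main__":
    for src, verdict in sorted(classify(SAMPLE).items()):
        print(src, verdict)
```

Normal-sized SEARCH requests and ordinary GET traffic are not reported, so the output separates the full scan-then-request sequence from a lone oversized SEARCH.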


