
Security Basics mailing list archives
Re: unexpected log entries
From: "Johannes Ullrich" <jullrich () euclidian com>
Date: Mon, 9 Dec 2002 14:32:13 -0500
Looks to me like good old Code Red Version 1.

On Sat, 7 Dec 2002 16:13:11 +0100 "Paolo Mattiangeli" <pamatt () centrodiascolto it> wrote:

> Hi everybody,
>
> I guess maybe someone out there can help me with this. I have a w2k server running IIS 5 and keep receiving what I think to be "probes" on my web server. Today I found in the log the following entry:
>
> 2002-12-07 14:33:32 200.170.226.83 - 192.168.100.7 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN %u90 90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u90 90%u 9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -
>
> which I guess to be a tentative of buffer overrun on my web server. I have some difficulties to understand what is the matter here, but the thing that most worries me is the final "200 - " which in some way could mean that the response of the server is positive (in most cases it is 404 - or 500 -).
>
> Could someone help?
>
> Thanks and regards
> pamatt
--
--------------------------------------------------------------------
jullrich () euclidian com   Collaborative Intrusion Detection
join http://www.dshield.org
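
Added example, not part of the original thread or of either poster's code: a small Python triage script that finds `.ida` requests with the padding pattern shown in the quoted log entry and reports the status code logged beside each one. The field order is an assumption read off that log line, the sample lines and addresses are constructed, and the N versus X padding distinction between Code Red and Code Red II is general knowledge about the worm family rather than something stated in the posts.

```python
import re

# Assumed field order, read off the log line quoted in the post:
# date time c-ip user s-ip s-port method uri-stem uri-query status trailer
PAD = re.compile(r"^([NX])\1{63,}")     # long run of one padding letter
UENC = re.compile(r"%u[0-9a-fA-F]{4}")  # %uXXXX-encoded words after the padding

def parse_line(line):
    """Split one log line, tolerating whitespace wrapped into the query."""
    parts = line.split()
    if len(parts) < 10:
        return None
    head, middle, tail = parts[:8], parts[8:-2], parts[-2:]
    if not tail[0].isdigit():
        return None
    # Rejoin the query: mail wrapping can break it into several tokens.
    return {"client": head[2], "method": head[6], "stem": head[7],
            "query": "".join(middle), "status": int(tail[0])}

def classify(rec):
    """Label .ida requests that carry overflow-style padding, else None."""
    if rec is None or not rec["stem"].lower().endswith(".ida"):
        return None
    m = PAD.match(rec["query"])
    if not m or not UENC.search(rec["query"]):
        return None
    # 'N' padding: original Code Red family; 'X' padding: Code Red II.
    return "code-red-N" if m.group(1) == "N" else "code-red-II-X"

def scan(lines):
    """Return (client, label, status) for every matching request."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        label = classify(rec)
        if label:
            hits.append((rec["client"], label, rec["status"]))
    return hits

# Constructed sample lines (documentation addresses, shortened payloads).
SAMPLE = [
    "2002-12-07 14:33:32 192.0.2.83 - 192.0.2.7 80 GET /default.ida "
    + "N" * 70 + "%u9090%u6858 200 -",
    "2002-12-07 14:35:01 192.0.2.84 - 192.0.2.7 80 GET /default.ida "
    + "X" * 40 + " " + "X" * 40 + "%u9090%u6858 404 -",
    "2002-12-07 14:36:10 192.0.2.85 - 192.0.2.7 80 GET /index.htm - 200 -",
]

if __name__ == "__main__":
    for client, label, status in scan(SAMPLE):
        print(f"{client}\t{label}\tstatus={status}")
```
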
Current thread:
- unexpected log entries Paolo Mattiangeli (Dec 09)
- Re: unexpected log entries Johannes Ullrich (Dec 09)
- Re: unexpected log entries Jill Tovey (Dec 10)