
Re: HTTP break in attempt? (Buffer overrun?)



Actually this one is from the Code Red II, it exploits the same
vulnerability that Code Red did except that it leaves a rootkit for a
backdoor. In your packet below the only difference between the first Code Red
and II is that the author of II decided to use the X's for fill characters
where the original Code Red used N's. Good thing you have Apache!

Jason

> -----Original Message-----
> From: owner-silug-discuss@silug.org
> [mailto:owner-silug-discuss@silug.org]On Behalf Of SILUG
> Sent: Monday, August 06, 2001 20:04
> To: silug-discuss@silug.org
> Subject: SILUG: HTTP break in attempt? (Buffer overrun?)
>
>
> In my "access_log" file under /var/log/httpd, I find a LOT of lines
> like this:
>
> 24.217.106.237 - - [06/Aug/2001:19:56:13 -0500] "GET
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9
> 090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u0
> 0c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 404 280 "-" "-"
>
> Is this someone trying to do some funny "buffer overrun" stuff?
> The IP address is not always the same.
>
> I'm wondering if this is the result of some stupid IIS server
> that's been infected by the "Code Red" virus.
>
> There IS a matching entry in the "error_log" file for each try,
> so I don't think anything bad has happened.  Or do I need to
> change something?
>
> Weird.
>
> Charlie Brune
> -
> To unsubscribe, send email to majordomo@silug.org with
> "unsubscribe silug-discuss" in the body.
>

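As an added example (not part of the SILUG thread or either poster's message), the script below applies the rule Jason gives to Apache access_log lines: a `GET /default.ida?` request padded with N's is the original Code Red probe, one padded with X's is Code Red II. It also counts distinct source addresses per variant (Charlie noted the IP changes) and flags any probe that was answered with a 2xx status, since the 404 Charlie sees is what a non-IIS server should return. The sample log lines are constructed and shortened; the 24.217.106.237 address and the first few `%u` groups are taken from the quoted log line, the 192.0.2.x addresses are documentation-range placeholders.

```python
"""Classify Code Red / Code Red II probes in Apache access_log lines.

Added example, not code from the SILUG thread.  Variant rule as stated in
the thread: Code Red pads /default.ida with 'N', Code Red II with 'X'.
Sample lines below are constructed and truncated; a real probe carries a
far longer padding run and %u sequence.
"""
import re
from collections import Counter
from typing import Optional

# Apache common/combined format: ip ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Code Red family signature: GET /default.ida? then a run of a single fill
# character (N or X) followed by %uXXXX-encoded bytes.
PROBE_RE = re.compile(
    r'^GET /default\.ida\?(?P<fill>[NX])(?P=fill)*(?P<enc>(?:%u[0-9a-fA-F]{4})+)'
)

VARIANT_BY_FILL = {"N": "code-red", "X": "code-red-ii"}

# First %u groups from the log line quoted in the thread (truncated).
ENC = "%u9090%u6858%ucbd3%u7801"

# Constructed sample log; only the first address comes from the thread.
SAMPLE_LOG = [
    # X fill: Code Red II style probe, answered 404 as on Charlie's server
    f'24.217.106.237 - - [06/Aug/2001:19:56:13 -0500] '
    f'"GET /default.ida?{"X" * 60}{ENC}%u00=a  HTTP/1.0" 404 280 "-" "-"',
    # N fill: original Code Red style probe (constructed source address)
    f'192.0.2.10 - - [06/Aug/2001:20:01:44 -0500] '
    f'"GET /default.ida?{"N" * 60}{ENC}%u00=a  HTTP/1.0" 404 280 "-" "-"',
    # Second X-fill probe from another constructed host
    f'192.0.2.77 - - [06/Aug/2001:20:05:02 -0500] '
    f'"GET /default.ida?{"X" * 60}{ENC}%u00=a  HTTP/1.0" 404 280 "-" "-"',
    # Ordinary request that must not match
    '192.0.2.5 - - [06/Aug/2001:20:06:00 -0500] '
    '"GET /index.html HTTP/1.0" 200 1524 "-" "Mozilla/4.0"',
    # Constructed case where the probe was served 200: the one worth alerting on
    f'192.0.2.99 - - [06/Aug/2001:20:07:30 -0500] '
    f'"GET /default.ida?{"X" * 60}{ENC}%u00=a  HTTP/1.0" 200 512 "-" "-"',
]


def classify_request(request: str) -> Optional[str]:
    """Return 'code-red' (N fill), 'code-red-ii' (X fill) or None."""
    m = PROBE_RE.match(request)
    if not m:
        return None
    return VARIANT_BY_FILL[m.group("fill")]


def scan_log(lines):
    """Scan access_log lines for Code Red family probes.

    Returns (hits_by_variant, source_ips_by_variant, served) where `served`
    lists (ip, variant) for probes answered with a 2xx status, i.e. the
    server actually handled /default.ida instead of rejecting it.
    """
    hits = Counter()
    ips = {}
    served = []
    for line in lines:
        lm = LOG_RE.match(line)
        if not lm:
            continue  # not a parseable access_log line
        variant = classify_request(lm.group("request"))
        if variant is None:
            continue
        hits[variant] += 1
        ips.setdefault(variant, set()).add(lm.group("ip"))
        if lm.group("status").startswith("2"):
            served.append((lm.group("ip"), variant))
    return hits, ips, served


if __name__ == "__main__":
    hits, ips, served = scan_log(SAMPLE_LOG)
    for variant, n in sorted(hits.items()):
        print(f"{variant}: {n} probes from {len(ips[variant])} distinct hosts")
    for ip, variant in served:
        print(f"ALERT: {variant} probe from {ip} was answered with 2xx")
```

Run against a real file with `scan_log(open("/var/log/httpd/access_log"))`; the wrapped request in the quoted mail is a single line in the actual log, which is what the regex expects.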