Somebody's trying to request this: (adjusted to fit the page)
GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9 090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u00 78%u0000%u00=a
from my web server (Apache 1.3.17)
Does it look like a standard buffer overflow exploit? Doesn't seem to have caused any harm yet, but this has been tried over and over again.
Philip
--- Philip S Tellis philip.tellis@iname.com wrote:
Somebody's trying to request this: (adjusted to fit the page)
GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9 090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u00 78%u0000%u00=a
from my web server (Apache 1.3.17)
Does it look like a standard buffer overflow exploit? Doesn't seem to have caused any harm yet, but this has been tried over and over again.
Sure looks like one. Log the IP and complain to the ISP as well as to CAUCE.
Rgds,
Krishnan
__________________________________________________ Do You Yahoo!? Get personalized email addresses from Yahoo! Mail http://personal.mail.yahoo.com/
On Jul 19, 2001 at 07:52, S. Krishnan wrote:
--- Philip S Tellis philip.tellis@iname.com wrote:
Somebody's trying to request this: (adjusted to fit the page)
GET
Sure looks like one. Log the IP and complain to the ISP as well as to CAUCE.
Unless it's a DoS, he has no reasonable cause to complain. And why CAUCE?
Sometime on Jul 19, Satya assembled some asciibets to say:
Sure looks like one. Log the IP and complain to the ISP as well as to CAUCE.
Unless it's a DoS, he has no reasonable cause to complain. And why CAUCE?
I don't think a DoS works if a hit happens once in five to twelve hours.
Philip
On Jul 20, 2001 at 01:13, Philip S Tellis wrote:
Sometime on Jul 19, Satya assembled some asciibets to say:
[someone else said:]
Sure looks like one. Log the IP and complain to the ISP as well as to CAUCE.
Unless it's a DoS, he has no reasonable cause to complain. And why CAUCE?
I don't think a DoS works if a hit happens once in five to twelve hours.
Yes, which is why you have no real cause for complaint. The URL is suspicious, but can you complain about a suspicious request based on that particular one? (That is not a rhetorical question.)
And CAUCE has no bearing on this at all. Coalition Against Unsolicited Commercial Email? It's HTTP, not SMTP.
--- Satya satyap@satya.virtualave.net wrote:
On Jul 20, 2001 at 01:13, Philip S Tellis wrote:
Sometime on Jul 19, Satya assembled some asciibets to say:
[someone else said:]
Sure looks like one. Log the IP and complain to the ISP as well as to CAUCE.
Unless it's a DoS, he has no reasonable cause to complain. And why CAUCE?
I don't think a DoS works if a hit happens once in five to twelve hours.
Maybe you ought to read up on the differences between buffer overflows and DoS attacks. :-)
Yes, which is why you have no real cause for complaint. The URL is suspicious, but can you complain about a suspicious request based on that particular one? (That is not a rhetorical question.)
If someone hits my server with oversized packets designed to cause a buffer overflow, I would most definitely regard it as a cause for complaint. DoS has nothing to do with this stuff, since here the attacker is trying to compromise the HTTP server process by causing a buffer overrun and dropping into a system shell. There is IMO legitimate cause for a complaint to the originating ISP, since they will then presumably put the attacker under watch. This just might serve as a deterrent to future attacks.
And CAUCE has no bearing on this at all. Coalition Against Unsolicited Commercial Email? It's HTTP, not SMTP.
Quite.
Krishnan
Sometime on Jul 19, S. Krishnan assembled some asciibets to say:
Doesn't seem to have caused any harm yet, but this has been tried over and over again.
Sure looks like one. Log the IP and complain to the ISP as well as to CAUCE.
The IP is either being spoofed or it's coming from six different places (I mean completely different - 206, 193, 194, 61, 63, 207). Also, it's been detected as the Red.ida worm, on bugtraq. All IIS versions are vulnerable, Apache is not. It's most likely that these hits are coming from an infected machine, not from the originator.
Philip
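As an added example for this thread (not code posted by Philip or anyone else on the list): a small Python script that scans Apache access-log lines for the request Philip posted, decodes the %uXXXX escapes to show they are shellcode bytes rather than a file name, and tallies hits per source address, which is the quick way to tell "one attacker" from "many infected hosts". The log lines are constructed and use reserved documentation addresses in place of the real source IPs; the 404 status, the common-log-format layout and the 200-N threshold in the signature are assumptions.

```python
"""Scan Apache access-log lines for the Code Red (.ida) request pattern.

Added example for this thread, not code posted by any list member.
Assumptions: the server logs in Apache common log format (adjust LOG_RE
otherwise), and the sample lines below are constructed, using reserved
documentation addresses rather than the source IPs from Philip's logs.
"""
import re
from collections import Counter

# The query string from the request Philip posted: 224 'N's followed by a
# run of IIS-style %uXXXX escapes.
CODE_RED_QUERY = "N" * 224 + (
    "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
    "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
)

# Constructed sample log lines (assumption: Apache answers 404 because it
# has no /default.ida, which is why the hits did no harm).
SAMPLE_LOG = [
    f'192.0.2.10 - - [19/Jul/2001:06:40:02 +0530] "GET /default.ida?{CODE_RED_QUERY} HTTP/1.0" 404 286',
    '198.51.100.7 - - [19/Jul/2001:09:12:44 +0530] "GET /index.html HTTP/1.0" 200 1043',
    f'203.0.113.5 - - [19/Jul/2001:14:03:17 +0530] "GET /default.ida?{CODE_RED_QUERY} HTTP/1.0" 404 286',
    f'192.0.2.10 - - [20/Jul/2001:01:55:09 +0530] "GET /default.ida?{CODE_RED_QUERY} HTTP/1.0" 404 286',
    '198.51.100.7 - - [20/Jul/2001:02:10:30 +0530] "GET /cgi-bin/test.cgi?x=1 HTTP/1.0" 200 512',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)
UESC_RE = re.compile(r"%u([0-9a-fA-F]{4})")


def parse_log_line(line):
    """Return the fields of one common-log-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_code_red_request(target):
    """Signature used here (my choice of threshold): GET /default.ida with a
    run of at least 200 N's followed by %u escapes.

    Only IIS with the .ida ISAPI extension understands this request; on
    Apache it is just noise, but it still identifies an infected source host.
    """
    path, _, query = target.partition("?")
    if path.lower() != "/default.ida":
        return False
    n_run = re.match(r"N+", query)
    return n_run is not None and len(n_run.group()) >= 200 and "%u" in query


def decode_u_escapes(query):
    """Decode IIS-style %uXXXX escapes as little-endian 16-bit words.

    IIS treats %uXXXX as a 16-bit Unicode escape; read little-endian,
    %u9090 becomes b'\\x90\\x90', two x86 NOPs, which is why the query
    reads as machine code rather than a file name. Anything that is not
    a %u escape (the N's, the trailing =a) is skipped.
    """
    return b"".join(int(h, 16).to_bytes(2, "little") for h in UESC_RE.findall(query))


def summarize_hits(lines):
    """Count Code Red requests per source IP.

    A worm spreads from every host it infects, so several unrelated
    addresses hitting the same URL points to infected machines, not one
    attacker or a spoofed source.
    """
    hits = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec and rec["method"] == "GET" and is_code_red_request(rec["target"]):
            hits[rec["ip"]] += 1
    return hits


if __name__ == "__main__":
    payload = decode_u_escapes(CODE_RED_QUERY)
    print(f"payload: {len(payload)} bytes, {payload.count(0x90)} NOP bytes, starts {payload[:8].hex()}")
    for ip, n in summarize_hits(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} Code Red request(s)")
```

To run it against a real log, replace SAMPLE_LOG with the lines of your access_log; the per-IP tally is what you would hand to the ISPs if you decide to complain, and a spread of distinct first octets like the one Philip saw is the tell that the sources are infected IIS boxes rather than a single person.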
--- Philip S Tellis philip.tellis@iname.com wrote:
The IP is either being spoofed or it's coming from six different places (I mean completely different - 206, 193, 194, 61, 63, 207). Also, it's been detected as the Red.ida worm, on bugtraq. All IIS versions are vulnerable, Apache is not. It's most likely that these hits are coming from an infected machine, not from the originator.
Could it be a series of bot attacks from trojan'ed machines?
Krishnan
Hi, can somebody lend me a Red Hat 6.2 CD for a day? Anywhere around Bandra (W) or Town side. Help appreciated. Sandeep
Sometime Today, S. Krishnan assembled some asciibets to say:
It's most likely that these hits are coming from an infected machine, not from the originator.
Could it be a series of bot attacks from trojan'ed machines?
Yes. Today, all infected machines will perform a synchronised hit on the whitehouse.
Philip
On Jul 19, 2001 at 18:47, Philip S Tellis wrote:
Somebody's trying to request this: (adjusted to fit the page)
from my web server (Apache 1.3.17)
Does it look like a standard buffer overflow exploit? Doesn't seem to have caused any harm yet, but this has been tried over and over again.
Looks like one. Given "default.ida", I suspect it's not meant for Apache and some kiddie is using a script. Expect worse (always).
Philip S Tellis [Thu, Jul 19, 2001 at 06:47:04PM +0530]:
Somebody's trying to request this: (adjusted to fit the page)
GET /default.ida?NNNN... (the same request quoted in full at the top of the thread)
from my web server (Apache 1.3.17)
Does it look like a standard buffer overflow exploit? Doesn't seem to have caused any harm yet, but this has been tried over and over again.
It's the Code Red ida worm. It affects IIS and is supposed to DoS www.whitehouse.gov after the 20th of the month. Check the link from /.
Sharukh.