RE: NULL.idq scans...
From: McCammon, Keith (Keith.McCammon@eadvancemed.com)
Date: 11/29/01
Subject: RE: NULL.idq scans...
Date: Thu, 29 Nov 2001 16:52:41 -0500
Message-ID: <BB7FD4FF9E440648A731452E5D341FB00FB076@hitsexchange01.advance-med.com>
From: "McCammon, Keith" <Keith.McCammon@eadvancemed.com>
To: "Patrick Andry" <pandry@wolverinefreight.ca>, <focus-ids@securityfocus.com>

This is a probe to find systems running Index Server, which may or may
not be vulnerable to a buffer overflow, not unlike the one used by
Nimda, CodeRed, etc. This is not an exploit attempt, but merely a
probe, which would likely be followed by an exploit attempt at a later
date.
For info. on the vulnerability, see CERT CA-2001-13 and MS advisory
MS01-033.
The exploit details can be found here:
<http://www.eeye.com/html/Research/Advisories/AD20010618.html>
How CodeRed raped the internet:
<http://www.eeye.com/html/Research/Advisories/AL20010717.html>
-----Original Message-----
From: Patrick Andry [mailto:pandry@wolverinefreight.ca]
Sent: Thursday, November 29, 2001 4:26 PM
To: focus-ids@securityfocus.com
Subject: NULL.idq scans...
I have seen a barrage of requests for null.idq in my server logs, and
want to know what they're looking for. Is this a FrontPage exploit?
There is a very limited amount of info on Google, and this is the first
I've seen of it.
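
Added example, not part of the original thread: one way to triage a web server log for the requests discussed above, separating bare requests for .idq/.ida resources (the probe described in the reply) from requests that carry an unusually long query string. The sample log lines, the 200-character threshold and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed Common Log Format lines; addresses are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [29/Nov/2001:16:01:02 -0500] "GET /NULL.idq HTTP/1.0" 404 312
192.0.2.10 - - [29/Nov/2001:16:01:03 -0500] "GET /scripts/null.idq HTTP/1.0" 404 312
198.51.100.7 - - [29/Nov/2001:16:05:40 -0500] "GET /index.html HTTP/1.0" 200 5120
203.0.113.5 - - [29/Nov/2001:16:09:11 -0500] "GET /null.idq?{pad} HTTP/1.0" 404 312
""".format(pad="A" * 300)  # filler only, to exercise the length check

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
INDEX_EXT = (".idq", ".ida")  # extensions handled by Index Server (MS01-033)
LONG_QUERY = 200              # assumed triage threshold, not from any advisory


def classify(target):
    """Return None, 'probe' or 'oversized' for one request target."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith(INDEX_EXT):
        return None  # not an Index Server resource
    return "oversized" if len(parts.query) > LONG_QUERY else "probe"


def summarize(log_text):
    """Map source address -> counts of probe and oversized requests."""
    hits = defaultdict(lambda: {"probe": 0, "oversized": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        src, _method, target, _status = m.groups()
        kind = classify(target)
        if kind:
            hits[src][kind] += 1
    return dict(hits)


if __name__ == "__main__":
    for src, counts in sorted(summarize(SAMPLE_LOG).items()):
        print(src, counts)
```

A source that shows only "probe" hits matches the reconnaissance pattern described in the reply; an "oversized" hit is worth checking against the advisories referenced there.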