RE: NULL.idq scans...From: McCammon, Keith (Keith.McCammon@eadvancemed.com)
- Previous message: Mark Thyer: "RE: Cisco "String Signature" oddity..."
- Maybe in reply to: Patrick Andry: "NULL.idq scans..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Subject: RE: NULL.idq scans... Date: Thu, 29 Nov 2001 16:52:41 -0500 Message-ID: <BB7FD4FF9E440648A731452E5D341FB00FB076@hitsexchange01.advance-med.com> From: "McCammon, Keith" <Keith.McCammon@eadvancemed.com> To: "Patrick Andry" <firstname.lastname@example.org>, <email@example.com>
This is a probe to find systems running Index Server, which may or may
not be vulnerable to a buffer overflow, not unlike the one used by
Nimda, CodeRed, etc. This is not an exploit attempt, but merely a
probe, which would likely be followed by an exploit attempt at a later
For info. on the vulnerability, see CERT CA-2001-13 and MS advisory
The exploit details can be found here:
How CodeRed raped the internet:
I have seen a barrage of requests for null.idq in my server logs, and
want to know what they're looking for. Is this a frontpage exploit?
There is very limited amount of info on Google, and this is the first
I've seen of it.