RE: NULL.idq scans...

From: McCammon, Keith (
Date: 11/29/01

Subject: RE: NULL.idq scans... 
Date: Thu, 29 Nov 2001 16:52:41 -0500
Message-ID: <>
From: "McCammon, Keith" <>
To: "Patrick Andry" <>, <>

This is a probe to find systems running Index Server, which may or may
not be vulnerable to a buffer overflow, not unlike the one used by
Nimda, CodeRed, etc. This is not an exploit attempt, but merely a
probe, which would likely be followed by an exploit attempt at a later

For info. on the vulnerability, see CERT CA-2001-13 and MS advisory

The exploit details can be found here:


How CodeRed raped the internet:


-----Original Message-----
From: Patrick Andry []
Sent: Thursday, November 29, 2001 4:26 PM
Subject: NULL.idq scans...

I have seen a barrage of requests for null.idq in my server logs, and
want to know what they're looking for. Is this a frontpage exploit?
 There is very limited amount of info on Google, and this is the first
I've seen of it.