RE: NULL.idq scans...

From: McCammon, Keith (Keith.McCammon@eadvancemed.com)
Date: 11/29/01


Subject: RE: NULL.idq scans... 
Date: Thu, 29 Nov 2001 16:52:41 -0500
Message-ID: <BB7FD4FF9E440648A731452E5D341FB00FB076@hitsexchange01.advance-med.com>
From: "McCammon, Keith" <Keith.McCammon@eadvancemed.com>
To: "Patrick Andry" <pandry@wolverinefreight.ca>, <focus-ids@securityfocus.com>

This is a probe to find systems running Index Server, which may or may
not be vulnerable to a buffer overflow, not unlike the one used by
Nimda, CodeRed, etc. This is not an exploit attempt, but merely a
probe, which would likely be followed by an exploit attempt at a later
date.

For info. on the vulnerability, see CERT CA-2001-13 and MS advisory
MS01-033.

The exploit details can be found here:

<http://www.eeye.com/html/Research/Advisories/AD20010618.html>

How CodeRed raped the internet:

<http://www.eeye.com/html/Research/Advisories/AL20010717.html>

-----Original Message-----
From: Patrick Andry [mailto:pandry@wolverinefreight.ca]
Sent: Thursday, November 29, 2001 4:26 PM
To: focus-ids@securityfocus.com
Subject: NULL.idq scans...

I have seen a barrage of requests for null.idq in my server logs, and
want to know what they're looking for. Is this a FrontPage exploit?
There is a very limited amount of info on Google, and this is the first
I've seen of it.
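
Added example, not part of the original thread: one way to pull these probes out of a web server log and group them by source. It assumes the IIS W3C extended log format with a `#Fields:` directive; the log lines, addresses and the function name are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-11-29 21:20:01 192.0.2.10 GET /default.htm - 200
2001-11-29 21:20:05 198.51.100.7 GET /NULL.idq - 200
2001-11-29 21:20:09 198.51.100.7 GET /scripts/null.idq - 404
2001-11-29 21:21:44 203.0.113.25 GET /null.ida - 404
2001-11-29 21:22:10 192.0.2.10 GET /images/logo.gif - 200
"""

# Extensions handled by the Index Server ISAPI extension covered in MS01-033.
INDEX_SERVER_EXTS = (".idq", ".ida")


def find_index_server_probes(log_text):
    """Return {client_ip: {"hits": int, "stems": set, "statuses": set}}."""
    fields = []
    probes = defaultdict(lambda: {"hits": 0, "stems": set(), "statuses": set()})
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            # The #Fields directive can change mid-file; always use the latest.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # no column layout yet, or a malformed line
        row = dict(zip(fields, values))
        stem = row.get("cs-uri-stem", "").lower()
        if stem.endswith(INDEX_SERVER_EXTS):
            entry = probes[row.get("c-ip", "unknown")]
            entry["hits"] += 1
            entry["stems"].add(stem)
            entry["statuses"].add(row.get("sc-status", "-"))
    return dict(probes)


if __name__ == "__main__":
    for ip, info in sorted(find_index_server_probes(SAMPLE_LOG).items()):
        print(ip, info["hits"], sorted(info["stems"]), sorted(info["statuses"]))
```

The recorded status codes show how the server answered each source, which helps decide whether the Index Server mapping needs to be removed or patched.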