Re: unexpected log entries

From: Jill Tovey (jill.tovey@bigbluedoor.com)
Date: 12/10/02

    From: "Jill Tovey" <jill.tovey@bigbluedoor.com>
    To: "Paolo Mattiangeli" <pamatt@centrodiascolto.it>, <security-basics@securityfocus.com>
    Date: Tue, 10 Dec 2002 07:51:48 -0000
    
    

    Hi Paolo,

    This is a log for Code Red which does indeed attempt a buffer overflow
    using the idq.dll ISAPI extension mapping vulnerability.

    Check for the presence of the directory %systemdrive%\notworm, and get the
    following patch:
    http://www.microsoft.com/technet/security/bulletin/MS01-033.asp

    Kind Regards,

    Jill Tovey

    ----- Original Message -----
    From: "Paolo Mattiangeli" <pamatt@centrodiascolto.it>
    To: <security-basics@securityfocus.com>
    Sent: Saturday, December 07, 2002 3:13 PM
    Subject: unexpected log entries

    > Hi everybody, I guess maybe someone out there can help me with this. I have
    > a w2k server running IIS 5 and keep receiving what I think to be "probes" on
    > my web server. Today I found in the log the following entry:
    >
    > 2002-12-07 14:33:32 200.170.226.83 - 192.168.100.7 80 GET /default.ida
    >
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    >
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    >
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u90
    >
    90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u
    > 9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -
    >
    > which I guess to be a tentative of buffer overrun on my web server. I have
    > some difficulties to understand what is the matter here, but the thing that
    > most worries me is the final "200 - " which in some way could mean that the
    > response of the server is positive (in most cases it is 404 - or 500 -).
    > Could someone help?
    >
    > Thanks and regards
    >
    > pamatt
    >
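
The kind of entry discussed in this thread can be picked out of an IIS log automatically. The following is an added example, not part of the original messages: a small Python scanner that flags requests to .ida/.idq resources whose query string starts with a long run of one filler character and contains %uXXXX escapes, and reports the logged status code for each hit. The field order, the 100-character filler threshold, and the sample lines (documentation addresses, shortened query) are assumptions made for the example.

```python
import re

# Assumed field order (taken from the entry quoted above; real servers declare
# theirs in the "#Fields:" header, so adjust to match).
FIELDS = ("date", "time", "c_ip", "user", "s_ip", "s_port",
          "method", "uri_stem", "uri_query", "status")
FILLER = re.compile(r"^(.)\1{99,}")         # assumed threshold: 100+ repeats of one char
U_ESCAPE = re.compile(r"%u[0-9a-fA-F]{4}")  # %uXXXX escapes as seen in the entry

def parse_line(line):
    """Split one log line into named fields; None for headers/short lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def classify(entry):
    """Return a finding for an .ida/.idq request carrying filler plus %u escapes."""
    if not entry["uri_stem"].lower().endswith((".ida", ".idq")):
        return None
    filler = FILLER.match(entry["uri_query"])
    escapes = U_ESCAPE.findall(entry["uri_query"])
    if not filler or not escapes:
        return None
    status = entry["status"]
    return {"when": entry["date"] + " " + entry["time"],
            "source": entry["c_ip"],
            "filler_char": filler.group(1),
            "filler_len": len(filler.group(0)),
            "u_escapes": len(escapes),
            "status": int(status) if status.isdigit() else None}

def scan(lines):
    """Classify every parsable line and keep only the findings."""
    entries = (parse_line(l) for l in lines)
    return [f for f in (classify(e) for e in entries if e) if f]

# Constructed sample lines (documentation addresses, shortened query string).
SAMPLE = [
    "#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status",
    "2002-12-07 14:30:02 198.51.100.40 - 192.0.2.7 80 GET /index.html - 200 -",
    "2002-12-07 14:31:15 198.51.100.41 - 192.0.2.7 80 GET /search.ida CiRestriction=test 404 -",
    "2002-12-07 14:33:32 198.51.100.23 - 192.0.2.7 80 GET /default.ida "
    + "N" * 224 + "%u9090%u6858%u00=a 200 -",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Grouping the findings by source address and status gives a quick view of how often the server was probed and how it answered each time.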