Re: unexpected log entries
From: Jill Tovey (firstname.lastname@example.org)
- In reply to: Paolo Mattiangeli: "unexpected log entries"
From: "Jill Tovey" <email@example.com>
To: "Paolo Mattiangeli" <firstname.lastname@example.org>, <email@example.com>
Date: Tue, 10 Dec 2002 07:51:48 -0000

This is a log for Code Red, which does indeed attempt a buffer overflow
using the idq.dll ISAPI extension mapping vulnerability.
Check for the presence of the directory %systemdrive%\notworm, and get the
> Hi everybody, I guess maybe someone out there can help me with this. I have
> a w2k server running IIS 5 and keep receiving what I think to be "probes"
> my web server. Today I found in the log the following entry:
> 2002-12-07 14:33:32 188.8.131.52 - 192.168.100.7 80 GET /default.ida
> 9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -
> which I guess to be a tentative of buffer overrun on my web server. I have
> some difficulties to understand what is the matter here, but the thing that
> most worries me is the final "200 - " which in some way could mean that the
> response of the server is positive (in most cases it is 404 - or 500 -).
> Could someone help?
> Thanks and regards
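
A log check for the kind of entry discussed in this thread, as an added example that is not part of the original messages: it flags requests to `.ida`/`.idq` resources whose query string carries a run of `%u` escapes and collects the status codes logged for each source. The field order is assumed from the quoted entry, the threshold of four escapes is an arbitrary choice, and the sample lines (filler and addresses included) are constructed.

```python
import re

# Field order assumed from the log entry quoted in the thread.
FIELDS = ("date", "time", "c_ip", "user", "s_ip", "s_port",
          "method", "uri_stem", "uri_query", "status", "extra")
# .ida and .idq are the script mappings handled by idq.dll.
INDEX_EXT = re.compile(r"\.(ida|idq)$", re.IGNORECASE)
# %uXXXX escapes; a run of them in the query is the shape seen in the thread.
U_ESCAPE = re.compile(r"%u[0-9a-fA-F]{4}")
# Constructed filler followed by the query tail quoted in the thread.
PROBE_QUERY = ("CONSTRUCTEDFILLER"
               "%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")
# Constructed sample log; addresses come from documentation ranges.
SAMPLE = [
    "#Software: constructed sample",
    "2002-12-07 14:30:01 192.0.2.10 - 192.0.2.1 80 GET /index.html - 200 -",
    "2002-12-07 14:33:32 198.51.100.23 - 192.0.2.1 80 GET /default.ida "
    + PROBE_QUERY + " 200 -",
    "2002-12-07 14:40:12 192.0.2.10 - 192.0.2.1 80 GET /search.idq q=report 200 -",
    "2002-12-07 15:02:47 198.51.100.23 - 192.0.2.1 80 GET /default.ida "
    + PROBE_QUERY + " 500 -",
]

def parse_line(line):
    """Split one log line into named fields; None for directives or odd lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def scan(lines, min_escapes=4):
    """Return one finding per request that matches the probe shape."""
    findings = []
    for line in lines:
        entry = parse_line(line.strip())
        if entry is None or not INDEX_EXT.search(entry["uri_stem"]):
            continue
        escapes = len(U_ESCAPE.findall(entry["uri_query"]))
        if escapes >= min_escapes:
            findings.append({"when": entry["date"] + " " + entry["time"],
                             "source": entry["c_ip"],
                             "status": int(entry["status"]),
                             "escapes": escapes})
    return findings

def statuses_by_source(findings):
    """Group the logged status codes by requesting address."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["source"], []).append(f["status"])
    return grouped
```
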