Re: Strange activity in IIS logs
From: Craig Janssen (cjanssen_at_mail.millikin.edu)
Date: 10/10/03
- Previous message: Marcos E. Rodriguez: "Re: NASA Security Audit"
- Maybe in reply to: Craig Janssen: "Strange activity in IIS logs"
- Next in thread: Mike Curry: "RE: Strange activity in IIS logs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 10 Oct 2003 13:36:42 -0500
To: <security-basics@securityfocus.com>, <keydet89@yahoo.com>
There were some references to Code Red that I found, but that's probably due to the AAAAAAAAAAAAAAAAAA string. I have never seen a virus that used the SEARCH HTTP command in conjunction with an overlong string, such as what this one apparently uses.
I'm pretty sure this is a virus of some kind; I was just curious if anyone else had run into this before. I didn't experience any problems with the server following this activity, so whatever it's trying to exploit, it's obviously patched against it.
Craig
>>> H Carvey <keydet89@yahoo.com> 10/10/03 05:59AM >>>
In-Reply-To: <sf852434.064@mail.millikin.edu>
>Has anyone seen anything similar to this in their IIS W3SVC logs? It
>sure looks like a buffer overflow attempt of some kind, but I'm not
>familiar with it. I have googled and SARC'd, and didn't come up with
>anything definite:
Ok, but what have you come up with? Maybe some of the indefinite stuff will give a clue. Have you tried BugTraq or VulnDev?
>2003-10-08 09:03:42 <origin IP> - <destination ip> 80 SEARCH
>/-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>... and so on...
>
>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>|-|0|404_Object_Not_Found 404 -
>
>Almost looks like a different spin on Code Red or Nimda. Is this a new
>virus, or has someone else heard of this?
Interesting. Doesn't look anything like Nimda...but does look a little like CR.
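
The log entry quoted above, turned into a detection check (an added example, not part of the original thread): it parses IIS W3C extended logs and flags requests whose URI is overlong or padded with a long run of one character, noting when the method is a WebDAV verb such as SEARCH. The field layout, the length threshold, and the sample rows are assumptions constructed for illustration.

```python
import re

# Constructed sample in IIS W3C extended format; IPs are documentation addresses.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status",
    "2003-10-08 09:01:10 192.0.2.10 - 198.51.100.5 80 GET /default.htm - 200",
    "2003-10-08 09:03:42 192.0.2.77 - 198.51.100.5 80 SEARCH /" + "-" * 400 + "A" * 400 + " - 404",
    "2003-10-08 09:04:02 192.0.2.10 - 198.51.100.5 80 SEARCH /docs/ - 207",
    "2003-10-08 09:05:15 192.0.2.31 - 198.51.100.5 80 GET /" + "x" * 600 + " - 404",
])

WEBDAV_METHODS = {"SEARCH", "PROPFIND", "PROPPATCH", "LOCK", "UNLOCK", "MKCOL", "COPY", "MOVE"}
MAX_URI_LEN = 260  # assumed threshold; tune to the longest legitimate path on the site
FILLER_RUN = re.compile(r"(.)\1{63,}")  # one character repeated 64 or more times

def parse_w3c(text):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def flag_overlong(text):
    """Return (time, client, method, uri_length, reasons) for suspicious rows."""
    hits = []
    for row in parse_w3c(text):
        uri = row.get("cs-uri-stem", "")
        reasons = []
        if len(uri) > MAX_URI_LEN:
            reasons.append("overlong-uri")
        if FILLER_RUN.search(uri):
            reasons.append("filler-run")
        if reasons and row.get("cs-method") in WEBDAV_METHODS:
            reasons.append("webdav-method")
        if reasons:
            hits.append((row["time"], row["c-ip"], row["cs-method"], len(uri), reasons))
    return hits

if __name__ == "__main__":
    for hit in flag_overlong(SAMPLE_LOG):
        print(hit)
```

The ordinary `SEARCH /docs/` row is not flagged, so the check keys on the URI shape rather than on the WebDAV method alone.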