Re: suspicious

From: Paul Lynch (paul.lynch@ntlworld.com)
Date: 09/13/02


From: Paul Lynch <paul.lynch@ntlworld.com>
Date: Fri, 13 Sep 2002 09:13:37 +0100


On Fri, 13 Sep 2002 10:10:32 +0700, "Bunhim Dara" <bdara@racha.org.kh>
wrote:

>Hi
>
>Can someone explain this to me?
>
>I read in the log file, commonly I see this request
>
>
>/default.ida
>NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
>NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
>NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u90
>90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u
>9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -
>
>Can anyone tell me what this will do to my web server?
>
>Thank you
>Dara
>

Dara,

This entry in your IIS log files indicates that a remote machine has
been compromised and is randomly targeting your machine to look for
the same vulnerability. Full details of the vulnerability and how to
patch it are found here:

http://www.cert.org/advisories/CA-2001-19.html

If your server is up to date with security patches then the attack
will have been unsuccessful. The 200 result code doesn't necessarily
mean that the attack was successful, merely that your server responded
to the GET request successfully.

You can check your machine's patch status by using HFNetchk from here:
http://support.microsoft.com/default.aspx?scid=kb;EN-GB;q303215

HTH,

Paul Lynch
MCSE
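
A log triage sketch for the request pattern discussed in this thread, added here as an example and not part of either message. It assumes a simplified W3C field order and uses constructed sample lines with documentation-range IP addresses; the status code is reported per source but is not treated as evidence of compromise, since only the patch check answers that.

```python
import re
from collections import defaultdict

# Assumed field order for this example; real IIS logs declare theirs in "#Fields:".
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]

INDEX_EXT = re.compile(r"\.(ida|idq)$", re.IGNORECASE)  # Indexing Service script mappings
FILLER_RUN = re.compile(r"(.)\1{63,}")                  # 64 or more repeats of one character
U_ENCODED = re.compile(r"%u[0-9a-fA-F]{4}")             # %uXXXX escapes in the query string

def parse(lines):
    """Yield one dict per log record, skipping comments and malformed lines."""
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == len(FIELDS):
            yield dict(zip(FIELDS, parts))

def classify(rec):
    """Return the reasons a record matches the probe pattern (empty list if none)."""
    if not INDEX_EXT.search(rec["cs-uri-stem"]):
        return []
    reasons = []
    if FILLER_RUN.search(rec["cs-uri-query"]):
        reasons.append("long filler run")
    if len(U_ENCODED.findall(rec["cs-uri-query"])) >= 4:
        reasons.append("%u-encoded bytes")
    return reasons

def summarize(lines):
    """Group matching requests by source IP with hit count, statuses and reasons."""
    hits = defaultdict(lambda: {"count": 0, "statuses": set(), "reasons": set()})
    for rec in parse(lines):
        reasons = classify(rec)
        if reasons:
            entry = hits[rec["c-ip"]]
            entry["count"] += 1
            entry["statuses"].add(rec["sc-status"])
            entry["reasons"].update(reasons)
    return dict(hits)

# Constructed sample lines (not taken from any real server).
SAMPLE = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2002-09-13 03:10:32 192.0.2.10 GET /default.ida " + "N" * 224 + "%u9090" * 6 + "=a 200",
    "2002-09-13 03:11:02 192.0.2.10 GET /default.ida " + "N" * 224 + "%u9090" * 6 + "=a 200",
    "2002-09-13 03:12:00 198.51.100.7 GET /index.htm - 200",
    "2002-09-13 03:13:00 198.51.100.7 GET /search.idq CiRestriction=test 200",
    "2002-09-13 03:14:00 203.0.113.5 GET /default.ida " + "X" * 300 + " 404",
]
```

Each source listed by `summarize` is a machine sending the probe; whether any request succeeded depends on the server's patch level, not on the status code recorded.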


