Security Basics mailing list archives

Re: Strange activity in IIS logs

From: "Craig Janssen" <cjanssen () mail millikin edu>
Date: Fri, 10 Oct 2003 13:36:42 -0500

There were some references to Code Red that I found, but that's probably due to the AAAAAAAAAAAAAAAAAA string.  I have 
never seen a virus that used the SEARCH http command in conjunction with an overlong string, such as what this one 
apparently uses.

I'm pretty sure this is a virus of some kind, I was just curious if anyone else had run into this before.  I didn't 
experience any problems with the server following this activity, so whatever it's trying to exploit it's obviously 
patched against it.

Craig

H Carvey <keydet89 () yahoo com> 10/10/03 05:59AM >>>

In-Reply-To: <sf852434.064 () mail millikin edu>

Has anyone seen anything similar to this in their IIS W3SVC logs?  It
sure looks like a buffer overflow attempt of some kind, but I'm not
familiar with it.  I have googled and SARC'd, and didn't come up with
anything definite:


Ok, but what have you come up with?  Maybe some of the indefinite stuff will give a clue.  Have you tried BugTraq or 
VulnDev?

2003-10-08 09:03:42 <origin IP> - <destination ip> 80 SEARCH
/-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

... and so on...

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|-|0|404_Object_Not_Found 404 -

Almost looks like a different spin on Code Red or Nimda.  Is this a new
virus, or has someone else heard of this?


Interesting.  Doesn't look anything like Nimda...but does look a little like CR.

---------------------------------------------------------------------------
----------------------------------------------------------------------------



---------------------------------------------------------------------------
----------------------------------------------------------------------------

Current thread:

Strange activity in IIS logs Craig Janssen (Oct 09)
- <Possible follow-ups>
- Re: Strange activity in IIS logs H Carvey (Oct 10)
- Re: Strange activity in IIS logs Craig Janssen (Oct 10)
- RE: Strange activity in IIS logs Mike Curry (Oct 14)