Security Basics mailing list archives
Re: Strange activity in IIS logs
From: "Craig Janssen" <cjanssen () mail millikin edu>
Date: Fri, 10 Oct 2003 13:36:42 -0500
There were some references to Code Red that I found, but that's probably due to the AAAAAAAAAAAAAAAAAA string. I have never seen a virus that used the SEARCH http command in conjunction with an overlong string, such as what this one apparently uses. I'm pretty sure this is a virus of some kind, I was just curious if anyone else had run into this before. I didn't experience any problems with the server following this activity, so whatever it's trying to exploit it's obviously patched against it. Craig
H Carvey <keydet89 () yahoo com> 10/10/03 05:59AM >>>
In-Reply-To: <sf852434.064 () mail millikin edu>
Has anyone seen anything similar to this in their IIS W3SVC logs? It sure looks like a buffer overflow attempt of some kind, but I'm not familiar with it. I have googled and SARC'd, and didn't come up with anything definite:
Ok, but what have you come up with? Maybe some of the indefinite stuff will give a clue. Have you tried BugTraq or VulnDev?
2003-10-08 09:03:42 <origin IP> - <destination ip> 80 SEARCH /----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ... and so on... AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |-|0|404_Object_Not_Found 404 - Almost looks like a different spin on Code Red or Nimda. Is this a new virus, or has someone else heard of this?
Interesting. Doesn't look anything like Nimda...but does look a little like CR. --------------------------------------------------------------------------- ---------------------------------------------------------------------------- --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Strange activity in IIS logs Craig Janssen (Oct 09)
- <Possible follow-ups>
- Re: Strange activity in IIS logs H Carvey (Oct 10)
- Re: Strange activity in IIS logs Craig Janssen (Oct 10)
- RE: Strange activity in IIS logs Mike Curry (Oct 14)