Security Basics mailing list archives
RE: Strange activity in IIS logs
From: "Mike Curry" <mikec () gjonas com>
Date: Mon, 13 Oct 2003 08:23:25 -0400
The AAAAAAAAAA string is a well-known buffer overflow vulnerability. It's no virus.

-----Original Message-----
From: Craig Janssen [mailto:cjanssen () mail millikin edu]
Sent: October 10, 2003 2:37 PM
To: security-basics () securityfocus com; keydet89 () yahoo com
Subject: Re: Strange activity in IIS logs

There were some references to Code Red that I found, but that's probably due to the AAAAAAAAAAAAAAAAAA string. I have never seen a virus that used the SEARCH http command in conjunction with an overlong string, such as what this one apparently uses. I'm pretty sure this is a virus of some kind; I was just curious if anyone else had run into this before. I didn't experience any problems with the server following this activity, so whatever it's trying to exploit, it's obviously patched against it.

Craig
H Carvey <keydet89 () yahoo com> 10/10/03 05:59AM >>>
In-Reply-To: <sf852434.064 () mail millikin edu>
Has anyone seen anything similar to this in their IIS W3SVC logs? It sure looks like a buffer overflow attempt of some kind, but I'm not familiar with it. I have googled and SARC'd, and didn't come up with anything definite:
Ok, but what have you come up with? Maybe some of the indefinite stuff will give a clue. Have you tried BugTraq or VulnDev?
2003-10-08 09:03:42 <origin IP> - <destination ip> 80 SEARCH /----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ... and so on... AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |-|0|404_Object_Not_Found 404 - Almost looks like a different spin on Code Red or Nimda. Is this a new virus, or has someone else heard of this?
Interesting. Doesn't look anything like Nimda...but does look a little like CR.
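A defender-side check prompted by the log line quoted above, added here as an example and not code from anyone in the thread: a small Python parser for IIS W3C extended log records that flags requests using an uncommon method such as SEARCH, an overlong URI, or a long run of one repeated character (the dashes and A's in Craig's log). The log records, IP addresses and thresholds are constructed for the example.

```python
import re

# Constructed sample in IIS W3C extended log format (not the log from the thread);
# the probe line mimics the SEARCH request Craig saw, shortened to 300+300 chars.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status",
    "2003-10-08 09:03:40 198.51.100.7 - 192.0.2.10 80 GET /index.html - 200",
    "2003-10-08 09:03:42 198.51.100.7 - 192.0.2.10 80 SEARCH /" + "-" * 300 + "A" * 300 + " - 404",
    "2003-10-08 09:03:45 198.51.100.8 - 192.0.2.10 80 GET /default.ida " + "N" * 224 + " - 404",
])

COMMON_METHODS = {"GET", "HEAD", "POST"}   # anything else (SEARCH, PROPFIND, ...) is worth a look
MAX_URI_LEN = 255                          # assumed site-specific threshold
MIN_RUN = 100                              # minimum length of a single-character run to flag
RUN_RE = re.compile(r"(.)\1{%d,}" % (MIN_RUN - 1))

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split(" ")))

def flag_request(rec):
    """Return the reasons a record looks like an overflow probe (empty if none)."""
    reasons = []
    query = rec.get("cs-uri-query", "-")
    uri = rec.get("cs-uri-stem", "") + ("" if query == "-" else "?" + query)
    if rec.get("cs-method") not in COMMON_METHODS:
        reasons.append("unusual method %s" % rec.get("cs-method"))
    if len(uri) > MAX_URI_LEN:
        reasons.append("uri length %d" % len(uri))
    run = RUN_RE.search(uri)
    if run:
        reasons.append("run of %d x %r" % (len(run.group(0)), run.group(1)))
    return reasons

def suspicious_records(text):
    """(time, client ip, reasons) for every record that flag_request flags."""
    flagged = ((r, flag_request(r)) for r in parse_w3c(text))
    return [(r["time"], r["c-ip"], why) for r, why in flagged if why]
```

Against the constructed log the ordinary GET is silent, the SEARCH line trips all three checks, and the Code Red-style query trips only the repeated-character check.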
Current thread:
- Strange activity in IIS logs Craig Janssen (Oct 09)
- <Possible follow-ups>
- Re: Strange activity in IIS logs H Carvey (Oct 10)
- Re: Strange activity in IIS logs Craig Janssen (Oct 10)
- RE: Strange activity in IIS logs Mike Curry (Oct 14)