Security Incidents mailing list archives

Re: Bad CodeRed request ?


From: Ryan Russell <ryan () securityfocus com>
Date: Mon, 6 Aug 2001 12:06:07 -0600 (MDT)

On Mon, 6 Aug 2001, Rodrigo Barbosa wrote:

> Things are getting a little weird here.
> 
> I have been getting some malformed CodeRed requests, like this:
> 
> 000.000.000.000 - - [06/Aug/2001:13:06:27 -0300] 
> "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.1" 400 -
> 
> The point is that it looks like a CodeRed II, but it's missing the
> beginning of the xploit string. Also, this is an HTTP/1.1 request, while
> regular CRII requests are HTTP/1.0.

Meaning it is missing the getsomething.ida? bit.  Might be someone's
misguided attempt at manual exploitation.  Do you have any logs other than
the web log?  The web logging cuts off the bit following the HTTP/1.0 (or
1.1).

I have received truncated versions of CodeRedII, due to the request being
cut off in the middle for some reason.  Nothing like this, though.

                                                Ryan
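The distinction discussed above (a request carrying the %u-encoded fragment but lacking the .ida? path, and HTTP/1.1 where the worm normally sends HTTP/1.0), written as an added log-scanning example; this is not code from the thread. The sample log lines are constructed: the second is modelled on the one Rodrigo posted, the others are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in Common Log Format. Line 2 is modelled on the
# truncated request quoted in the thread; lines 1 and 3 are made up.
SAMPLE_LOG = """\
10.0.0.1 - - [06/Aug/2001:13:01:02 -0300] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 -
10.0.0.2 - - [06/Aug/2001:13:06:27 -0300] "XXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.1" 400 -
10.0.0.3 - - [06/Aug/2001:13:07:00 -0300] "GET /index.html HTTP/1.1" 200 1024
"""

# CLF: host, ident, user, [timestamp], "request", status. The request field is
# taken as-is because a malformed request may lack method, path or version.
CLF_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3})')
# The %u-encoded fragment quoted in the thread, used here as the CodeRed II marker.
CRII_MARKER = "%u9090%u6858%ucbd3%u7801"

@dataclass
class Finding:
    host: str
    verdict: str       # "codered2", "codered2-truncated" or "clean"
    http_version: str  # "HTTP/1.0", "HTTP/1.1" or "" when absent
    status: int

def classify_request(request: str) -> tuple[str, str]:
    """Return (verdict, http_version) for one quoted request field."""
    m = re.search(r" (HTTP/\d\.\d)$", request)
    version = m.group(1) if m else ""
    if CRII_MARKER not in request:
        return "clean", version
    # A complete worm request carries the .ida? handler path before the padding;
    # its absence is the "missing the beginning" case Ryan and Rodrigo discuss.
    if re.search(r"\.ida\?", request, re.IGNORECASE):
        return "codered2", version
    return "codered2-truncated", version

def scan_log(text: str) -> list[Finding]:
    findings = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        verdict, version = classify_request(m.group("request"))
        findings.append(Finding(m.group("host"), verdict, version, int(m.group("status"))))
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.host:10} {f.verdict:20} {f.http_version or '-':9} {f.status}")
```

A truncated hit with HTTP/1.1 and a 400 status, as in the second line, is the pattern worth pulling the matching firewall or IDS logs for, since the web log alone drops whatever followed the version string.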


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

