Security Incidents mailing list archives
Re: Bad CodeRed request ?
From: Ryan Russell <ryan () securityfocus com>
Date: Mon, 6 Aug 2001 12:06:07 -0600 (MDT)
On Mon, 6 Aug 2001, Rodrigo Barbosa wrote:
Things are getting a little weird here. I have been getting some malformed CodeRed requests, like this:

000.000.000.000 - - [06/Aug/2001:13:06:27 -0300] "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.1" 400 -

The point is that it looks like a CodeRed II, but it's missing the beginning of the xploit string. Also, this is a HTTP/1.1 request, while regular CRII requests are HTTP/1.0.
Meaning it is missing the getsomething.ida? bit. Might be someone's misguided attempt at manual exploitation. Do you have any logs other than the web log? The web logging cuts off the bit following the HTTP/1.0 (or 1.1).

I have received truncated versions of CodeRedII, due to the request being cut off in the middle for some reason. Nothing like this, though.

Ryan

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
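Detection logic for the two request shapes discussed in this thread, a complete Code Red II request (".ida?" prefix, HTTP/1.0) and the truncated HTTP/1.1 variant Rodrigo reports, written as an added example that is not part of the original posts. The log lines are constructed, and the regular expressions are my own heuristics rather than a published signature.

```python
from __future__ import annotations
import re

# Constructed Apache-style access log lines (not taken from the thread):
# a well-formed Code Red II hit, the truncated HTTP/1.1 variant, and a benign request.
SAMPLE_LOG = """\
10.0.0.1 - - [06/Aug/2001:13:06:27 -0300] "GET /default.ida?XXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 200 -
10.0.0.2 - - [06/Aug/2001:13:06:28 -0300] "XXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.1" 400 -
10.0.0.3 - - [06/Aug/2001:13:07:00 -0300] "GET /index.html HTTP/1.1" 200 1234
"""

# Common log format: client, identd, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# Code Red II body: a long run of X padding followed by %uXXXX-encoded payload.
CRII_PAYLOAD_RE = re.compile(r"X{10,}(?:%u[0-9a-fA-F]{4}){4,}")
# A complete request targets the .ida ISAPI extension via a normal GET line.
IDA_PREFIX_RE = re.compile(r"^GET /\S*\.ida\?")


def classify_request(req: str) -> tuple[str, list[str]]:
    """Return (verdict, anomalies) for one request line from the access log."""
    if not CRII_PAYLOAD_RE.search(req):
        return "benign", []
    anomalies = []
    if not IDA_PREFIX_RE.match(req):
        anomalies.append("missing .ida request prefix")
    version = req.rsplit(" ", 1)[-1]
    if version != "HTTP/1.0":  # worm traffic is HTTP/1.0; anything else is suspect
        anomalies.append(f"unexpected version {version}")
    return ("codered-ii" if not anomalies else "codered-ii-malformed"), anomalies


def scan_log(text: str) -> list[dict]:
    """Parse each log line and report every request carrying the Code Red II payload."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict, anomalies = classify_request(m["req"])
        if verdict != "benign":
            findings.append({"ip": m["ip"], "status": m["status"],
                             "verdict": verdict, "anomalies": anomalies})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

The malformed variant shows up with a 400 status because the server sees no method or URI before the payload; correlating such hits with packet captures or IDS logs, as Ryan suggests, recovers the part the web log cuts off.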