Security Basics mailing list archives

RE: Strange activity in IIS logs


From: "Mike Curry" <mikec () gjonas com>
Date: Mon, 13 Oct 2003 08:23:25 -0400

The AAAAAAAAAA string is a well-known buffer overflow vulnerability.  It's no virus.


-----Original Message-----
From: Craig Janssen [mailto:cjanssen () mail millikin edu]
Sent: October 10, 2003 2:37 PM
To: security-basics () securityfocus com; keydet89 () yahoo com
Subject: Re: Strange activity in IIS logs


There were some references to Code Red that I found, but that's probably due to the AAAAAAAAAAAAAAAAAA string.  I have never seen a virus that used the SEARCH http command in conjunction with an overlong string, such as what this one apparently uses.

I'm pretty sure this is a virus of some kind; I was just curious if anyone else had run into this before.  I didn't experience any problems with the server following this activity, so whatever it's trying to exploit, it's obviously patched against it.

Craig

H Carvey <keydet89 () yahoo com> 10/10/03 05:59AM >>>
In-Reply-To: <sf852434.064 () mail millikin edu>


Has anyone seen anything similar to this in their IIS W3SVC logs?  It
sure looks like a buffer overflow attempt of some kind, but I'm not
familiar with it.  I have googled and SARC'd, and didn't come up with
anything definite:

Ok, but what have you come up with?  Maybe some of the indefinite stuff will give a clue.  Have you tried BugTraq or VulnDev?

2003-10-08 09:03:42 <origin IP> - <destination ip> 80 SEARCH
/-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

... and so on...

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|-|0|404_Object_Not_Found 404 -

Almost looks like a different spin on Code Red or Nimda.  Is this a new
virus, or has someone else heard of this?

Interesting.  Doesn't look anything like Nimda...but does look a little like CR.
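The thread is about spotting lines like the one quoted above in IIS W3SVC logs. The following is an added example, not code from anyone in this thread: a small Python scanner that reads IIS W3C extended log lines and flags the two features discussed here, an uncommon HTTP verb (SEARCH is a WebDAV method most static sites never serve) and an overlong URI stem made of one repeated byte. The field order (date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status) is assumed to be the default IIS W3C layout; the sample log lines are constructed, and the thresholds are arbitrary starting points a reader would tune to their own traffic.

```python
"""Flag suspicious IIS W3C extended log lines: uncommon HTTP verbs and
overlong URI stems built from one repeated byte.

Added example, not from the original thread.  The field order below is
an assumption (default IIS W3C extended layout); the log lines in
SAMPLE_LOG are constructed for the demonstration.
"""
import re
from collections import Counter

# Verbs an ordinary web site serves.  WebDAV verbs such as SEARCH or
# PROPFIND deserve a look when the server does not intentionally expose
# WebDAV.
EXPECTED_METHODS = {"GET", "HEAD", "POST"}

# A URI stem longer than this is unusual for a static site (assumed limit).
MAX_STEM_LEN = 512

# 100 or more copies of one character in a row: the filler pattern seen
# in overflow attempts (the "AAAA..." and "----..." runs in the thread).
REPEATED_RUN = re.compile(r"(.)\1{99,}")

# Assumed default IIS W3C extended field order.
FIELDS = ["date", "time", "c_ip", "cs_username", "s_ip", "s_port",
          "cs_method", "cs_uri_stem", "cs_uri_query", "sc_status"]


def parse_w3c_line(line):
    """Split one W3C extended log line into a dict.  Returns None for
    directive lines (#Software, #Fields, ...) and for blank or short lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(" ")
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def classify(entry):
    """Return the list of reasons this entry looks suspicious (empty if none)."""
    reasons = []
    if entry["cs_method"].upper() not in EXPECTED_METHODS:
        reasons.append("uncommon method %s" % entry["cs_method"])
    stem = entry["cs_uri_stem"]
    if len(stem) > MAX_STEM_LEN:
        reasons.append("uri stem length %d" % len(stem))
    m = REPEATED_RUN.search(stem)
    if m:
        reasons.append("%d-byte run of %r" % (len(m.group(0)), m.group(1)))
    return reasons


def scan(lines):
    """Scan an iterable of log lines.

    Returns (flagged, method_counts): flagged is a list of
    (client_ip, status, reasons) for suspicious entries; method_counts is
    a Counter over cs-method so that rare verbs stand out at a glance."""
    flagged = []
    counts = Counter()
    for line in lines:
        entry = parse_w3c_line(line)
        if entry is None:
            continue
        counts[entry["cs_method"].upper()] += 1
        reasons = classify(entry)
        if reasons:
            flagged.append((entry["c_ip"], entry["sc_status"], reasons))
    return flagged, counts


# Constructed sample: two ordinary requests and one SEARCH request whose
# stem is a long run of 'A', in the shape of the line quoted in the thread.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status",
    "2003-10-08 09:03:40 192.0.2.10 - 198.51.100.5 80 GET /index.htm - 200",
    "2003-10-08 09:03:41 192.0.2.11 - 198.51.100.5 80 GET /images/logo.gif - 304",
    "2003-10-08 09:03:42 192.0.2.12 - 198.51.100.5 80 SEARCH /" + "A" * 1200 + " - 404",
]

if __name__ == "__main__":
    flagged, counts = scan(SAMPLE_LOG)
    print("methods seen:", dict(counts))
    for ip, status, reasons in flagged:
        print(ip, status, "; ".join(reasons))
```

On the constructed sample the scanner reports GET twice and SEARCH once, and flags the single SEARCH line for all three reasons (uncommon method, stem length, repeated run). Pointing `scan()` at the lines of a real `ex*.log` file is the intended use; the `sc_status` field it carries through (404 in the thread's line) is what tells you, as Craig observed, that the request was refused rather than served.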
