Security Incidents mailing list archives

Bad CodeRed request ?


From: Rodrigo Barbosa <rodrigob () bh conectiva com br>
Date: Mon, 6 Aug 2001 13:10:15 -0300

Things are getting a little weird here.

I have been getting some malformed CodeRed requests, like this:

000.000.000.000 - - [06/Aug/2001:13:06:27 -0300] "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.1" 400 -

I'm hiding the IP of the source for obvious reasons.

The point is that it looks like a CodeRed II, but it's missing the
beginning of the exploit string. Also, this is an HTTP/1.1 request, while
regular CRII requests are HTTP/1.0.

I've got these from 2 hosts now. Multiple times from each of these hosts,
and no regular CRII request from any of them.

Anyone have any idea what this can be?

[]s

-- 
 Rodrigo Barbosa                   - rodrigob at bh.conectiva.com.br
 Conectiva S/A                     - Belo Horizonte, MG, Brazil
 "Quis custodiet ipsos custodiet?" - http://www.conectiva.com/
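An added example, not part of the original post: a small classifier that takes Apache common-format log lines, pulls out the request, and reports whether it carries the %u9090%u6858%ucbd3%u7801 fragment that both Code Red variants send, whether the method and /default.ida? head of the request line are present, which filler character is used (N for the original Code Red, X for Code Red II) and which HTTP version was logged. The first sample is the line from the post with its wrapped halves rejoined and the X run shortened; the second is a constructed ordinary Code Red II request for comparison. The log format regex, the method list and the label strings are this example's own choices, not anything from the original post.

```python
"""Classify Code Red / Code Red II style requests found in Apache access-log lines."""
import re
from dataclasses import dataclass
from typing import Optional

# Apache "common" log format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>.*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)\s*$'
)

# %u-encoded fragment that follows the filler run in both Code Red and
# Code Red II requests (the 0x90 sled plus the first decoder bytes).
CODERED_SIG = "%u9090%u6858%ucbd3%u7801"

HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "OPTIONS", "TRACE", "DELETE"}


@dataclass
class Verdict:
    has_signature: bool      # CODERED_SIG is present somewhere in the request
    has_request_head: bool   # a method and a /default.ida? target precede the filler
    filler: Optional[str]    # 'N' (Code Red), 'X' (Code Red II) or None
    filler_len: int
    http_version: Optional[str]
    label: str


def split_request(request: str):
    """Split a logged request line into (method, target, version).

    Tolerates a missing method/target, which is what a request whose
    beginning never reached the server looks like in the log.
    """
    parts = request.split()
    version = parts[-1] if parts and parts[-1].startswith("HTTP/") else None
    body = parts[:-1] if version else parts
    method = None
    if body and body[0].upper() in HTTP_METHODS:
        method = body[0].upper()
        body = body[1:]
    target = " ".join(body) if body else ""
    return method, target, version


def classify(request: str) -> Verdict:
    method, target, version = split_request(request)
    has_sig = CODERED_SIG in request

    # Filler run: take whatever follows "default.ida?" or, if the head is
    # missing, whatever sits at the very start of what was logged.
    query = target.split("?", 1)[1] if "?" in target else target
    m = re.match(r"^(N+|X+)", query)
    filler = m.group(1)[0] if m else None
    filler_len = len(m.group(1)) if m else 0

    head_ok = method is not None and target.lower().startswith("/default.ida?")

    if not has_sig:
        label = "not Code Red"
    else:
        family = {"N": "Code Red", "X": "Code Red II"}.get(filler, "Code Red-family")
        if head_ok:
            label = f"{family} (complete request)"
        else:
            label = f"{family}-like payload, request line head missing"
        if version and version != "HTTP/1.0":
            label += f", unexpected {version}"
    return Verdict(has_sig, head_ok, filler, filler_len, version, label)


def classify_log_line(line: str) -> Optional[Verdict]:
    """Parse one access-log line and classify its request; None if it does not parse."""
    m = LOG_RE.match(line)
    return classify(m.group("request")) if m else None


# Constructed samples (assumption: the filler run is shortened to 40 bytes).
PAYLOAD = (
    "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
    "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
)
SAMPLE_TRUNCATED = (
    '000.000.000.000 - - [06/Aug/2001:13:06:27 -0300] "'
    + "X" * 40 + PAYLOAD + ' HTTP/1.1" 400 -'
)
SAMPLE_FULL = (
    '000.000.000.000 - - [06/Aug/2001:13:06:27 -0300] "GET /default.ida?'
    + "X" * 40 + PAYLOAD + ' HTTP/1.0" 404 -'
)

if __name__ == "__main__":
    for line in (SAMPLE_TRUNCATED, SAMPLE_FULL):
        print(classify_log_line(line).label)
```

Run against the two samples it labels the posted line as a Code Red II-like payload with the request line head missing and an unexpected HTTP/1.1, and the constructed full request as a complete Code Red II; the 400 status on the posted line is what you would expect from Apache for a request line that has no method.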
