Re: Bad CodeRed request ?

[Tim Walberg <twalberg () mindspring com>]

I've been seeing similar for several days, the first deformation
was missing the "GET " at the beginning (i.e. packet began
with "/default.ida?....". Now it looks like a few more bytes off
the front are missing. Given that this is a malformed HTTP request,
I don't think this will have the same effect as the original attack,
but there may still be concerns with certain http servers attempting
to parse the packet - the parsing problem now hits the method recognition
code, rather than the URI parsing code, though.

                                tw


On 08/06/2001 13:10 -0300, Rodrigo Barbosa wrote:
> >      Things are getting a little wierd here.
> >      
> >      I have been getting some malformed coldered requests, like this:
> >      
> >      000.000.000.000 - - [06/Aug/2001:13:06:27 -0300] 
> > "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> >  HTTP/1.1" 400 -
> >      
> >      I'm hidding the IP of the source for obvious reasons.
> >      
> >      The point is that i looks like a CodeRed II, but it's missing the
> >      begining of the xploit string. Also, this is a HTTP/1.1 request, while
> >      regular CRII requests are HTTP/1.0.
> >      



-- 
twalberg () mindspring com

Attachment: _bin
Description: