Security Incidents mailing list archives
Re: Bad CodeRed request ?
From: Tim Walberg <twalberg () mindspring com>
Date: Mon, 6 Aug 2001 13:26:23 -0500
I've been seeing similar for several days, the first deformation was missing the "GET " at the beginning (i.e. packet began with "/default.ida?...."). Now it looks like a few more bytes off the front are missing. Given that this is a malformed HTTP request, I don't think this will have the same effect as the original attack, but there may still be concerns with certain HTTP servers attempting to parse the packet - the parsing problem now hits the method recognition code, rather than the URI parsing code, though.

tw

On 08/06/2001 13:10 -0300, Rodrigo Barbosa wrote:
Things are getting a little weird here. I have been getting some malformed CodeRed requests, like this:

000.000.000.000 - - [06/Aug/2001:13:06:27 -0300] "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.1" 400 -

I'm hiding the IP of the source for obvious reasons. The point is that it looks like a CodeRed II, but it's missing the beginning of the xploit string. Also, this is an HTTP/1.1 request, while regular CRII requests are HTTP/1.0.
-- twalberg () mindspring com
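
An added example, not part of the original posts: a log triage script that separates the three request shapes discussed in this thread (intact, missing the "GET ", and cut off further into the string) and records the protocol version. It assumes Apache common log format; the label names are hypothetical, and the sample lines are constructed with documentation addresses and a shortened filler run.

```python
import re

# Apache common log format: host ident user [time] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) (\S+)$')
# Run of %u-encoded words, as in the request quoted in the thread
UENC_RE = re.compile(r'(?:%u[0-9a-fA-F]{4}){4,}')
METHOD_RE = re.compile(r'^[A-Z]+ /')          # "GET /", "POST /", ...
VERSION_RE = re.compile(r' (HTTP/\d\.\d)$')

def classify(request):
    """Label the request field of one log entry (label names are hypothetical)."""
    if not UENC_RE.search(request):
        return "other"
    if METHOD_RE.match(request) and "/default.ida?" in request:
        return "codered-intact"        # method and URI both present
    if request.startswith("/default.ida?"):
        return "codered-no-method"     # the "GET " is missing
    return "codered-truncated"         # cut off somewhere past the method

def scan(lines):
    """Return one dict per log line that carries the %u-encoded run."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                   # not common log format, skip
        host, _ts, request, status, _size = m.groups()
        label = classify(request)
        if label == "other":
            continue
        version = VERSION_RE.search(request)
        hits.append({"host": host, "label": label, "status": int(status),
                     "version": version.group(1) if version else None})
    return hits

# Constructed sample input: shortened filler, %u words taken from the quoted request
FILLER = "X" * 40
TAIL = "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
SAMPLE = [
    f'192.0.2.10 - - [06/Aug/2001:13:01:02 -0300] "GET /default.ida?{FILLER}{TAIL}=a HTTP/1.0" 404 276',
    f'192.0.2.11 - - [06/Aug/2001:13:03:40 -0300] "/default.ida?{FILLER}{TAIL}=a HTTP/1.0" 400 -',
    f'192.0.2.12 - - [06/Aug/2001:13:06:27 -0300] "{FILLER}{TAIL}=a HTTP/1.1" 400 -',
    '192.0.2.13 - - [06/Aug/2001:13:07:00 -0300] "GET /index.html HTTP/1.0" 200 1043',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Grouping the hits by label and version over time shows whether the malformed variants come from the same hosts as the intact requests.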