Security Basics mailing list archives
Re: unexpected log entries
From: "Jill Tovey" <jill.tovey () bigbluedoor com>
Date: Tue, 10 Dec 2002 07:51:48 -0000
Hi Paolo, This is a log for Code Red which does indeed attempt a buffer over overflow using the idq.dll ISAPI extension mapping vulnerability. Check for the presence of the directory %systemdrive%\notworm, and get the following patch: http://www.microsoft.com/technet/security/bulletin/MS01-033.asp Kind Regards, Jill Tovey ----- Original Message ----- From: "Paolo Mattiangeli" <pamatt () centrodiascolto it> To: <security-basics () securityfocus com> Sent: Saturday, December 07, 2002 3:13 PM Subject: unexpected log entries
Hi everybody, I guess maybe someone out there can help me with this. I
have
a w2k server running IIS 5 and keep receiving what I think to be "probes"
on
my web server. Today I found in the log the following entry: 2002-12-07 14:33:32 200.170.226.83 - 192.168.100.7 80 GET /default.ida
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u90
90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u
9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 - which I guess to be a tentative of buffer overrun on my web server. I have some difficulties to understand what is the matter here, but the thing
that
most worries me is the final "200 - " which in some way could mean that
the
response of the server is positive (in most cases it ist 404 - or 500 -). Could someone help? Thanks and regards pamatt
Current thread:
- unexpected log entries Paolo Mattiangeli (Dec 09)
- Re: unexpected log entries Johannes Ullrich (Dec 09)
- Re: unexpected log entries Jill Tovey (Dec 10)