Re: Unicode Logs with Ping Activity

From: myrddin_eat_private
Date: Tue Jul 10 2001 - 11:13:16 PDT


    Understood, and thanks for the detailed information. That is what I was 
    trying to learn!
    
    Anyone have an opinion as to the likelihood of the originating address 
    not being spoofed? I counted four unique addresses that used the system 
    for ping attacks over the course of 20 days.
    
    DISCLAIMER: NO, this was not my server. YES, I do know that the patch for 
    Unicode was released with bulletin MS00-057. YES, I did read the FAQ before 
    posting. Geez guys, take a pill.
    
    
    At Tue, 10 Jul 2001 13:05:45 -0400 (EDT), Jordan K Wiens <jwiensat_private> 
    wrote:
    
    >
    >No, a 502 error is a bad gateway error; what happens is that your IIS
    >server is unpatched against the unicode exploits (one of them, at least)
    >and is executing the command to ping a host.  Just recently there seems
    >to be an increase in the number of hackers using vulnerable web servers
    >for ddos like behavior using over-sized pings.
    >
    >When the ping command executes, it runs the pings, however, it (obviously)
    >does not return complete html headers as its output (since ping was
    >never meant to run via the web, it's not supposed to run like a normal
    >web executable). IIS notices this, and realizes that the script hasn't
    >correctly executed, and lets you know with the 502 error.  If you actually
    >look at the page, the results would read something like: "502 error;
    >the application has not returned correct headers.  The headers it did
    >return are:" and then IIS would proceed to show the output of whatever
    >had been shown.
    >
    >The error you want to see once a machine has been fully patched is usually
    >a 404 error.
    >
    >-- 
    >Jordan Wiens
    >UF Network Incident Response Team
    >(352)392-2061
    
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
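
Added example, not part of the original thread or written by either poster: a log triage script that applies the 502-versus-404 reading given in the quoted reply and counts the unique source addresses involved, as the follow-up did by hand. It assumes IIS W3C extended logs with the fields shown; the log lines are constructed, and the function names and the "last argument is the ping destination" rule are illustrative assumptions.

```python
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in IIS W3C extended format (documentation-range IPs, not real data).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-06-20 03:11:02 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+ping+-l+65000+203.0.113.9 502
2001-06-20 03:11:40 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+ping+-l+65000+203.0.113.9 502
2001-07-02 09:45:00 198.51.100.7 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+ping+203.0.113.9 502
2001-07-09 22:30:51 192.0.2.44 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+ping+203.0.113.9 404
2001-07-09 22:31:05 192.0.2.80 GET /default.htm - 200
"""

def parse_w3c(text):
    """Yield one dict per log entry, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def ping_relay_hits(text):
    """Group requests that run ping through cmd.exe by client IP and HTTP status."""
    report = defaultdict(lambda: {"executed": 0, "rejected": 0, "other": 0,
                                  "first": None, "last": None, "targets": set()})
    for e in parse_w3c(text):
        stem = e.get("cs-uri-stem", "").lower()
        args = unquote(e.get("cs-uri-query", "").replace("+", " ")).lower().split()
        if not stem.endswith("cmd.exe") or "ping" not in args:
            continue
        r = report[e["c-ip"]]
        # Per the thread: 502 = ping ran but returned no HTTP headers; 404 = patched server.
        r[{"502": "executed", "404": "rejected"}.get(e.get("sc-status"), "other")] += 1
        r["first"] = r["first"] or e["date"]
        r["last"] = e["date"]
        r["targets"].add(args[-1])  # assumption: destination host is ping's last argument
    return dict(report)

if __name__ == "__main__":
    hits = ping_relay_hits(SAMPLE_LOG)
    print(f"{len(hits)} unique source addresses")
    for ip, r in sorted(hits.items()):
        print(ip, r["first"], r["last"], "executed:", r["executed"],
              "rejected:", r["rejected"], "targets:", sorted(r["targets"]))
```

Addresses with a non-zero `executed` count are the ones whose commands actually ran; the `targets` set lists the hosts that were pinged from the server.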
    
    
    



    This archive was generated by hypermail 2b30 : Wed Jul 11 2001 - 13:24:11 PDT