Bad CodeRed request ?

From: Rodrigo Barbosa (rodrigobat_private)
Date: Mon Aug 06 2001 - 09:10:15 PDT


    Things are getting a little weird here.
    
    I have been getting some malformed CodeRed requests, like this:
    
    000.000.000.000 - - [06/Aug/2001:13:06:27 -0300] "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.1" 400 -
    
    I'm hiding the IP of the source for obvious reasons.
    
    The point is that it looks like a CodeRed II, but it's missing the
    beginning of the exploit string. Also, this is an HTTP/1.1 request, while
    regular CRII requests are HTTP/1.0.
    
    I've got these from 2 hosts now. Multiple times from each of these hosts,
    and no regular CRII request from any of them.
    
    Anyone have any idea what this can be?
    
    []s
    
    -- 
     Rodrigo Barbosa                   - rodrigob at bh.conectiva.com.br
     Conectiva S/A			   - Belo Horizonte, MG, Brazil
     "Quis custodiet ipsos custodiet?" - http://www.conectiva.com/
    
    
    
    
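An added example, not part of Rodrigo's message or of any tool mentioned on the list: a small Python classifier that parses Apache common-log lines of the shape quoted above and sorts Code Red-family probes by padding letter (N for the original Code Red, X for Code Red II, the usual way to tell them apart), by whether the request still carries the leading `GET /default.ida?`, and by HTTP version and status. The `%u9090%u6858%ucbd3%u7801` fingerprint and the rest of the payload are taken verbatim from the log line in the post; the sample log lines, their private source IPs and the padding lengths are constructed here for illustration and are not the real worm's exact byte counts.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Apache "common" log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# %u-encoded overflow trigger copied from the log line in the post. The first four
# %u groups are enough to fingerprint the Code Red family of .ida requests.
CODERED_PAYLOAD = (
    "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
    "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
)
CODERED_SHELLCODE_HEAD = "%u9090%u6858%ucbd3%u7801"
IDA_PREFIX = "/default.ida?"          # how the worm normally starts the URL
HTTP_METHODS = {"GET", "POST", "HEAD", "OPTIONS", "PUT", "DELETE", "TRACE", "CONNECT"}


@dataclass
class Verdict:
    host: str
    family: str                 # "none", "CodeRed-I", "CodeRed-II", "CodeRed-unknown-padding"
    complete: bool              # True when "GET /default.ida?" precedes the padding
    http_version: Optional[str]
    status: int
    padding_len: int


def split_request(request: str):
    """Split the quoted request field into (method, target, version), tolerating
    lines where the method and/or the HTTP version token are missing."""
    parts = request.split(" ")
    method = version = None
    if parts and parts[-1].startswith("HTTP/"):
        version = parts.pop()
    if parts and parts[0] in HTTP_METHODS:
        method = parts.pop(0)
    target = " ".join(parts) if parts else ""
    return method, target, version


def classify(line: str) -> Optional[Verdict]:
    """Return a Verdict for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target, version = split_request(m.group("request"))
    status = int(m.group("status"))
    if CODERED_SHELLCODE_HEAD not in target:
        return Verdict(m.group("host"), "none", False, version, status, 0)
    head = target[: target.index("%u")]      # padding, maybe preceded by the .ida prefix
    complete = method == "GET" and head.startswith(IDA_PREFIX)
    if complete:
        head = head[len(IDA_PREFIX):]
    pad_chars: Set[str] = set(head)
    if pad_chars == {"X"}:
        family = "CodeRed-II"
    elif pad_chars == {"N"}:
        family = "CodeRed-I"
    else:
        family = "CodeRed-unknown-padding"
    return Verdict(m.group("host"), family, complete, version, status, len(head))


def hosts_with_only_malformed(lines: List[str]) -> List[str]:
    """Hosts that sent Code Red-family requests but never a complete one,
    i.e. the pattern the post describes for its two sources."""
    seen: Dict[str, Set[bool]] = {}
    for line in lines:
        v = classify(line)
        if v is None or v.family == "none":
            continue
        seen.setdefault(v.host, set()).add(v.complete)
    return sorted(h for h, flags in seen.items() if flags == {False})


# Constructed sample log (private IPs, illustrative padding lengths).
SAMPLE_LOG = [
    # shape of the line in the post: no method, no /default.ida?, HTTP/1.1, status 400
    f'10.0.0.1 - - [06/Aug/2001:13:06:27 -0300] "{"X" * 115}{CODERED_PAYLOAD} HTTP/1.1" 400 -',
    # a regular Code Red II probe as it is usually logged
    f'10.0.0.2 - - [06/Aug/2001:13:07:02 -0300] "GET {IDA_PREFIX}{"X" * 224}{CODERED_PAYLOAD} HTTP/1.0" 404 -',
    # original Code Red, N padding
    f'10.0.0.3 - - [06/Aug/2001:13:08:15 -0300] "GET {IDA_PREFIX}{"N" * 224}{CODERED_PAYLOAD} HTTP/1.0" 404 -',
    # benign request
    '10.0.0.4 - - [06/Aug/2001:13:09:00 -0300] "GET /index.html HTTP/1.1" 200 1234',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line))
    print("only malformed:", hosts_with_only_malformed(SAMPLE_LOG))
```

The classifier keys on the `%u` shellcode head rather than on `/default.ida`, precisely so that truncated lines like the one above are still caught; the missing prefix and the HTTP version are then reported separately instead of making the line fall through as noise.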



    This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 10:50:16 PDT