Things are getting a little weird here. I have been getting some malformed CodeRed requests, like this:

000.000.000.000 - - [06/Aug/2001:13:06:27 -0300] "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.1" 400 -

I'm hiding the IP of the source for obvious reasons.

The point is that it looks like a CodeRed II, but it's missing the beginning of the xploit string. Also, this is an HTTP/1.1 request, while regular CRII requests are HTTP/1.0.

I've got these from 2 hosts now. Multiple times from each of these hosts, and no regular CRII request from any of them.

Anyone have any idea what this can be?

[]s

--
Rodrigo Barbosa - rodrigob at bh.conectiva.com.br
Conectiva S/A - Belo Horizonte, MG, Brazil
"Quis custodiet ipsos custodiet?" - http://www.conectiva.com/
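An added example, not part of the original post: a log triage script that separates requests like the one quoted above (payload present, no method or path) from complete requests, and lists the hosts that only ever sent the former. The sample lines, the addresses and the `GET /default.ida?` prefix are assumptions that do not come from the post.

```python
import re
from collections import defaultdict

# Apache Common Log Format: host ident user [time] "request" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(.*)" (\d{3}) \S+$')
# A run of %uXXXX escapes, as in the request quoted in the post
U_RUN = re.compile(r'(?:%u[0-9a-fA-F]{4}){4,}')
# Start of an ordinary Code Red request line (assumption: well known, not in the post)
HEAD = "GET /default.ida?"

def classify(line):
    """Return (host, kind, protocol, status), or None if the line is not CLF."""
    m = CLF.match(line.strip())
    if m is None:
        return None
    host, request, status = m.groups()
    # The last token counts as the protocol only if it looks like one
    tail = request.rsplit(" ", 1)[-1]
    proto = tail if tail.startswith("HTTP/") else None
    if not U_RUN.search(request):
        kind = "other"
    elif request.startswith(HEAD):
        kind = "complete"
    else:
        kind = "headless"  # payload present, method and path missing
    return host, kind, proto, int(status)

def headless_only_hosts(lines):
    """Hosts that sent headless payloads and never a complete one."""
    seen = defaultdict(set)
    for line in lines:
        rec = classify(line)
        if rec and rec[1] != "other":
            seen[rec[0]].add(rec[1])
    return sorted(h for h, kinds in seen.items() if kinds == {"headless"})

# Constructed sample lines (documentation addresses, padding shortened)
PAYLOAD = "X" * 20 + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u00=a"
SAMPLE = [
    '192.0.2.10 - - [06/Aug/2001:13:06:27 -0300] "%s HTTP/1.1" 400 -' % PAYLOAD,
    '192.0.2.10 - - [06/Aug/2001:13:09:02 -0300] "%s HTTP/1.1" 400 -' % PAYLOAD,
    '192.0.2.20 - - [06/Aug/2001:13:07:11 -0300] "%s%s HTTP/1.0" 404 205' % (HEAD, PAYLOAD),
    '192.0.2.30 - - [06/Aug/2001:13:08:40 -0300] "GET /index.html HTTP/1.0" 200 1043',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line))
    print("headless only:", headless_only_hosts(SAMPLE))
```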
This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 10:50:16 PDT