On Mon, 6 Aug 2001, Rodrigo Barbosa wrote:

> Things are getting a little weird here.
>
> I have been getting some malformed CodeRed requests, like this:
>
> 000.000.000.000 - - [06/Aug/2001:13:06:27 -0300] "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.1" 400 -
>
> The point is that it looks like a CodeRed II, but it's missing the
> beginning of the xploit string. Also, this is a HTTP/1.1 request, while
> regular CRII requests are HTTP/1.0.

Meaning it is missing the getsomething.ida? bit. Might be someone's misguided attempt at manual exploitation.

Do you have any logs other than the web log? The web logging cuts off the bit following the HTTP/1.0 (or 1.1).

I have received truncated versions of CodeRedII, due to the request being cut off in the middle for some reason. Nothing like this, though.

Ryan

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
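The distinction Ryan draws above (a stock worm request carries a method, a `.ida?` path and HTTP/1.0; the logged one has none of these) can be turned into a log check. The following is an added example, not code from the thread; it assumes Apache common log format and uses the repeating `%u9090%u6858%ucbd3%u7801` unit from the quoted request as the Code Red II marker, with the sample log lines constructed for the demonstration.

```python
import re
from typing import List, Optional

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
# The repeating %u-encoded unit at the start of the Code Red II payload,
# taken from the request quoted in the post above.
CRII_MARKER = re.compile(r'(?:%u9090%u6858%ucbd3%u7801){2,}', re.IGNORECASE)

def classify(line: str) -> Optional[dict]:
    """Return None for unparsable lines, else host, verdict and the list
    of ways the request deviates from a stock worm-generated one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, request = m.group(1), m.group(3)
    if not CRII_MARKER.search(request):
        return {"host": host, "verdict": "clean", "anomalies": []}
    parts = request.split(" ")
    anomalies = []
    # A worm-generated request looks like "GET /default.ida?XXX... HTTP/1.0"
    if parts[0] not in ("GET", "HEAD", "POST"):
        anomalies.append("no-method")           # line starts with the payload
    if ".ida?" not in request.lower():
        anomalies.append("no-ida-path")         # the .ida? prefix is missing
    version = parts[-1] if parts[-1].startswith("HTTP/") else "unknown"
    if version != "HTTP/1.0":
        anomalies.append("version-" + version)  # CRII always speaks HTTP/1.0
    verdict = "codered2" if not anomalies else "codered2-variant"
    return {"host": host, "verdict": verdict, "anomalies": anomalies}

def scan(lines: List[str]) -> List[dict]:
    """Keep only the lines that carry the Code Red II marker."""
    return [v for v in map(classify, lines) if v and v["verdict"] != "clean"]

# Constructed sample log: the request from the post, a stock worm request
# (method, path and version as the worm sent them), and an ordinary fetch.
PAYLOAD = ("%u9090%u6858%ucbd3%u7801" * 3 +
           "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")
SAMPLE_LOG = [
    '000.000.000.000 - - [06/Aug/2001:13:06:27 -0300] "' + "X" * 112 + PAYLOAD + ' HTTP/1.1" 400 -',
    '10.0.0.7 - - [06/Aug/2001:13:07:02 -0300] "GET /default.ida?' + "X" * 224 + PAYLOAD + ' HTTP/1.0" 200 -',
    '10.0.0.9 - - [06/Aug/2001:13:07:10 -0300] "GET /index.html HTTP/1.1" 200 1043',
]

if __name__ == "__main__":
    for v in scan(SAMPLE_LOG):
        print(v)
```

Run against a real access log, anything tagged `codered2-variant` with `no-method` or `no-ida-path` is the kind of hand-trimmed or truncated request discussed in the thread rather than the worm itself.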
This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 11:31:01 PDT