I've been seeing similar for several days, the first deformation was missing the "GET " at the beginning (i.e. packet began with "/default.ida?....". Now it looks like a few more bytes off the front are missing. Given that this is a malformed HTTP request, I don't think this will have the same effect as the original attack, but there may still be concerns with certain http servers attempting to parse the packet - the parsing problem now hits the method recognition code, rather than the URI parsing code, though. tw On 08/06/2001 13:10 -0300, Rodrigo Barbosa wrote: >> Things are getting a little wierd here. >> >> I have been getting some malformed coldered requests, like this: >> >> 000.000.000.000 - - [06/Aug/2001:13:06:27 -0300] "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.1" 400 - >> >> I'm hidding the IP of the source for obvious reasons. >> >> The point is that i looks like a CodeRed II, but it's missing the >> begining of the xploit string. Also, this is a HTTP/1.1 request, while >> regular CRII requests are HTTP/1.0. >> -- twalbergat_private
This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 11:36:29 PDT