FW: Weird .ida request? What is it?

From: red0x (red0xat_private)
Date: Sun Sep 02 2001 - 10:42:22 PDT

    Anyone know what this is? A new anti code red?
    
    --red0x
    
    
    ----------  Forwarded Message  ----------
    Subject: ACID Incident Report
    Date: Mon, 27 Aug 2001 19:27:31 -0700
    From: nobody <nobodyat_private-ip.com>
    To: red0xat_private
    
    
    Generated by ACID v0.9.6b12 on Mon August 27, 2001 19:27:29
    
    ----------------------------------------------------------------------------
    -
    - #(3 - 1458) [2001-08-25 02:36:14] [arachNIDS/298]  WEB-MISC http directory
     traversal IPv4: 64.129.66.101 -> 192.168.1.102
          hlen=5 TOS=0 dlen=328 ID=7527 flags=0 offset=0 TTL=48 chksum=59220
    TCP:  port=2339 -> dport: 80  flags=***AP*** seq=3435210468
          ack=3333548136 off=8 res=0 win=32120 urp=0 chksum=47223
          Options:
           #1 - NOP len=0
           #2 - NOP len=0
           #3 - TS len=10 data=04E8598301BE66BC4745
    Payload:  length = 258
    
    000 : 47 45 54 20 2F 53 63 72 69 70 74 73 2F 72 6F 6F   GET /Scripts/roo
    010 : 74 2E 65 78 65 3F 2F 63 2B 65 63 68 6F 2B 70 6C   t.exe?/c+echo+pl
    020 : 65 61 73 65 2B 70 61 74 63 68 2B 79 6F 75 72 2B   ease+patch+your+
    030 : 73 79 73 74 65 6D 2E 2B 73 65 65 2B 68 74 74 70   system.+see+http
    040 : 3A 2F 2F 77 77 77 2E 6D 69 63 72 6F 73 6F 66 74   ://www.microsoft
    050 : 2E 63 6F 6D 2F 74 65 63 68 6E 65 74 2F 69 74 73   .com/technet/its
    060 : 6F 6C 75 74 69 6F 6E 73 2F 73 65 63 75 72 69 74   olutions/securit
    070 : 79 2F 74 6F 70 69 63 73 2F 63 6F 64 65 61 6C 72   y/topics/codealr
    080 : 74 2E 61 73 70 3E 2E 2E 5C 2E 2E 5C 44 6F 63 75   t.asp>..\..\Docu
    090 : 6D 65 7E 31 5C 41 6C 6C 55 73 65 7E 31 5C 44 65   me~1\AllUse~1\De
    0a0 : 73 6B 74 6F 70 5C 59 4F 55 5F 48 41 56 45 5F 54   sktop\YOU_HAVE_T
    0b0 : 48 45 5F 43 4F 44 45 5F 52 45 44 5F 57 4F 52 4D   HE_CODE_RED_WORM
    0c0 : 2E 54 58 54 20 48 54 54 50 2F 31 2E 30 0D 0A 55   .TXT HTTP/1.0..U
    0d0 : 73 65 72 2D 41 67 65 6E 74 3A 20 2D 0D 0A 48 6F   ser-Agent: -..Ho
    0e0 : 73 74 3A 20 36 34 2E 31 36 37 2E 32 33 36 2E 36   st: 64.167.236.6
    0f0 : 31 0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A   1..Accept: */*..
    100 : 0D 0A                                             ..
    
    -------------------------------------------------------
    
    --
    --red0x
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Sun Sep 02 2001 - 13:36:59 PDT