Given that IIS itself crashes whilst parsing the bogus codeRed request, and that the problem lies in the query itself, the two things to verify are:

1- this is either an .ida or .idq file call
2- the request itself is too long

As a matter of fact, you ought to verify .ida .idq plus the request itself.

However, this should be ancient history by now, given that once patched, you should not care anymore about this exploit. Try to focus on what's next: long requests with lots of AAAA, XXX, NNN, whatsoever.

> -----Original Message-----
> From: Tina Bird [SMTP:tbird@precision-guesswork.com]
> Sent: Friday, 10. August 2001 22:03
> To: loganalysisat_private
> Subject: strings associated with code red and variants (fwd)
>
> Things to look for in your Web server logs:
>
> 'default' may return too much. I usually use it with 'default.ida' and
> 'default.idq'.
>
> default
> ida
> idq
> root\.exe
> cmd\.exe
> code red
> codered
> eeye
> worm
> overflow
> whitehouse\.gov
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: loganalysis-unsubscribeat_private
> For additional commands, e-mail: loganalysis-helpat_private
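
The two checks described in the reply above (an .ida/.idq call combined with an over-long request) and its suggested follow-on heuristic for long filler runs, as an added Python example that is not part of the original message. The thresholds, reason labels and sample log lines are constructed assumptions.

```python
import re

# Assumed thresholds (not from the original message); tune to your own traffic.
MAX_QUERY_LEN = 200    # query string longer than this counts as "too long"
MIN_FILLER_RUN = 50    # same character repeated at least this many times

# Request line inside a Common Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+)(?: HTTP/[\d.]+)?"')
INDEX_EXT_RE = re.compile(r"\.(?:ida|idq)$", re.IGNORECASE)
FILLER_RE = re.compile(r"(.)\1{%d,}" % (MIN_FILLER_RUN - 1))

# Constructed sample entries (documentation addresses, no real payloads).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Aug/2001:22:03:00 +0000] "GET /default.ida?'
    + "N" * 224 + ' HTTP/1.0" 200 -',
    '192.0.2.11 - - [10/Aug/2001:22:03:05 +0000] "GET /search.idq?q=logs HTTP/1.0" 200 512',
    '192.0.2.12 - - [10/Aug/2001:22:03:09 +0000] "GET /cgi-bin/form?name='
    + "A" * 300 + ' HTTP/1.0" 404 -',
    '192.0.2.13 - - [10/Aug/2001:22:03:12 +0000] "GET /default.htm HTTP/1.0" 200 1024',
]

def classify(line):
    """Return the set of reasons a log line looks suspicious (empty if none)."""
    match = REQUEST_RE.search(line)
    if not match:
        return {"unparsed"}          # keep for manual review rather than drop
    target = match.group("target")
    path, _, query = target.partition("?")
    reasons = set()
    # Both conditions from the message: .ida/.idq call AND over-long query.
    if INDEX_EXT_RE.search(path) and len(query) > MAX_QUERY_LEN:
        reasons.add("ida-idq-long-query")
    # Patch-independent heuristic: long runs of one filler character.
    if FILLER_RE.search(target):
        reasons.add("filler-run")
    return reasons

def scan(lines):
    """Return (line_number, sorted reasons) for every flagged line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        reasons = classify(line)
        if reasons:
            hits.append((number, sorted(reasons)))
    return hits

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG):
        print(number, ", ".join(reasons))
```

A short .idq query passes untouched, while the filler-run check still flags the over-long request to a non-.ida path.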
This archive was generated by hypermail 2b30 : Mon Aug 13 2001 - 15:01:58 PDT