[Dshield] Code Red????

John Groseclose iain at caradoc.org
Sun Aug 5 17:35:10 GMT 2001


At 11:30 AM -0400 8/5/01, Paul Marsh wrote:
>I just found these two in my log file, what are they?
>
>2001-08-05 09:43:17 192.168.1.127 - GET /x.ida
>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=X 200
>184 257 0 80 - -
>
>2001-08-05 09:45:08 192.168.1.127 - GET /x.ida
>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=X 200
>184 257 0 80 - -

The only thing that I *know* is using the AAAAAAA signature is the 
eEye Vulnerability Scanner.

Someone's checking to see if your machine is vulnerable to the IIS 
Buffer Overrun, used in Code Red and the sadmind/IIS worm.
-- 
John Groseclose
iain at caradoc.org
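
An added example, not part of the original post: one way to pull requests like the two quoted above out of an IIS log and report which filler character each source used, so a run of A's can be told apart from other fillers. The field order is inferred from the quoted lines, the 100-character threshold and the function names are assumptions, and wrapped log lines are assumed to have been rejoined first.

```python
import re
from collections import Counter

# Field order assumed from the log lines quoted in the post:
# date time client-ip user method uri-stem uri-query status ...
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<src>\S+) \S+ "
    r"(?P<method>\S+) (?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})\b"
)
# One character repeated at least MIN_RUN times (threshold is an assumption).
MIN_RUN = 100
RUN_RE = re.compile(r"(.)\1{%d,}" % (MIN_RUN - 1))

def find_ida_probes(lines):
    """Return one dict per request to an .ida resource whose query has a long filler run."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not m["stem"].lower().endswith(".ida"):
            continue
        runs = [r.group(0) for r in RUN_RE.finditer(m["query"])]
        if not runs:
            continue  # ordinary .ida request, no filler
        longest = max(runs, key=len)
        hits.append({
            "when": f'{m["date"]} {m["time"]}',
            "src": m["src"],
            "filler": longest[0],
            "run_length": len(longest),
            "status": int(m["status"]),
        })
    return hits

def summarize(hits):
    """Count flagged requests per (source address, filler character)."""
    return Counter((h["src"], h["filler"]) for h in hits)

# Constructed sample input modelled on the quoted lines (filler length is made up).
SAMPLE = [
    "2001-08-05 09:43:17 192.168.1.127 - GET /x.ida " + "A" * 224 + "=X 200 184 257 0 80 - -",
    "2001-08-05 09:45:08 192.168.1.127 - GET /x.ida " + "A" * 224 + "=X 200 184 257 0 80 - -",
    "2001-08-05 09:46:02 192.168.1.50 - GET /index.html - 200 512 300 0 80 - -",
    "2001-08-05 09:47:30 192.168.1.60 - GET /search.ida q=report 200 400 280 0 80 - -",
]

if __name__ == "__main__":
    for (src, filler), n in summarize(find_ida_probes(SAMPLE)).items():
        print(f"{src}: {n} request(s), filler {filler!r}")
```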



