[Dshield] Code red variant?

BarkerJr barkjr at home.com
Thu Jul 26 16:11:26 GMT 2001


Message> length=222&URL=/x.ida&arg=AAA* (with 219 more a's following).
>
> Anyone else seen this or know what it is?

I haven't (just grep'd my two web servers for *ida*), but maybe it's just not widespread
yet.  I did find this log entry though:

216.53.92.98 - - [26/Jul/2001:11:39:43 -0400] "GET /NULL.printer HTTP/1.0" 404 1522 "-" "-"

I have my web servers email me when they encounter 404 errors.  In my email, the
REQUEST_URI was listed as:




3À°Ø<<@`3Û³$Ãÿà빐1Oj/NUL
L.printer

Maybe they're invisible characters in telnet?  Anyone else seen this?  Should I email an
abuse department?

-BarkerJr



