[unisog] /default.ida attack?

Jeff Anderson-Lee jonah at galaxy.CS.Berkeley.EDU
Thu Jul 19 22:21:33 GMT 2001


It's the "Code Red" worm (aka .ida worm).  Here is an article from BugTraq:

http://www.securityfocus.com/templates/archive.pike?fromthread=0&end=2001-07-21&list=1%3flist%3d1&mid=197427&start=2001-07-15&threads=0&------

It targets a recently discovered (June 18) buffer overflow bug in MS IIS
servers.  There is a HotFix available:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp
eEye Digital Security Advisory

Jeff

Re:
 :From:  Peter Ruprecht <ruprech at jilau1.Colorado.EDU>
 :To:  unisog at sans.org
 :Subject:  [unisog] /default.ida attack?
 :Date:  Thu, 19 Jul 2001 13:24:27 -0600 (MDT)
 :
 :
 :Hi everyone,
 :
 :Recently, I've been seeing a lot of action in my httpd logs involving
 :requests like:
 :
 :"GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
 :NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
 :NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
 :NNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3
 :%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0"
 :
 :Any idea what they're going after?  (Mainly the clients seem to be 
 :dialup or home broadband addresses.)
 :
 :Thanks,
 :Peter
 :
 :- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 :Peter Ruprecht                  Professional Research Asst. - Computing
 :JILA, Room S220                 phone: (303) 492-8255
 :University of Colorado-Boulder  fax: (303) 492-5235
 :440 UCB                         email: Peter.Ruprecht at jila.colorado.edu
 :Boulder, CO 80309-0440          http://jilawww.colorado.edu/~ruprech
 :
 :
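As an added defender-side example (not part of Jeff's or Peter's messages): a small Python scanner that parses Apache-style access-log lines like the one Peter quoted and counts, per client address, requests that have the Code Red probe shape (a GET for /default.ida whose query is a long run of N characters followed by %u-encoded escapes). The log lines, client addresses, timestamps and status codes below are constructed for the example; the request string is shortened from the shape in Peter's log.

```python
import re
from typing import Dict, Optional

# Constructed sample Apache common-log-format lines (not from the original post).
# Two Code Red probes from one address, one ordinary request, and one
# unrelated request to /default.ida that lacks the probe's filler/escape shape.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Jul/2001:13:02:11 -0600] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 295
198.51.100.7 - - [19/Jul/2001:13:05:40 -0600] "GET /index.html HTTP/1.1" 200 1043
192.0.2.10 - - [19/Jul/2001:13:09:02 -0600] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 295
203.0.113.44 - - [19/Jul/2001:13:11:17 -0600] "GET /default.ida?x=1 HTTP/1.0" 404 295
"""

# Apache common log format: ip ident user [timestamp] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Probe shape from the quoted log: /default.ida? + long run of N + %uXXXX escapes.
# The run length (10) is an assumption chosen to avoid matching ordinary queries.
IDA_PROBE_RE = re.compile(r'^/default\.ida\?N{10,}(?:%u[0-9a-fA-F]{4})+')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access-log line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_ida_probe(path: str) -> bool:
    """True if the request path has the Code Red /default.ida probe shape."""
    return IDA_PROBE_RE.match(path) is not None


def scan_log(text: str) -> Dict[str, int]:
    """Count probe requests per client address across a block of log text."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        if is_ida_probe(rec["path"]):
            counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for ip, n in sorted(scan_log(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{ip}\t{n} default.ida probe(s)")
```

On a server that is not IIS, these requests are only logged (typically with a 404, as in the constructed lines) and do no harm; the per-address counts are mainly useful for gauging how widely the worm is scanning and for confirming that any IIS hosts on the same network have the MS01-033 fix applied.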
