Profile

unixronin: Galen the technomage, from Babylon 5: Crusade (Default)
Unixronin

Links

December 2012

S M T W T F S
      1
2345678
9101112131415
16171819202122
23242526272829
3031     

Navigation

Page Summary

Most Popular Tags

Expand Cut Tags

No cut tags

New attack, possibly against IIS?

unixronin: Galen the technomage, from Babylon 5: Crusade (Techno)
[personal profile] unixronin
Monday, April 26th, 2004 02:34 am

I was just reviewing my log files and found a bunch of these .....

  • error log contains:  [Thu Apr 22 17:07:12 2004] [error] [client 61.152.210.36] request failed: URI too long
  • request log contains:  d60-65-155-212.col.wideopenwest.com - - [21/Apr/2004:01:26:44 -0400] "SEARCH /\x90 [about 8k of repeated \x02\xb1] [about 24k of \x90]" 414 383 "-" " -"

My best guess is this is a probe looking for vulnerable systems which, when identified, will then be targeted with a serious attack.  And just taking a wild-ass guess, my guess is it's trying for a buffer overflow in -- going out on a limb here (NOT!) -- IIS.



Go away, kid, ya bother me.

  • Current Mood: irritated
  • Current Music: Front 242 :::: 05:22:09:12 Off :::: Junkdrome   [ddj]
Flat | Top-Level Comments Only

ext_3294: Tux (Default)
[identity profile] technoshaman.livejournal.com
Monday, April 26th, 2004 07:01 am (UTC)
The same damn host? Or a bunch of different ones? And are you faking the hostname (i.e. is that really Qworst?)

But, yeah, now you see why "software monoculture" is a plague of the caliber seen by the Hebrews when they were in Egypt....

ext_85396: (Default)
[identity profile] unixronin.livejournal.com
Monday, April 26th, 2004 11:33 am (UTC)
Different hosts on each attempt, so I'm assuming it's either a worm or some kiddiescript looking for vulnerable systems. And no, I'm not sparing the provider's blushes, that's the actual host.

(What do you mean, "NOW you see...."?)  :)
Flat | Top-Level Comments Only