[lug] possible intrusion
D. Stimits
stimits at idcomm.com
Thu Jul 19 11:37:28 MDT 2001

Deva Samartha wrote:
>
> I am getting a few of these on port 80:
>
> [19/Jul/2001:07:48:26 -0600] "GET /default.ida?NNNNNNNN
> (many more NNN's).....NNNN%u9090%u6858%ucbd3%u7801%u9090%u.....
>
> which looks like a buffer overflow intrusion.
>
> Does anyone know more about this?
>
> thanks,
>
> Samartha
>

This may be of interest:
http://www.astalavista.com/exploits/iis/buffer2.shtml
http://www.eeye.com/html/Research/Advisories/AD20010618.html
http://www.bhs.silesianet.pl/html/overflow_in_6.0.htm

My guess is they are looking for MS IIS servers to root. If you are
running any MS machines there with an unpatched web server, they are
probably gone.

D. Stimits, stimits at idcomm.com
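
Added example, not part of the original thread: a small Python check that flags access-log lines shaped like the request quoted above (a .ida path whose query carries a long filler run and %uXXXX escapes). The function names, thresholds and sample log lines are constructed for illustration.

```python
import re

# Request field of a common-log-format line: "METHOD target [PROTOCOL]"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>[^\s"]+)')
PCT_U_RE = re.compile(r"%u[0-9a-fA-F]{4}")   # IIS-style %uXXXX escape
FILLER_RE = re.compile(r"(.)\1{63,}")        # one character repeated 64+ times


def indicators(line, ext=".ida", max_query=256):
    """Return the list of reasons a log line resembles the quoted probe."""
    m = REQUEST_RE.search(line)
    if m is None:
        return []
    path, _, query = m.group("target").partition("?")
    reasons = []
    if path.lower().endswith(ext):
        reasons.append("ida-path")        # extension taken from the quoted request
    if len(query) > max_query:
        reasons.append("long-query")      # threshold is an assumed value
    if FILLER_RE.search(query):
        reasons.append("filler-run")
    if PCT_U_RE.search(query):
        reasons.append("pct-u-escape")
    return reasons


def scan(lines):
    """Return (line_number, source_host, reasons) for every flagged line."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = indicators(line)
        if reasons:
            hits.append((n, line.split(" ", 1)[0], reasons))
    return hits


# Constructed sample log (not from the original post); 192.0.2.x are documentation addresses.
SAMPLE = [
    '192.0.2.10 - - [19/Jul/2001:07:40:01 -0600] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.77 - - [19/Jul/2001:07:48:26 -0600] "GET /default.ida?' + "N" * 240
    + '%u9090%u6858%ucbd3%u7801%u9090 HTTP/1.0" 404 276',
    '192.0.2.10 - - [19/Jul/2001:07:49:12 -0600] "GET /search?q=lug+meeting HTTP/1.0" 200 512',
    '192.0.2.90 - - [19/Jul/2001:07:50:03 -0600] "GET /default.ida HTTP/1.0" 404 276',
]

if __name__ == "__main__":
    for n, host, reasons in scan(SAMPLE):
        print(f"line {n} from {host}: {', '.join(reasons)}")
```

On a server that is not IIS these requests just return 404, so the hits are mainly useful as a list of source hosts that are scanning.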