[lug] possible intrusion
Calvin Dodge
caldodge at fpcc.net
Thu Jul 19 11:14:19 MDT 2001
On Thu, Jul 19, 2001 at 10:39:24AM -0600, Deva Samartha wrote:
> I am getting a few of these on port 80:
>
> [19/Jul/2001:07:48:26 -0600] "GET /default.ida?NNNNNNNN
> (many more NNN's).....NNNN%u9090%u6858%ucbd3%u7801%u9090%u.....
>
> which looks like a buffer overflow intrusion.
>
> Does anyone know more about this?
It appears to be an exploit for IIS version 5.
I found the following snippet at http://black.wiretapped.net/iis.txt
> Other security holes can be used to work out the exact system path to the web directory.
> Requesting any file with the .idc, .ida, .idw or .idw extensions can return the full path, such
> as
> H:\inetpub\wwwroot\hehe.idc not found
> this can be used in conjunction with other holes to locate system files, and to work around the
> system.
Even if this is not the specific exploit being tried against your server, it does seem to be an IIS-only issue. So if you're using Apache you should be OK (I see other IIS exploits once or twice a month on our Apache server).
Calvin
--
Calvin Dodge
Certified Linux Bigot (tm)
http://www.caldodge.fpcc.net
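Added example, not part of the original post or of the quoted wiretapped.net text: a small Python scanner that applies the checks this thread suggests to web-server access-log lines. It flags a request when several indicators line up: the target path ends in one of the extensions the snippet above names (.ida, .idc, .idw; .idq is added here as an assumption), the query string carries a long run of one repeated byte (the NNNN... filler), and the query contains many %uXXXX escapes like the %u9090%u6858... tail in Deva's log line. A bare .ida/.idc request with nothing else trips only the extension check, which matches the path-disclosure probe the snippet describes rather than an overflow attempt, so the scanner reports it only if you lower the threshold. The sample log lines are constructed for this example in Apache common log format (the original post shows only the timestamp and request); the thresholds (100 repeated bytes, 4 escapes, 2 indicators) are assumptions to tune, and the response status is printed so you can see what your server actually did with the request, as Calvin notes an Apache server just returns an error for these.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log lines in Apache common log format (NOT from the original post).
# Line 1 carries the .ida request pattern quoted in the thread, with the run of N's
# shortened and the %u-encoded chunk repeated; the others are ordinary traffic plus a
# bare .idc probe of the kind the quoted wiretapped.net snippet describes.
CONSTRUCTED_LOG = "\n".join([
    '192.0.2.10 - - [19/Jul/2001:07:48:26 -0600] "GET /default.ida?'
    + "N" * 224 + "%u9090%u6858%ucbd3%u7801" * 3 + '%u9090%u HTTP/1.0" 404 276',
    '192.0.2.11 - - [19/Jul/2001:07:50:01 -0600] "GET /index.html HTTP/1.1" 200 1234',
    '192.0.2.12 - - [19/Jul/2001:07:51:13 -0600] "GET /search.cgi?q=NNN HTTP/1.0" 200 512',
    '192.0.2.13 - - [19/Jul/2001:07:52:40 -0600] "GET /cgi-bin/form.pl?'
    + "".join(chr(97 + i % 26) for i in range(300)) + ' HTTP/1.0" 200 64',
    '192.0.2.14 - - [19/Jul/2001:07:53:02 -0600] "GET /hehe.idc HTTP/1.0" 404 210',
])

# Apache common log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Extensions named in the quoted snippet (.ida, .idc, .idw) plus .idq (assumption).
ISAPI_EXT = (".ida", ".idc", ".idq", ".idw")
# 100 or more repeats of a single byte in the query string: overflow filler (threshold assumed).
LONG_RUN_RE = re.compile(r"(.)\1{99,}")
# %uXXXX escapes as seen in the quoted request's tail.
UNICODE_ESC_RE = re.compile(r"%u[0-9a-fA-F]{4}")
MIN_UNICODE_ESCAPES = 4  # assumed threshold


@dataclass
class Finding:
    ip: str
    timestamp: str
    status: int
    indicators: list = field(default_factory=list)


def request_indicators(target: str) -> list:
    """Return the indicators a request target trips (empty list for ordinary requests)."""
    path, _, query = target.partition("?")
    hits = []
    if path.lower().endswith(ISAPI_EXT):
        hits.append("isapi-extension")
    run = LONG_RUN_RE.search(query)
    if run:
        hits.append(f"filler-run:{run.group(1)}x{len(run.group(0))}")
    n_esc = len(UNICODE_ESC_RE.findall(query))
    if n_esc >= MIN_UNICODE_ESCAPES:
        hits.append(f"unicode-escapes:{n_esc}")
    return hits


def scan_log(text: str, min_indicators: int = 2) -> list:
    """Parse log lines and return a Finding for each request with enough indicators.

    With the default of 2, a lone .ida/.idc request (path-disclosure probe) is not
    reported; pass min_indicators=1 to see those too.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unrecognised line format: skip rather than guess
        hits = request_indicators(m["target"])
        if len(hits) >= min_indicators:
            findings.append(Finding(m["ip"], m["ts"], int(m["status"]), hits))
    return findings


if __name__ == "__main__":
    for f in scan_log(CONSTRUCTED_LOG, min_indicators=1):
        print(f"{f.timestamp} {f.ip} status={f.status} {' '.join(f.indicators)}")
```

To run it against a real server, replace CONSTRUCTED_LOG with the contents of the access log; if the log uses a different format, only LOG_RE needs adjusting, since the indicator checks work on the request target alone.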