From: Tim Walberg (twalberg mindspring.com)
Date: Mon Aug 06 2001 - 13:26:23 CDT
I've been seeing similar for several days; the first deformation
was missing the "GET " at the beginning (i.e. packet began
with "/default.ida?...."). Now it looks like a few more bytes off
the front are missing. Given that this is a malformed HTTP request,
I don't think this will have the same effect as the original attack,
but there may still be concerns with certain http servers attempting
to parse the packet - the parsing problem now hits the method recognition
code, rather than the URI parsing code, though.
tw
On 08/06/2001 13:10 -0300, Rodrigo Barbosa wrote:
>> Things are getting a little weird here.
>>
>> I have been getting some malformed CodeRed requests, like this:
>>
>> 000.000.000.000 - - [06/Aug/2001:13:06:27 -0300] "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.1" 400 -
>>
>> I'm hiding the IP of the source for obvious reasons.
>>
>> The point is that it looks like a CodeRed II, but it's missing the
>> beginning of the xploit string. Also, this is an HTTP/1.1 request, while
>> regular CRII requests are HTTP/1.0.
>>
-- twalbergmindspring.com
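
Added example, not part of the original messages: a small log classifier that separates the three request shapes discussed in this thread (intact, "GET " missing, front truncated) so the malformed variants can be counted apart from the original. It assumes Common Log Format input; the marker is the %u run from the request quoted above, and the sample lines, their addresses and the shortened padding are constructed.

```python
import re

# Common Log Format: host ident user [time] "request" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) (\S+)$')
# %u-encoded run copied from the request quoted in this thread
MARKER = "%u9090%u6858%ucbd3%u7801"
PREFIX = "GET /default.ida?"
METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}

def classify(line):
    """Return (kind, protocol, status) for a Code Red style request, else None."""
    m = CLF.match(line)
    if not m:
        return None
    request, status = m.group(3), int(m.group(4))
    if MARKER not in request.lower():
        return None
    # Split off the trailing protocol token, if the request still has one
    body, _, proto = request.rpartition(" ")
    if not proto.startswith("HTTP/"):
        body, proto = request, None
    if body.startswith(PREFIX):
        kind = "intact"            # method and URI both present
    elif body.startswith(PREFIX[4:]):
        kind = "method-missing"    # begins with "/default.ida?"
    elif body.split(" ", 1)[0] not in METHODS:
        kind = "front-truncated"   # fails at method recognition
    else:
        kind = "other-method"
    return kind, proto, status

# Constructed sample input: documentation addresses, shortened padding
PAD = "X" * 24
TAIL = MARKER + "%u00=a"
SAMPLE = [
    f'192.0.2.10 - - [06/Aug/2001:13:01:02 -0300] "GET /default.ida?{PAD}{TAIL} HTTP/1.0" 404 -',
    f'192.0.2.11 - - [06/Aug/2001:13:03:40 -0300] "/default.ida?{PAD}{TAIL} HTTP/1.0" 400 -',
    f'192.0.2.12 - - [06/Aug/2001:13:06:27 -0300] "{PAD}{TAIL} HTTP/1.1" 400 -',
    '192.0.2.13 - - [06/Aug/2001:13:07:00 -0300] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line), line.split(" ", 1)[0])
```

Returning the protocol and status with the kind makes it easy to see whether the truncated variants are the ones arriving as HTTP/1.1 and being rejected with 400.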