

Also entries with NNNNNNNNNNN...
Authored by: sjonke on Aug 08, '01 04:59:00PM

I see lots of those XXXXXXXXXXXX... entries, but also some with N........... For example:

66.89.136.70 - - [08/Aug/2001:09:58:02 -0400] "GET /default.ida?NNNNN...[snip]...
NNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3
%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00
%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 326

What does that indicate if anything?



Also entries with NNNNNNNNNNN...
Authored by: aarle on Aug 08, '01 06:47:51PM
The entries with NNNNNN instead of XXXXXXXX in them are from the original version of Code Red, which became active again on August 1.

The XXXXXXX entries are of a newer strain of the worm, which apart from using a large number of X's to force the buffer overflow in IIS (instead of N's) doesn't seem different.

As for warning infected parties about their infections: there are so many that it becomes a bit of a chore very soon.
I thought about writing a quick PHP script that parses the IP address of the server making the request, and then sends a mail message warning of their infection to abuse@the_offending_ip_address, but still haven't found the time yet.
It would be trivial to write such a simple script, name it default.ida (the file the Code Red worm tries to access on your server), put it in the server root, and change /etc/httpd/httpd.conf so that ".ida" files will be recognized as PHP files (to make sure the script actually gets executed).


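As an added, constructed example (not the poster's script, and in Python rather than PHP), a defender-side take on the idea above: parse Apache access-log lines like the ones quoted in this thread, pick out Code Red probes, tell the N-filler original strain from the X-filler strain, and tally probing hosts per variant so the list can feed an abuse report or a blocklist. The sample log lines and the 'codered-v1'/'codered-v2' labels are assumptions made for the example.

```python
import re
from collections import Counter

# Apache common/combined log prefix: client IP, identd, user, [timestamp], "request".
_LOG_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})'
)
# Code Red probes hit /default.ida with a long filler of N (original strain)
# or X (later strain) followed by %u-encoded payload bytes; 20+ is an assumed
# threshold that separates a probe from an ordinary request to that path.
_PROBE_RE = re.compile(r'^/default\.ida\?(?P<fill>N{20,}|X{20,})', re.IGNORECASE)


def classify_request(target):
    """Return 'codered-v1' (N filler), 'codered-v2' (X filler) or None."""
    m = _PROBE_RE.match(target)
    if not m:
        return None
    return 'codered-v1' if m.group('fill')[0].upper() == 'N' else 'codered-v2'


def scan_log(lines):
    """Yield (ip, timestamp, variant) for every Code Red probe in the log."""
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a well-formed access-log line; skip it
        variant = classify_request(m.group('target'))
        if variant:
            yield m.group('ip'), m.group('ts'), variant


def summarize(lines):
    """Count probes per (ip, variant): the list to notify abuse@ or to block."""
    hits = Counter()
    for ip, _ts, variant in scan_log(lines):
        hits[(ip, variant)] += 1
    return dict(hits)


# Constructed sample lines modelled on the entries quoted in the thread.
PAYLOAD = '%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801'
SAMPLE_LOG = [
    '66.89.136.70 - - [08/Aug/2001:09:58:02 -0400] "GET /default.ida?' + 'N' * 224 + PAYLOAD + ' HTTP/1.0" 400 326',
    '192.0.2.10 - - [08/Aug/2001:10:01:17 -0400] "GET /default.ida?' + 'X' * 224 + PAYLOAD + ' HTTP/1.0" 400 326',
    '192.0.2.10 - - [08/Aug/2001:10:01:18 -0400] "GET /default.ida?' + 'X' * 224 + PAYLOAD + ' HTTP/1.0" 400 326',
    '198.51.100.7 - - [08/Aug/2001:10:02:00 -0400] "GET /index.html HTTP/1.0" 200 1043',
]

if __name__ == '__main__':
    for (ip, variant), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f'{ip:16} {variant:12} {n} probe(s)')
```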