Yes, Mark, this is a sign of hostile activity -- but it's probably technically a worm rather than a virus.

This request is an attack which is attempting to exploit one of the known vulnerabilities in some versions of Microsoft's IIS web server software. It's trying to call default.ida with an overly-long request (that's all the X's padding it out) so that it overflows a buffer and the binary code at the end is executed by your web server (that's all of the hex data at the end of the request). If you're keen, you can research to see which specific attack on IIS is being attempted.

If your web server runs IIS, you should check immediately to see whether it's up to date with the latest security patches.

If you don't run IIS -- and your mention of a "Linux guru" indicates that you're probably not -- then this is something which you can safely ignore.

If you don't want to see these requests in your analog reports, then include a line in your configuration file along the lines of "FILEEXCLUDE default.ida".

HTH,

Stil


At 11:18 +1200 8/8/03, Mark Henderson wrote:
I posted yesterday requesting assistance regarding a byte count problem; however, it has since come to my attention that it may not be an analog issue. Our Linux guru has suggested that it *may* in fact be viral activity that is generating the problematic lines in the logfiles.

Here is a snippet of the relevant section:

Mozilla/4.0+(compatible;+grub-client-1.4.3;+Crawl+your+own+stuff+with+http://grub.org)
2003-08-01 06:44:39 202.29.20.137 - 202.50.169.138 80 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -


These x's are a regular occurrence after each reference to default.ida and result in 0 bytes being read. Has anyone seen this before?


regards
Mark Henderson
Web Designer
--------------------------------------------------------
Clive Wilson Computers: http://www.cwc.co.nz
Webs2specs: http://www.webs2specs.com
ISPNZ: http://www.ispnz.co.nz

Phone: (03) 208 1988
Fax: (03) 208 1989
---------------------------------------------------------
+------------------------------------------------------------------------
| TO UNSUBSCRIBE from this list:
| http://lists.isite.net/listgate/analog-help/unsubscribe.html
|
| Digest version: http://lists.isite.net/listgate/analog-help-digest/
| Usenet version: news://news.gmane.org/gmane.comp.web.analog.general
| List archives: http://www.analog.cx/docs/mailing.html#listarchives
+------------------------------------------------------------------------


--
Stilgherrian <[EMAIL PROTECTED]>
Internet, IT and Media Consulting, Sydney, Australia. ABN 25 231 641 421
mobile 0407 623 600 (international +61 407 623 600)
fax 02 9516 5630 (international +61 2 9516 5630)
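The reply above describes the shape of these requests: a GET for /default.ida, a query string padded with a long run of X's, and a tail of %uXXXX-encoded bytes. A defender reviewing IIS W3C logs usually wants to count such probes per source address rather than read them by hand. The following is an added example, not code from the original posts or from analog; it parses the #Fields directive of a W3C extended log and flags entries matching that shape. The log text and the 192.0.2.x / 198.51.100.x addresses are constructed sample data, and the thresholds (64 X's, two %u escapes) are assumptions chosen for the example.

```python
import re
from collections import Counter

# Constructed sample IIS W3C extended log. The field layout matches the line quoted
# in the thread; addresses are from documentation ranges, not real hosts.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2003-08-01 06:44:39 192.0.2.10 - 198.51.100.5 80 GET /default.ida {xs}%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3 200 -
2003-08-01 06:45:02 192.0.2.11 - 198.51.100.5 80 GET /index.html - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2003-08-01 06:46:10 192.0.2.10 - 198.51.100.5 80 GET /default.ida {xs}%u9090%u6858%ucbd3%u7801 200 -
2003-08-01 06:47:33 192.0.2.12 - 198.51.100.5 80 GET /default.ida short 404 -
""".format(xs="X" * 224)

# Heuristics for the probe described in the thread (thresholds are assumptions):
# a long run of X padding, followed by at least two %uXXXX-encoded words.
IDA_PADDING = re.compile(r"X{64,}")
UNICODE_ESCAPE = re.compile(r"(?:%u[0-9a-fA-F]{4}){2,}")


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]   # field names follow the directive
            continue
        if raw.startswith("#"):
            continue                   # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line before #Fields directive")
        parts = raw.split(" ")         # W3C encodes spaces inside values as '+'
        if len(parts) != len(fields):
            continue                   # skip malformed or truncated lines
        yield dict(zip(fields, parts))


def is_ida_probe(entry):
    """True when the entry looks like the padded default.ida overflow request."""
    stem = entry.get("cs-uri-stem", "").lower()
    query = entry.get("cs-uri-query", "")
    if not stem.endswith("/default.ida"):
        return False
    return bool(IDA_PADDING.search(query)) and bool(UNICODE_ESCAPE.search(query))


def summarize(text):
    """Return (total data lines, Counter of probe hits per client address)."""
    hits = Counter()
    total = 0
    for entry in parse_w3c(text):
        total += 1
        if is_ida_probe(entry):
            hits[entry["c-ip"]] += 1
    return total, hits


if __name__ == "__main__":
    total, hits = summarize(SAMPLE_LOG)
    print(f"{total} requests scanned")
    for ip, n in hits.most_common():
        print(f"{ip}: {n} default.ida probe(s)")
```

The entries this flags are the ones an analog exclusion line such as the one suggested above would hide from reports; on a server that does not run IIS they are noise, while on an IIS host a 200 status on such a request is the line worth investigating against the patch level.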
