Thanks for your prompt and accurate responses! The 4092 bytes made me suspicious of a new IIS overflow that was not being caught.
The exploit you referenced mentions 296 x A's that rotate to drop the code. That pretty much nails this scenario on the head! Searches of my normal usenet groups and sec groups failed to find this, so I appreciate your help in identifying the possible exploit. We are, of course, patched for this, but it was concerning me!

Oliver

---------- Original Message ----------------------------------
From: Thorolf <[EMAIL PROTECTED]>
Date: Thu, 29 Apr 2004 16:52:58 +0200 (CEST)

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>
>Hi,
>
>I have a few alerts in 24h,
>
>
>[EMAIL PROTECTED]:ttyp3[log] #grep "194.xx.xx.xx" httpd-access.log
>194.xx.xx.xx - - [26/Apr/2004:12:22:36 +0000] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0...
>
>It looks like some mutation of a worm/virus; it uses this bug:
>
>http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx
>
>Look at this ...
>http://seclists.org/lists/incidents/2004/Mar/0107.html
>
>
>Regards,
>Rafal Lesniak
>
>- --
>- - Administrator
>- - Run for your lives, death has arrived
>- - Try save your soul, run from the sound of rowing oars
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.2.4 (FreeBSD)
>
>iQCVAwUBQJEWz+2ijGMJcqkLAQJi4gP+IGTPHBUYU83GIF/uv8nQ1zsLqkxPDeoy
>m/SY9oFA1lamAHEHqh4i0F58LWJ40qPCF/RA/Nb+IHygReSSN/EQNnH8Cbzb4A4B
>RvIMLuPsqipwSYpzzxILMxhp/Nl8ExlgWQdwS81jL9GKcWkVL7pVQ7w69Zyj6G+D
>cL/kdP6VgT0=
>=kcOt
>-----END PGP SIGNATURE-----
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
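An added example, not code from either poster: a small Python scanner that parses access-log lines like the one Rafal grepped, undoes Apache's `\xHH` escaping of non-printable request bytes, and flags requests that look like the padded WebDAV SEARCH quoted above. The sample log lines, addresses (192.0.2.0/24 documentation range) and payloads are constructed; the WebDAV method list, the 1024-byte URI limit and the 25% non-printable threshold are assumptions to tune for your own server.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# WebDAV verbs whose request-URI normally stays short; a multi-kilobyte URI on one
# of these is what the quoted SEARCH request looks like. (The list is an assumption.)
WEBDAV_METHODS = {"SEARCH", "PROPFIND", "PROPPATCH", "LOCK", "UNLOCK", "MKCOL", "COPY", "MOVE"}

# Common Log Format, as in the thread: host ident user [time] "METHOD URI PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)(?: (?P<proto>[^"]+))?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Apache writes non-printable request bytes as \xHH and escapes quote/backslash;
# undo that so length and byte statistics are computed on the bytes that hit the server.
SIMPLE_ESCAPES = {"n": 0x0A, "r": 0x0D, "t": 0x09, '"': 0x22, "\\": 0x5C}


def decode_apache_escapes(s: str) -> bytes:
    out = bytearray()
    i = 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            n = s[i + 1]
            if n == "x" and i + 3 < len(s):
                try:
                    out.append(int(s[i + 2:i + 4], 16))
                    i += 4
                    continue
                except ValueError:
                    pass  # not a hex escape; fall through and keep the backslash
            if n in SIMPLE_ESCAPES:
                out.append(SIMPLE_ESCAPES[n])
                i += 2
                continue
        out.append(ord(c) & 0xFF)
        i += 1
    return bytes(out)


@dataclass
class Finding:
    ip: str
    method: str
    uri_len: int
    reasons: List[str] = field(default_factory=list)


def analyse_request(ip: str, method: str, uri: str,
                    max_dav_uri: int = 1024, nonprint_ratio: float = 0.25) -> Optional[Finding]:
    """Return a Finding if the request-URI looks like overflow padding, else None."""
    raw = decode_apache_escapes(uri)
    reasons = []
    if method in WEBDAV_METHODS and len(raw) > max_dav_uri:
        reasons.append(f"{method} URI is {len(raw)} bytes (limit {max_dav_uri})")
    nonprint = sum(1 for b in raw if b < 0x20 or b > 0x7E)
    if raw and nonprint / len(raw) >= nonprint_ratio:
        reasons.append(f"{nonprint}/{len(raw)} bytes are non-printable")
    # A long URI built from a handful of byte values is filler or a sled, whatever its length.
    if len(raw) >= 64 and len(set(raw)) <= 4:
        reasons.append(f"{len(raw)}-byte URI uses only {len(set(raw))} distinct byte values")
    return Finding(ip, method, len(raw), reasons) if reasons else None


def scan_log(lines) -> List[Finding]:
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            f = analyse_request(m["ip"], m["method"], m["uri"])
            if f:
                findings.append(f)
    return findings


def _apache_escape(b: bytes) -> str:
    """Render bytes the way Apache logs them; only used here to build the samples."""
    return "".join(chr(x) if 0x20 <= x <= 0x7E and x not in (0x22, 0x5C) else f"\\x{x:02x}" for x in b)


# Constructed sample lines, modelled on the one quoted in the thread.
SLED = _apache_escape(b"\x90" + b"\x02\xb1" * 2000)   # 4001 bytes of the quoted byte pattern
FILLER = "A" * 296                                    # a plain run of A's, the size Oliver mentions
SAMPLE_LOG = [
    f'192.0.2.10 - - [26/Apr/2004:12:22:36 +0000] "SEARCH /{SLED} HTTP/1.1" 411 -',
    '192.0.2.11 - - [26/Apr/2004:12:23:01 +0000] "GET /index.html HTTP/1.1" 200 1234',
    '192.0.2.12 - - [26/Apr/2004:12:24:05 +0000] "PROPFIND /dav/ HTTP/1.1" 207 512',
    f'192.0.2.13 - - [26/Apr/2004:12:25:40 +0000] "SEARCH /{FILLER} HTTP/1.1" 400 -',
    '192.0.2.14 - - [26/Apr/2004:12:26:00 +0000] "GET /s?q=' + "x" * 1500 + ' HTTP/1.1" 200 99',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ip} {f.method} {f.uri_len} bytes: " + "; ".join(f.reasons))
```

The distinct-byte heuristic is there because the two payload sizes mentioned in the thread (4092 bytes and 296 A's) already differ: it fires on both the `\x02\xb1` sled from the quoted log and a plain run of A's without depending on any one length, while the long GET with a 1500-character query string is left alone.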
