looks too me like good old Code Red Version 1. On Sat, 7 Dec 2002 16:13:11 +0100 "Paolo Mattiangeli" <[EMAIL PROTECTED]> wrote:
> Hi everybody, I guess maybe someone out there can help me with this. I > have a w2k server running IIS 5 and keep receiving what I think to be > "probes" on my web server. Today I found in the log the following entry: > > 2002-12-07 14:33:32 200.170.226.83 - 192.168.100.7 80 GET /default.ida > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN > NNNN > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN > NNNN > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN > %u90 > 90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u90 > 90%u 9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 - > > which I guess to be a tentative of buffer overrun on my web server. I > have some difficulties to understand what is the matter here, but the > thing that most worries me is the final "200 - " which in some way could > mean that the response of the server is positive (in most cases it ist > 404 - or 500 -). Could someone help? > > Thanks and regards > > pamatt > > -- -------------------------------------------------------------------- [EMAIL PROTECTED] Collaborative Intrusion Detection join http://www.dshield.org
msg10049/pgp00000.pgp
Description: PGP signature