Curious HTTP GET commands ...
Drew Taylor
drew at drewtaylor.com
Fri Aug 3 23:00:39 EDT 2001
I'm pretty sure that the .ida files are an IIS thing. But I'm not 100%
sure. I try to stay away from IIS whenever possible. :-)
At 02:00 AM 8/4/01 +0000, John Chambers wrote:
>My apache access_log shows a number of requests starting 19 July, all
>from different IP addresses, that look like:
>
>"GET
>/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
>HTTP/1.0"
>
>It's fairly obvious that something out there is trying to take
>advantage of some sort of buffer overflow, though it doesn't seem to
>be working. It just gets a "Client sent malformed Host header"
>message in the errlog. This doesn't seem to be nearly enough bytes to
>overflow a buffer, anyway, since I've seen valid URLs (with lots of
>form params) that are much longer than this. And it doesn't seem to
>have any effect at all on the apache 1.3.17 that I'm running. But
>maybe it works with some servers. Anyone have any idea what attack
>this might be? What is "default.ida"?
>
>-
>Subscription/unsubscription/info requests: send e-mail with
>"subscribe", "unsubscribe", or "info" on the first line of the
>message body to discuss-request at blu.org (Subject line is ignored).
Drew Taylor
mailto:drew at drewtaylor.com
http://www.drewtaylor.com/
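
Added example, not part of the original messages: a small access_log triage script for the request pattern quoted above (an `.ida` path, a long run of one repeated character, then `%uXXXX` escapes), grouped by day to show how many distinct hosts sent it. It assumes Apache common log format; the function names, thresholds and sample lines are constructed for illustration.

```python
import re

# Apache common log format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" \d{3} \S+'
)
FILLER_RE = re.compile(r"(.)\1{63,}")        # one character repeated 64+ times
PCT_U_RE = re.compile(r"%u[0-9a-fA-F]{4}")   # non-standard %uXXXX escapes


def classify(line):
    """Return a finding dict for a suspicious .ida probe, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    path, _, query = m["target"].partition("?")
    reasons = []
    if path.lower().endswith(".ida"):
        reasons.append("ida-path")
    if FILLER_RE.search(query):
        reasons.append("filler-run")
    if len(PCT_U_RE.findall(query)) >= 4:
        reasons.append("pct-u-escapes")
    # Require two independent signals so an ordinary long query string is not flagged.
    if len(reasons) < 2:
        return None
    return {"host": m["host"], "day": m["when"].split(":", 1)[0], "reasons": reasons}


def summarize(lines):
    """Group findings by day and count the distinct source hosts seen."""
    by_day = {}
    for line in lines:
        hit = classify(line)
        if hit:
            by_day.setdefault(hit["day"], set()).add(hit["host"])
    return {day: len(hosts) for day, hosts in by_day.items()}


# Constructed sample lines (documentation addresses, placeholder escapes).
_PROBE = "/default.ida?" + "N" * 224 + "%u4141" * 6 + "=a"
SAMPLE = [
    f'192.0.2.10 - - [19/Jul/2001:10:01:02 +0000] "GET {_PROBE} HTTP/1.0" 400 331',
    f'198.51.100.7 - - [19/Jul/2001:10:05:44 +0000] "GET {_PROBE} HTTP/1.0" 400 331',
    '203.0.113.5 - - [19/Jul/2001:10:06:00 +0000] "GET /search?q=' + "a=1&" * 80 + ' HTTP/1.0" 200 5120',
    '203.0.113.5 - - [19/Jul/2001:10:07:00 +0000] "GET /index.html HTTP/1.0" 200 1043',
]

print(summarize(SAMPLE))
```

The long but ordinary form query in the third sample line is not flagged, because length alone is not one of the signals.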