Curious HTTP GET commands ...

Drew Taylor drew at drewtaylor.com
Fri Aug 3 23:00:39 EDT 2001


I'm pretty sure that the .ida files are an IIS thing. But I'm not 100% 
sure. I try to stay away from IIS whenever possible. :-)

At 02:00 AM 8/4/01 +0000, John Chambers wrote:
>My apache access_log shows a number of requests starting 19 July, all
>from different IP addresses, that look like:
>
>"GET 
>/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 
>HTTP/1.0"
>
>It's fairly obvious that something out there is trying to take
>advantage of some sort of buffer overflow, though it doesn't seem to
>be working. It just gets a "Client sent malformed Host header"
>message in the errlog. This doesn't seem to be nearly enough bytes to
>overflow a buffer, anyway, since I've seen valid URLs (with lots of
>form params) that are much longer than this. And it doesn't seem to
>have any effect at all on the apache 1.3.17 that I'm running. But
>maybe it works with some servers. Anyone have any idea what attack
>this might be? What is "default.ida"?
>
>-
>Subcription/unsubscription/info requests: send e-mail with
>"subscribe", "unsubscribe", or "info" on the first line of the
>message body to discuss-request at blu.org (Subject line is ignored).

Drew Taylor
mailto:drew at drewtaylor.com
http://www.drewtaylor.com/


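The request John quotes is easy to pick out of an Apache access_log mechanically, which is what a defender wants once it starts arriving from many addresses. The following Python script is an added example written for this archive page, not code from either poster: it parses common-log-format lines and flags requests that carry two or more of the indicators visible in the quoted line, namely a request for an .ida/.idq resource (the IIS Index Server ISAPI extension that Drew suspects, which Apache never serves), the IIS-only %uXXXX escape encoding that Apache does not decode, and a long run of one repeated filler byte. The log lines, the minimum run length of 16 and the two-indicator threshold are my own constructed sample and assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Iterator, List

# Constructed sample access_log lines in Apache common log format. The first
# two mimic the request quoted in the thread (shortened); the others are
# ordinary traffic that must not be flagged.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Jul/2001:14:02:11 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 300
192.0.2.11 - - [20/Jul/2001:03:15:42 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 400 300
198.51.100.5 - - [20/Jul/2001:09:00:01 -0400] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [20/Jul/2001:09:00:05 -0400] "GET /search?q=NNNNNNNN HTTP/1.1" 200 512
203.0.113.9 - - [20/Jul/2001:09:01:00 -0400] "POST /cgi-bin/form.pl HTTP/1.0" 200 88
"""

# Common log format: ip ident user [timestamp] "METHOD target PROTO" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators of the probe described in the thread:
#  - a request for an .ida/.idq resource, which only the IIS Index Server
#    ISAPI extension would handle, so on Apache it is never legitimate;
#  - %uXXXX escapes, a non-standard IIS-only encoding that Apache does not
#    decode, here carrying the binary part of the request;
#  - a long run of one repeated byte ("NNNN...") used as filler before it.
#    The run length of 16 is an assumed threshold for this example.
IDA_RE = re.compile(r'\.id[aq](\?|$)', re.IGNORECASE)
UNICODE_ESC_RE = re.compile(r'%u[0-9a-fA-F]{4}')
FILLER_RE = re.compile(r'(.)\1{15,}')


@dataclass
class Finding:
    ip: str
    timestamp: str
    target: str
    status: int
    reasons: List[str] = field(default_factory=list)


def parse_clf(lines) -> Iterator[dict]:
    """Yield the fields of each well-formed common-log-format line."""
    for line in lines:
        m = CLF_RE.match(line)
        if m:
            yield m.groupdict()


def classify(entry: dict) -> List[str]:
    """Return the names of the indicators that match one parsed entry."""
    target = entry["target"]
    reasons = []
    if IDA_RE.search(target):
        reasons.append("ida-isapi-request")
    if UNICODE_ESC_RE.search(target):
        reasons.append("percent-u-encoding")
    if FILLER_RE.search(target):
        reasons.append("repeated-byte-filler")
    return reasons


def scan_log(text: str, min_reasons: int = 2) -> List[Finding]:
    """Return a Finding for every request matching at least min_reasons
    indicators. Requiring two keeps an innocent query like ?q=NNNN out."""
    findings = []
    for e in parse_clf(text.splitlines()):
        reasons = classify(e)
        if len(reasons) >= min_reasons:
            findings.append(Finding(e["ip"], e["ts"], e["target"],
                                    int(e["status"]), reasons))
    return findings


def distinct_sources(findings: List[Finding]) -> int:
    """The thread notes each probe came from a different address; counting
    them tells you how many distinct hosts have reached your server."""
    return len({f.ip for f in findings})


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h.timestamp} {h.ip} {h.status} {h.target[:40]}... {h.reasons}")
    print(f"{len(hits)} probe(s) from {distinct_sources(hits)} source address(es)")
```

Run against a real access_log with `scan_log(open("access_log").read())`. Because the worm's request is only dangerous to the IIS component it targets, the interesting output for an Apache administrator is not the status code (Apache answers 400 and moves on, as John observed) but the number of distinct source addresses, which is a rough measure of how many infected machines can reach you.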