Re: [cobalt-developers] Buffer overrun? [MORE]
- Subject: Re: [cobalt-developers] Buffer overrun? [MORE]
- From: shimi <shimi@xxxxxxxxxxxxxxxx>
- Date: Thu Jul 19 07:38:18 2001
- List-id: Discussion Forum for developers on Cobalt Networks products <cobalt-developers.list.cobalt.com>
On Thu, 19 Jul 2001, shimi wrote:
>
> On Thu, 19 Jul 2001, Admin @ Adopt A Band.com wrote:
>
> > I have noticed today an explosion of hacking attempts on the http logs, the
> > attackers (many different source IPs)
> > are sending this string:
> >
> > GET
> > /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> > NNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
> > u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> >
> > to which our RAQ4 answers (luckily) with a 400 not found ...
> > But I guess that today there must have been some exploit announced. Does anybody
> > know anything about it? Reasons to be concerned?
> > And, what would an .ida file be?
> >
> > Alessandro Bologna
>
> That's a Micro$oft IIS remote SYSTEM bug, found by www.eEye.com. Nothing
> to worry about on Linux based machines.
>
> - shimi.
>
MORE
This is probably the "Code-Red" worm that will act on 20/7/2001, trying to
do a Denial of Service attack on www.whitehouse.gov.
This worm tries to infect as many people as possible, and has a permanent
seed for the IP address randomization. So expect MORE traffic like that,
and also expect it to come from WEBSERVERS.
It infects only Microsoft webservers that were not patched against the .ida
vulnerability that was found last month by eEye.com. eEye.com also
analyzed the mentioned "Code-Red" worm and its effects.
Their current estimation is that very soon, 300,000 machines (or more)
will start sending out 410MB of information each, at intervals of 4.5
hours, all directed to port 80 of www.whitehouse.gov. My simple
calculation gives that the website of whitehouse.gov will be dealing with
a permanent attack of 27.3333 TERABYTES of data every hour, which will
possibly make the provider go down, if not some backbones, as that worm
keeps spreading.
You can read all about that at eeye.com.
- shimi.
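
For admins who want to count this traffic in their own logs, here is an added example (not part of the original message or of any Cobalt tooling) that tallies the `/default.ida` probes quoted above per source host. It assumes Common Log Format; the thresholds (a 50-character padding run, four `%uXXXX` escapes) and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Common Log Format: host ident user [time] "request" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([^"]*)" (\d{3}) \S+')
PAD_RUN = re.compile(r'(.)\1{49,}')       # 50+ repeats of one character
PCT_U = re.compile(r'%u[0-9a-fA-F]{4}')   # IIS-style %uXXXX escapes

def classify(request):
    """Return the traits of a request line that match the probe, or []."""
    parts = request.split(' ')
    if len(parts) < 2:
        return []
    path, _, query = parts[1].partition('?')
    if not path.lower().endswith('.ida'):
        return []
    traits = ['ida-request']
    if PAD_RUN.search(query):
        traits.append('long-padding')
    if len(PCT_U.findall(query)) >= 4:
        traits.append('percent-u-run')
    return traits

def scan(lines):
    """Count probes per source host and tally the status codes returned."""
    hits, statuses = Counter(), Counter()
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue                       # skip lines that are not CLF
        host, request, status = m.groups()
        if len(classify(request)) >= 2:    # .ida plus a payload trait
            hits[host] += 1
            statuses[status] += 1
    return hits, statuses

# Constructed sample input (documentation IP ranges, shortened payload).
PROBE = '/default.ida?' + 'N' * 224 + '%u9090%u6858%ucbd3%u7801' * 2
SAMPLE = [
    '192.0.2.10 - - [19/Jul/2001:07:01:02 +0000] "GET %s HTTP/1.0" 400 325' % PROBE,
    '198.51.100.7 - - [19/Jul/2001:07:03:40 +0000] "GET %s HTTP/1.0" 400 325' % PROBE,
    '192.0.2.10 - - [19/Jul/2001:07:09:11 +0000] "GET %s HTTP/1.0" 400 325' % PROBE,
    '203.0.113.5 - - [19/Jul/2001:07:10:00 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '203.0.113.5 - - [19/Jul/2001:07:10:05 +0000] "GET /help.ida?topic=1 HTTP/1.0" 404 210',
]

if __name__ == '__main__':
    hits, statuses = scan(SAMPLE)
    for host, n in hits.most_common():
        print(host, n)
    print(dict(statuses))
```

The per-host count is the useful output: sources that appear here are web servers that are themselves sending the probe, which is the traffic the message says to expect more of.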