New type of entry in log...

Never seen before entry

         

animator

7:43 pm on Apr 28, 2003 (gmt 0)

10+ Year Member



First time submission...

Got the following, and traced it to multicarta.vtb.ru;
then got hit again several hours later from 80.133.253.146.

Couldn't get a trace on it though...

It almost looks like formatting code...
Just installed update Q329553: Critical Update (Windows 2000).
Could that have anything to do with it?

These entries can really fill up a log fast!

Thanks in advance...
Animator

2003-04-27 11:47:43 195.151.60.80 - (my IP)SEARCH /ÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎ ...?? .. - 404 1641 -

[edited by: heini at 7:54 pm (utc) on April 28, 2003]
[edit reason] Fixed monstrous sidescroll ;) [/edit]

animator

7:47 pm on Apr 28, 2003 (gmt 0)

10+ Year Member



Sorry about the formatting in the posting...
Animator

jdMorgan

7:57 pm on Apr 28, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



That monstrous sidescroll says it all...

This was simply an attempt to overrun your server's input buffer, and place code into the area beyond the request input buffer. Another one of the buffer overrun exploits that MS has to issue patches for twice a month...

Jim

animator

8:04 pm on Apr 28, 2003 (gmt 0)

10+ Year Member



Thanks for the input, but one more question:

Why do you think I haven't seen it before, and why two
attempts in the same day?

(I guess that's two more questions...)

jdMorgan

8:11 pm on Apr 28, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Probably because it's using encoded characters - from Russia.

Twice in the same day just means their "potential victim" list may be a short one.

I see the request "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (etc.)" all the time, and sometimes more than once from the same IP address.

If your server was vulnerable to this type of exploit, you'd know it by now... :o

Jim

<added> Where are my manners? - Welcome to WebmasterWorld [webmasterworld.com]! </added>
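An added example, not part of any post in this thread: a small log triage script that flags the two request shapes discussed above (the padded `SEARCH` entry and the `default.ida` request with a long run of `X`) and counts them per client IP. It assumes the whitespace-separated layout of the entry quoted in the first post, with the client IP as the third field and the URI and query fields following the method; the thresholds and sample lines are constructed.

```python
import re
from collections import Counter

# Constructed thresholds (assumptions): tune to the longest legitimate URL you serve.
MAX_FIELD_LEN = 255
RUN_RE = re.compile(r"(.)\1{31,}")  # one character repeated 32+ times in a row
METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "SEARCH", "PROPFIND"}

def classify(line):
    """Return a finding dict for an oversized or padded request, else None."""
    fields = line.split()
    for i, tok in enumerate(fields):
        if i >= 3 and tok in METHODS:
            break
    else:
        return None  # no method field: header, blank or malformed line
    target = fields[i + 1:i + 3]  # URI stem and the query field after it
    reasons = []
    if any(len(t) > MAX_FIELD_LEN for t in target):
        reasons.append("long-uri")
    if any(RUN_RE.search(t) for t in target):
        reasons.append("repeated-char-run")
    if not reasons:
        return None
    return {"client": fields[2], "method": tok, "reasons": reasons}

def summarize(lines):
    """Count flagged requests per client IP to spot repeat sources."""
    hits = Counter()
    for line in lines:
        finding = classify(line)
        if finding:
            hits[finding["client"]] += 1
    return hits

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE = [
    "2003-04-27 11:47:43 192.0.2.10 - 198.51.100.5 SEARCH /" + "\u00ce" * 300 + " - 404 1641 -",
    "2003-04-27 12:01:02 192.0.2.11 - 198.51.100.5 GET /default.ida " + "X" * 224 + " 404 1641 -",
    "2003-04-27 12:05:00 192.0.2.12 - 198.51.100.5 GET /index.html - 200 5120 -",
    "2003-04-27 18:30:11 192.0.2.11 - 198.51.100.5 GET /default.ida " + "X" * 224 + " 404 1641 -",
]

if __name__ == "__main__":
    for ip, count in summarize(SAMPLE).most_common():
        print(ip, count)
```

A 404 on a flagged line means the request did not reach a handler; flagged lines with a 200 or 500 status are the ones to look at first.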

animator

9:00 pm on Apr 28, 2003 (gmt 0)

10+ Year Member



Thanks a lot for the info...
Animator