Strange entries in server log?

Anyone seen anything like this before:

SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\...

the x## bit goes on forever, clearly trying to exploit a buffer overflow, but i've never seen requests like this before. hope our server isn't vulnerable ;)

Posted by joshua at November 8, 2003 06:58 PM
Comments

I got the same today.
apache responds with a 414 (Request URI Too Long) so i guess there's no problem.

btw: i'm using MT too.. wonder if that's got something to do with it or just coincidence.

» so sayeth dirk on November 19, 2003 at 04:52 AM

That's an exploit for WebDAV. I don't know if it affects Apache's mod_dav or not.

» so sayeth ed on November 19, 2003 at 07:41 PM

Hey guys,

WebDAV exploit for Windows / IIS. If you run IIS, you better patch; *NIX systems are unaffected.

http://www.fatelabs.com/library/fatelabs-ntdll-analysis.pdf

-joe

» so sayeth Joe LaChapell on November 20, 2003 at 10:42 AM

thanks for the replies everyone :)

j

» so sayeth joshua on December 1, 2003 at 08:19 AM

I had the same experience, and have been doing some research.

The person who wrote this exploit is Chinese (the first IP reported was traced to Beijing), and you can download the source code to this exploit too (only don't ask me where, ONE fool with code like this is bad enough!)

What you are seeing is the Traditional Chinese character set. Does anyone know what it says? I found that "\xb1" is the character for "east".

Anyhow, everything else said so far is correct. It was written initially to cause some ill effects on the Microsoft IIS service (distributed with Win2K, NT and one or two others).

Laters

~Rog.

» so sayeth Roger Davies on April 11, 2004 at 09:13 AM
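
Added example, not part of the original post or its comments: a small Python check for the log pattern discussed in this thread. It flags SEARCH requests whose URI is packed with \x-escaped bytes and records whether the server answered 414. The log lines, addresses, response sizes, the 500 status and the threshold of 32 escapes are constructed for illustration.

```python
import re

# Apache common/combined log prefix: host ident user [time] "request" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) (\S+)')
ESCAPED_BYTE = re.compile(r'\\x[0-9a-fA-F]{2}')  # a byte logged in \xhh form

def classify(line, min_escapes=32):
    """Return a finding for an oversized SEARCH request, or None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host, when, request, status, _size = m.groups()
    method, _, rest = request.partition(" ")
    if method != "SEARCH":
        return None
    escapes = len(ESCAPED_BYTE.findall(rest))
    if escapes < min_escapes:  # assumed threshold; an ordinary SEARCH has few or none
        return None
    return {
        "host": host,
        "time": when,
        "escaped_bytes": escapes,
        "status": int(status),
        # 414 means the server refused the URI as too long before handling it
        "rejected_414": status == "414",
    }

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in (classify(l) for l in lines) if f is not None]

# Constructed filler that mirrors the byte pattern quoted in the post.
PAYLOAD = "\\x90" + "\\x02\\xb1" * 200

# Constructed sample log (documentation-range addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Nov/2003:18:41:07 -0800] "SEARCH /' + PAYLOAD + '" 414 340',
    '198.51.100.7 - - [08/Nov/2003:18:42:10 -0800] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.5 - - [08/Nov/2003:18:43:55 -0800] "SEARCH /docs HTTP/1.1" 405 310',
    '192.0.2.44 - - [19/Nov/2003:04:50:12 +0100] "SEARCH /' + PAYLOAD + '" 500 612',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        verdict = "rejected with 414" if f["rejected_414"] else "NOT rejected, review this host"
        print(f'{f["time"]} {f["host"]} {f["escaped_bytes"]} escaped bytes, '
              f'status {f["status"]}: {verdict}')
```

A finding with any status other than 414 is the one worth following up, since it means the server accepted the request line instead of refusing it.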