[Snort-sigs] SID 1243
rwagner at ...447...
Tue Mar 19 08:19:14 EST 2002
I am not sure if this has been corrected. The website
http://www.snort.org/snort-db/sid.html?id=1243 showed this as complete, but
there isn't any detailed information listed. I guess it is MIA?
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida
attempt"; uricontent:".ida?"; nocase; dsize:>239; flags:A+;
classtype:web-application-attack; reference:cve,CAN-2000-0071; sid:1243;
An attempt was made to see if the system has the idq.dll file
vulnerability of IIS servers.
This technique may be part of a Code Red virus attack or a buffer overflow
attempt. If this file is available, then your system may be fully
A packet is sent to the server like:
126.96.36.199 - - [17/Mar/2002:06:19:38 -0600] "GET
b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 329 "-" "-"
The server will then respond with: "File . Error 0x80040e14 caught while
processing query" if this the system is patched and "The IDQ file
NULL.ida could not be found" if the vulnerability exists.
This can occur as part of the Code Red virus or a system recon.
Ease of Attack:
Easy. This can be done straight through any web browser.
Only if you are intentionally running idq.dll. This also checks for a
minimum length of 239.
Obtain the latest Microsoft IIS system patches and lockdown tools.
More information about the Snort-sigs