Does anyone know exactly what code is sent by an infected IIS?
I tested with:
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
but the urlpath_regex deny worked with it, and when requests came from a real
infected IIS the deny did not work.
So I think in the real virus request there are some characters instead of NNNNNN, so
that httpd-logging can't identify them.
I need it for testing different regular expressions on the virus request (because
the infected traffic stopped (I wanted it to stop, but now I need it :))).
Received on Wed Aug 08 2001 - 10:05:33 MDT