EXH-006 (2001, fictional reconstruction)
.ida
July 2001. IIS 4 and 5 answer a malformed GET to /.ida with a buffer overflow. Within hours the worm is scanning random IPv4 space for TCP 80.
Type: Classic
Difficulty: Intermediate
Era: 2000s
Time: 8 min
Briefing
You have anonymised IIS W3SVC logs from the first overnight after disclosure. Look for the tell-tale path fragment: the worm probed `GET /default.ida` with an oversized query string.
Your role
Contractor triaging a Fortune-500 extranet the week Code Red made the cover of every trade paper.
Objective
Prove from logs and a stub advisory that the probe traffic matches the .ida overflow pattern, not generic scanning.
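One way to do the triage the objective asks for, as an added example that is not part of the exhibit: parse W3C extended log lines using their `#Fields:` header, then separate `.ida` requests carrying an oversized query string from ordinary `.ida` hits and from unrelated scanner noise. The log lines, the 200-character threshold and the padding character are constructed assumptions for this example.

```python
"""Triage IIS W3SVC (W3C extended) logs for the oversized .ida probe pattern."""
from collections import Counter
from typing import Dict, List

# Constructed sample, not a real capture. The oversized query is a run of
# filler characters; the point is its length relative to a normal request.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-19 03:12:41 10.0.0.5 GET /default.htm - 200
2001-07-19 03:12:58 192.0.2.17 GET /default.ida {big} 200
2001-07-19 03:13:02 198.51.100.9 GET /admin/ - 404
2001-07-19 03:13:15 192.0.2.17 GET /default.ida {big} 200
2001-07-19 03:13:20 10.0.0.5 GET /default.ida - 200
2001-07-19 03:14:07 203.0.113.44 GET /DEFAULT.IDA {big} 200
""".replace("{big}", "X" * 240)

MIN_QUERY_LEN = 200  # assumed threshold for "oversized"; tune against your baseline


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Turn W3C extended log text into dicts keyed by the #Fields header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header may change mid-file; honour the latest
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def is_ida_overflow_probe(row: Dict[str, str], min_query_len: int = MIN_QUERY_LEN) -> bool:
    """True when the request targets a .ida handler with an oversized query string."""
    stem = row.get("cs-uri-stem", "").lower()
    query = row.get("cs-uri-query", "-")  # IIS logs "-" for an empty query
    return stem.endswith(".ida") and query != "-" and len(query) >= min_query_len


def triage(text: str) -> Dict[str, object]:
    """Count overflow-pattern hits, benign .ida hits, and distinct probing sources."""
    rows = parse_w3c(text)
    hits = [r for r in rows if is_ida_overflow_probe(r)]
    ida_other = [r for r in rows
                 if r.get("cs-uri-stem", "").lower().endswith(".ida") and r not in hits]
    return {"total": len(rows), "ida_overflow": len(hits), "ida_other": len(ida_other),
            "sources": Counter(r["c-ip"] for r in hits)}
```

Requests matching the pattern come from a distinct set of sources, while the internal host hitting `/default.ida` with an empty query is left out of the count.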
Terminal environment
- user: responder
- host: win-legacy-log
- cwd: /var/log/iis-reconstruction
- steps: 3
Safety note. This is a safe reconstruction. All systems, files, hosts, credentials, and outputs are simulated. Do not use these techniques on systems you do not own or have explicit permission to test.