From owner-freebsd-security Thu Aug 9 3:35:35 2001
Date: Thu, 9 Aug 2001 12:35:21 +0200 (CEST)
From: Claude Buisson
To: "Nickolay A.Kritsky"
Cc: Robin Smith
Subject: Re[2]: should I concerned?
In-Reply-To: <7690233759.20010809142523@internethelp.ru>
Message-ID: <20010809123052.U4026-100000@eve.framatome.fr>
Sender: owner-freebsd-security@FreeBSD.ORG

On Thu, 9 Aug 2001, Nickolay A.Kritsky wrote:

> Hello Robin,
>
> Thursday, August 09, 2001, 5:34:34 AM, you wrote:
>
> >>>>>> "faSty" == faSty writes:
>
> RS> faSty> Hi guys, I noticed the httpd's log (errors and access),
> RS> faSty> someone tried to exploit the security hole on apache webserver
> RS> faSty> and I don't know what this is.
>
> RS> faSty> my webserver apache version is
>
> RS> faSty> Server version: Apache/1.3.19 (Unix) Server built: May 17
> RS> faSty> 2001 20:14:06
>
> RS> faSty> [08/Aug/2001:14:39:03 -0700]
> RS> faSty>
> RS> "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
>
> RS> Relax: this is Code Red's signature (though the filler is X instead of
> RS> N: is this Son of Code Red?). You're running apache, not IIS.
>
> I have thought that Code Red exploit string must begin with
> "/default.idq"
> Was I wrong?
>

I have seen a few of these starting from August 6, amidst a flow of
"standard" GET /default.ida?NNNNNNNN... and GET /default.ida?XXXXXXX...

Is Code Red II bugged?

> RS> Robin Smith
>
> RS> To Unsubscribe: send mail to majordomo@FreeBSD.org
> RS> with "unsubscribe freebsd-security" in the body of the message
>
> ;-------------------------------------------
> ; NKritsky
> ; SysAdmin InternetHelp.Ru
> ; http://www.internethelp.ru
> ; mailto:nkritsky@internethelp.ru
>

Claude Buisson
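
Added example, not part of the original message or thread: a small classifier for the request shapes discussed above, sorting access-log lines by filler byte (N or X) and by whether the padding follows "GET /default.ida?" or starts the request field directly. The sample log lines, addresses and status codes are constructed, and the 32-byte minimum filler run is an assumed threshold.

```python
import re
from collections import Counter

# First double-quoted field of a Common Log Format line is the request.
REQUEST = re.compile(r'"([^"]*)"')
# Assumed threshold: >= 32 repeats of one filler byte (N or X),
# immediately followed by one or more %uXXXX-encoded words.
PADDING = re.compile(r"(([NX])\2{31,})((?:%u[0-9a-fA-F]{4})+)")
IDA_PREFIX = re.compile(r"GET /default\.ida\?", re.IGNORECASE)

def classify(line):
    """Return (filler, shape) for a Code Red style request, else None.

    shape is 'default.ida' when the padding follows 'GET /default.ida?',
    'bare' when the request field starts directly with the padding (the
    entry quoted in the thread), and 'other' for any other prefix.
    """
    m = REQUEST.search(line)
    if not m:
        return None
    request = m.group(1)
    pad = PADDING.search(request)
    if not pad:
        return None
    head = request[:pad.start()]
    if head == "":
        shape = "bare"
    elif IDA_PREFIX.fullmatch(head):
        shape = "default.ida"
    else:
        shape = "other"
    return pad.group(2), shape

def summarize(lines):
    """Count matching lines per (filler, shape) pair."""
    return Counter(c for c in map(classify, lines) if c)

# Constructed sample lines (documentation addresses, shortened payloads).
ENC = "%u9090%u6858%ucbd3%u7801%u9090"
SAMPLE = [
    '192.0.2.10 - - [08/Aug/2001:14:39:03 -0700] "' + "X" * 112 + ENC + '" 400 -',
    '192.0.2.11 - - [08/Aug/2001:14:40:10 -0700] "GET /default.ida?' + "N" * 224 + ENC + ' HTTP/1.0" 404 276',
    '192.0.2.12 - - [08/Aug/2001:14:41:55 -0700] "GET /default.ida?' + "X" * 224 + ENC + ' HTTP/1.0" 404 276',
    '192.0.2.13 - - [08/Aug/2001:14:42:01 -0700] "GET /index.html HTTP/1.0" 200 1024',
    '192.0.2.14 - - [08/Aug/2001:14:43:20 -0700] "GET /search?q=' + "X" * 40 + ' HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for key, count in sorted(summarize(SAMPLE).items()):
        print(key, count)
```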