Date: Sat, 4 Aug 2001 18:26:13 +0100 (BST)
From: Gavin Atkinson <gavin@ury.york.ac.uk>
To: Jon Loeliger <jdl@jdl.com>
Cc: <questions@FreeBSD.ORG>
Subject: Re: Attempted Buffer Overrun in via httpd?
Message-ID: <Pine.BSF.4.33.0108041824070.69628-100000@ury.york.ac.uk>
In-Reply-To: <E15T58n-000Ayh-00@jdl.com>
On Sat, 4 Aug 2001, Jon Loeliger wrote:
> I see a large number of httpd requests that look like this:
>
> 211.41.175.10 - - [03/Aug/2001:23:49:55 -0500] "GET /default.ida?NNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3
> %u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=
> a HTTP/1.0" 400 316 "-" "-"
>
> in my httpd access logs. This just smells like an attempted buffer
> over run exploit at work.
Looks like it to me as well - I believe it is the Code Red worm trying to
spread. I've had 106 of these and counting since 19th July. It only
affects unpatched Microsoft IIS.
> Anyone recognize it and know anything about it? Should I be worried?
> I'm running a current (right out of Ports) Apache here.
Long live Apache!
Gavin
--
"Experience is directly proportional to the value of equipment destroyed."
-- Carolyn Scheppner
- - Gavin Atkinson - Head Of Computing - University Radio York - -
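
Added example (not part of the original message): a small Python filter that picks requests of the shape quoted above out of an Apache access log and counts them per source host and per status returned. The thresholds (64 repeated padding characters, four %u values) are assumptions, and the sample lines are constructed with documentation addresses and a harmless placeholder tail.

```python
import re
from collections import Counter

# Apache common/combined log prefix: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+')
# Request for an .ida resource with a query string, as in the quoted log entry.
IDA_RE = re.compile(r'^[A-Z]+ /\S*?\.ida\?(?P<query>\S*)', re.IGNORECASE)
PAD_RE = re.compile(r'([A-Za-z])\1{63,}')   # assumed threshold: 64+ repeats of one letter
UENC_RE = re.compile(r'%u[0-9a-fA-F]{4}')   # %uXXXX-encoded 16-bit values
MIN_UENC = 4                                # assumed threshold


def classify(line):
    """Return a dict describing the probe, or None if the line is not one."""
    entry = LOG_RE.match(line)
    if entry is None:
        return None                         # malformed or truncated log line
    req = IDA_RE.match(entry['request'])
    if req is None:
        return None                         # not an .ida request
    pad = PAD_RE.search(req['query'])
    n_uenc = len(UENC_RE.findall(req['query']))
    if pad is None or n_uenc < MIN_UENC:
        return None                         # .ida request without the overflow shape
    return {'host': entry['host'], 'time': entry['time'],
            'status': int(entry['status']),
            'pad_len': len(pad.group(0)), 'uenc': n_uenc}


def summarize(lines):
    """Count probes per source host and per HTTP status returned."""
    hits = [h for h in map(classify, lines) if h]
    return (Counter(h['host'] for h in hits),
            Counter(h['status'] for h in hits))


# Constructed sample lines (documentation addresses, placeholder %u values).
PROBE = '/default.ida?' + 'N' * 224 + '%u0041%u0042%u0043%u0044%u00=a'
SAMPLE = [
    f'192.0.2.10 - - [03/Aug/2001:23:49:55 -0500] "GET {PROBE} HTTP/1.0" 400 316 "-" "-"',
    f'198.51.100.7 - - [04/Aug/2001:01:02:03 -0500] "GET {PROBE} HTTP/1.0" 404 276 "-" "-"',
    f'192.0.2.10 - - [04/Aug/2001:02:10:11 -0500] "GET {PROBE} HTTP/1.0" 400 316 "-" "-"',
    '203.0.113.5 - - [04/Aug/2001:02:11:00 -0500] "GET /default.ida?q=test HTTP/1.0" 404 276 "-" "-"',
    '203.0.113.5 - - [04/Aug/2001:02:12:00 -0500] "GET /index.html HTTP/1.0" 200 1024 "-" "-"',
    'truncated line without a request field',
]
```

Calling summarize() on the lines of a real access log gives the per-host count directly; a 4xx status on every hit shows the server rejected the request rather than serving it.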
