Date:      Sat, 4 Aug 2001 10:53:47 -0700
From:      Gary Kline <kline@tao.thought.org>
To:        Gavin Atkinson <gavin@ury.york.ac.uk>
Cc:        Jon Loeliger <jdl@jdl.com>, questions@FreeBSD.ORG
Subject:   Re: Attempted Buffer Overrun in via httpd?
Message-ID:  <20010804105347.B9601@tao.thought.org>
In-Reply-To: <Pine.BSF.4.33.0108041824070.69628-100000@ury.york.ac.uk>; from gavin@ury.york.ac.uk on Sat, Aug 04, 2001 at 06:26:13PM +0100
References:  <E15T58n-000Ayh-00@jdl.com> <Pine.BSF.4.33.0108041824070.69628-100000@ury.york.ac.uk>

On Sat, Aug 04, 2001 at 06:26:13PM +0100, Gavin Atkinson wrote:
> On Sat, 4 Aug 2001, Jon Loeliger wrote:
> 
> > I see a large number of httpd requests that look like this:
> >
> >     211.41.175.10 - - [03/Aug/2001:23:49:55 -0500] "GET /default.ida?NNNNNN
> >     NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> >     NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> >     NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> >     NNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3
> >     %u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=
> >     a  HTTP/1.0" 400 316 "-" "-"
> >
> > in my httpd access logs.  This just smells like an attempted buffer
> > overrun exploit at work.
> 
> Looks like it to me as well - I believe it is the Code Red worm trying to
> spread. I've had 106 of these and counting since 19th July. It only
> affects unpatched Microsoft IIS.
> 
> > Anyone recognize it and know anything about it?  Should I be worried?
> > I'm running a current (right out of Ports) Apache here.
> 
> Long live Apache!
> 
	
	Likewise, I noticed this strange GET pattern weeks ago in my
	httpd-access logs and assumed that it was a M$ web attack.
	Also glad for the Nth time to be running this open source
	(Berkeley) Unix.  Anything open source beats closed by a 
	league and is as close to bullet-proof as possible.  And keeps
	getting closer.

-- 
   Gary D. Kline    kline@thought.org  www.thought.org    Public service Unix
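
An added example, not part of the original messages: a small Python filter that flags requests like the one quoted in this thread in an Apache access log and counts them per source host. The regexes, the 64-character filler threshold, and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Common/Combined Log Format: host ident user [time] "request" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "((?:[^"\\]|\\.)*)" (\d{3}) ')
# Assumed threshold: a run of 64 or more of one filler character in the query.
FILLER_RE = re.compile(r'(.)\1{63,}')
PCT_U_RE = re.compile(r'%u[0-9a-fA-F]{4}')

def is_ida_probe(request):
    """True if the request line resembles the .ida probe quoted in the thread."""
    parts = request.split()
    if len(parts) < 2:
        return False
    path, _, query = parts[1].partition('?')
    if not path.lower().endswith('.ida'):
        return False
    return bool(FILLER_RE.search(query)) and len(PCT_U_RE.findall(query)) >= 3

def summarize(lines):
    """Return (Counter of probes per source host, list of unparseable lines)."""
    hits, bad = Counter(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            bad.append(line)  # keep malformed lines for manual review
            continue
        host, request = m.group(1), m.group(2)
        if is_ida_probe(request):
            hits[host] += 1
    return hits, bad

# Constructed sample lines: documentation IP ranges, placeholder %u values.
PROBE = "GET /default.ida?" + "N" * 224 + "%u4141%u4242%u4343%u0000=a  HTTP/1.0"
SAMPLE = [
    f'192.0.2.10 - - [03/Aug/2001:23:49:55 -0500] "{PROBE}" 400 316 "-" "-"',
    f'192.0.2.10 - - [04/Aug/2001:01:02:03 -0500] "{PROBE}" 404 290 "-" "-"',
    f'198.51.100.7 - - [04/Aug/2001:02:00:00 -0500] "{PROBE}" 404 290 "-" "-"',
    '203.0.113.5 - - [04/Aug/2001:02:10:00 -0500] "GET /index.html?q=NNNN HTTP/1.0" 200 1042 "-" "-"',
    '203.0.113.5 - - [04/Aug/2001:02:11:00 -0500] "GET /default.ida?x=1 HTTP/1.0" 404 290 "-" "-"',
    'truncated line without a request field',
]

if __name__ == "__main__":
    hits, bad = summarize(SAMPLE)
    for host, n in hits.most_common():
        print(f"{host}\t{n}")
    print(f"unparseable lines: {len(bad)}")
```

Requiring both the filler run and several `%u` sequences keeps ordinary requests for an `.ida` path, such as the fifth sample line, out of the count.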

