Date: Sat, 4 Aug 2001 10:53:47 -0700 From: Gary Kline <kline@tao.thought.org> To: Gavin Atkinson <gavin@ury.york.ac.uk> Cc: Jon Loeliger <jdl@jdl.com>, questions@FreeBSD.ORG Subject: Re: Attempted Buffer Overrun in via httpd? Message-ID: <20010804105347.B9601@tao.thought.org> In-Reply-To: <Pine.BSF.4.33.0108041824070.69628-100000@ury.york.ac.uk>; from gavin@ury.york.ac.uk on Sat, Aug 04, 2001 at 06:26:13PM %2B0100 References: <E15T58n-000Ayh-00@jdl.com> <Pine.BSF.4.33.0108041824070.69628-100000@ury.york.ac.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, Aug 04, 2001 at 06:26:13PM +0100, Gavin Atkinson wrote: > On Sat, 4 Aug 2001, Jon Loeliger wrote: > > > I see a large number of httpd requests that look like this: > > > > 211.41.175.10 - - [03/Aug/2001:23:49:55 -0500] "GET /default.ida?NNNNNN > > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN > > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN > > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN > > NNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3 > > %u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00= > > a HTTP/1.0" 400 316 "-" "-" > > > > in my httpd access logs. This just smells like an attemtped buffer > > over run exploit at work. > > Looks like it to me as well - i believe it is the code red worm trying to > spread. I've had 106 of these and counting since 19th July. It only > affects unpatched microsoft IIS. > > > Anyone recognize it and know anything about it? Should I be worried? > > I'm running a current (right out of Ports) Apache here. > > Long live Apache! > Likewise, I noticed this strange GET pattern weeks ago in my httpd-access logs and assumed that it was a M$ web attack. Also glad for the Nth time to be running this open source (Berkeley) Unix. Anything open source beats closed by a league and is as close to bullet-proof as possible. And keeps getting closer. -- Gary D. Kline kline@thought.org www.thought.org Public service Unix To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010804105347.B9601>