From owner-freebsd-questions Sat Aug 4 18:28:25 2001
Date: Sat, 4 Aug 2001 21:24:05 -0400
From: Louis LeBlanc
To: freebsd-questions@FreeBSD.ORG
Subject: Re: Attempted Buffer Overrun in via httpd?
Message-ID: <20010804212404.B30510@acadia.ne.mediaone.net>
References: <20010804201849.A30510@acadia.ne.mediaone.net>
User-Agent: Mutt/1.3.20i
X-bright-idea: Let's abolish HTML mail!

Of course, but for each miss, I end up with a message in my inbox notifying me of a 404 encountered on my site. It doesn't happen often; once in a while someone requests favicon.ico, which is probably someone trying an innocuous test to see if I am running a server and which one. From time to time, I get a request that looks like this:

http://acadia.ne.mediaone.net/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir

Usually, I notify the abuse authorities or the webmaster. It usually turns out to be another worm on their server.

Anyway, I put a 404.php script in a while back to let me know if others were linking my site (not much to link, really) and ending up with dead links. Mostly I thought it was a cool thing to do. Anyway, this php script used to be pretty basic and just announced to the recipient that the URL they requested would be sent to the webmaster and I would investigate. After I realized 80% of these were some sort of hack attempt, I also put a notice that I would also notify the appropriate abuse authorities if it appeared they were attempting to exploit my system. The attempts stopped for over 2 weeks until code red hit the networks.

Anyway, that's the rub. Seems this code red isn't just a worm, it's a network virus, because of the traffic it's generating. If a piddly server like mine gets a hundred hits in the course of 6 hours, what's it doing to the big sites right now? And what is the effect on general network connectivity? Seems the whole net must be bogged down. I know my response times, even to freebsd.org, are down noticeably. Even connectivity to mail systems seems much slower. Is this stupid worm hitting mail servers too?

Maybe I'm full of crap, but that's my 2 pennies.

Lou

On 08/04/01 08:31 PM, Rob Flash sat at the `puter and typed:
> That's just someone infected with the code red worm scanning you. I have
> 1000's of those in my logs, no big deal... doesn't affect apache in any way
> I've seen.
>
> -Rob
>

-- 
Louis LeBlanc
leblanc@acadia.ne.mediaone.net
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://acadia.ne.mediaone.net

Bureaucrat, n.:
  A person who cuts red tape sideways.
    -- J. McCabe
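A defender-side illustration of the 404 triage this message describes, added here as an example and not the author's 404.php: it scans constructed Apache access_log lines, folds the overlong-UTF-8 encoding used by the quoted probe (%c1%9c is an overlong backslash, %c0%af an overlong slash) back onto the ASCII it hides, separates harmless misses such as favicon.ico from cmd.exe traversal probes, and counts hits per source address so a flood of probes does not become a flood of notifications. The log lines, addresses and function names are constructed for this example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample Apache access_log lines (not taken from the original message).
SAMPLE_LOG = """\
10.0.0.5 - - [04/Aug/2001:21:10:03 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287
10.0.0.6 - - [04/Aug/2001:21:12:44 -0400] "GET /favicon.ico HTTP/1.1" 404 221
10.0.0.7 - - [04/Aug/2001:21:15:09 -0400] "GET /index.html HTTP/1.1" 200 1873
10.0.0.8 - - [04/Aug/2001:21:17:31 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287
10.0.0.5 - - [04/Aug/2001:21:19:02 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287
"""

# Apache common log format: client, ident, user, [timestamp], "request", status, bytes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def decode_overlong(path):
    # Percent-decode, then fold overlong 2-byte UTF-8 (lead byte 0xC0/0xC1, never valid) onto the ASCII byte it smuggles: %c0%af is '/', %c1%9c is '\'.
    raw = unquote_to_bytes(path)
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((raw[i] & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return out.decode("latin-1")

def classify(path):
    # 'traversal-probe' when the decoded path climbs with ../ and asks for cmd.exe; 'favicon' for the usual browser miss.
    norm = decode_overlong(path).replace("\\", "/").lower()
    if "/../" in norm and "cmd.exe" in norm:
        return "traversal-probe"
    if norm.split("?", 1)[0] == "/favicon.ico":
        return "favicon"
    return None

def scan_404s(log_text):
    # {ip: {kind: count}} over 404s in a known class, aggregated per source so a hundred probes from one infected host is one report line, not a hundred mails.
    report = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["status"] != "404":
            continue
        kind = classify(m["path"])
        if kind:
            per_ip = report.setdefault(m["ip"], {})
            per_ip[kind] = per_ip.get(kind, 0) + 1
    return report
```

Only the traversal-probe entries would be worth forwarding to an abuse contact; the favicon entries are the ordinary browser noise the message mentions.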