From owner-freebsd-security Mon Jul 23 10: 8:40 2001 Delivered-To: freebsd-security@freebsd.org Received: from d170h113.resnet.uconn.edu (d170h113.resnet.uconn.edu [137.99.170.113]) by hub.freebsd.org (Postfix) with SMTP id 50D7E37B408 for ; Mon, 23 Jul 2001 10:08:22 -0700 (PDT) (envelope-from sirmoo@cowbert.2y.net) Received: (qmail 12349 invoked by uid 1001); 23 Jul 2001 17:15:29 -0000 Message-ID: <20010723171529.12348.qmail@d170h113.resnet.uconn.edu> References: <20010721204942.12010.qmail@salvation.unixgeeks.com> <20010721145417.A86996@networkcommand.com> In-Reply-To: <20010721145417.A86996@networkcommand.com> From: "Peter C. Lai" To: "jono@networkcommand.com" Cc: nathan@salvation.unixgeeks.com, freebsd-security@FreeBSD.ORG Subject: Re: Reinfection phase Re: possible? Date: Mon, 23 Jul 2001 17:15:28 GMT Mime-Version: 1.0 Content-Type: text/plain; format=flowed; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org my apache logs also show a crapload of "Malformed Headers" from the same IP blocks which i suspect is from code red attempts. Jon O . writes: > > I justed wanted to make sure everyone was aware that Code Red is supposed > to restart its infection phase on 8.01.01. > > www.eeye.com has a good write up on this and the rest of the worm. > > Watch out for their scanner tool though, it's a windows binary and there > is no source... > > > > > > On 21-Jul-2001, nathan@salvation.unixgeeks.com wrote: >> >> okay, today i checked my apache logs this is what i got: >> >> 195.10.116.2 - - [19/Jul/2001:15:50:20 -0700] "GET /default.ida?NNNNNNNNNNNNNNNN >> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN >> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN >> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u >> 6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u53 >> 1b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 332 >> >> this same exact get request came from several different address as well. such >> as: 128.138.105.172, 202.157.154.126, and a couple of others. any ideas? any >> remote exploits in apache i've missed? i'm running Apache/1.3.19 Server.. >> >> thanks in advance, >> nathan. >> >> To Unsubscribe: send mail to majordomo@FreeBSD.org >> with "unsubscribe freebsd-security" in the body of the message > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message ----------- Peter C. Lai University of Connecticut Dept. of Residential Life | Programmer Dept. of Molecular and Cell Biology | Undergraduate Research Assistant/Honors Program http://cowbert.2y.net/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message