From: Mike Meyer
Date: Sun, 5 Aug 2001 13:31:38 -0500
To: Kent Stewart
Cc: Louis LeBlanc, questions@freebsd.org
Subject: Re: Attempted Buffer Overrun in via httpd?
Message-ID: <15213.37130.443656.153817@guru.mired.org>
In-Reply-To: <3B6D8955.7B346069@urx.com>

Kent Stewart types:
> Mike Meyer wrote:
> > What scares me is the possibility of near-exponential growth of the
> > thing. I've put up a plot of hits/hour since it started - at about 9am
> > CDT - to now at . Discount the
> > last data point - it only includes about 15 minutes of hits. The large
> > jump around 9am 8/4 got me, but it seems to have peaked at 45/hour,
> > and fallen back to ~15/hour. I can understand the levelling out as the
> > population of suspect servers approaches saturation, but why did it
> > drop off? Or is the spike just random noise?
> Your hit rate is much greater than mine. My complete list of error log
> messages is on http://dsl1-160.dynacom.net/code_red.html. The complete
> list is only 4 screens of text.

That's strange. More commentary on this later.
> I am also seeing a mutation. The first error log message was the typical
> one but yesterday, the second one also started showing up.

There are at least two versions of this worm running around. One defaces the web pages, one doesn't. There are also differences in the random number generators used, the earlier ones using the same PRNG and seed, meaning they'll probe the same list of IP addresses.

> [Sun Aug 5 08:31:26 2001] [error] [client 212.205.80.11] \
> Client sent malformed Host header
> [Sun Aug 5 08:41:47 2001] [error] [client 24.2.244.206] \
> File does not exist: /usr/local/www/data/default.ida

I hadn't been counting the first one - it's not mentioned in any of the writeups I saw. I've also got some during the period when code red is supposedly quiescent. While those are likely to be infected hosts with misset clocks, I'm going to leave it as is because 1) I'm more interested in trends than in total numbers, and 2) the totals seem to be at most 4/hour, meaning they are for the most part lost in the noise.

One possible explanation for the discrepancy we're seeing in counts is that you somehow overlooked the initial ones that didn't have a malformed host header. Another is that those without a malformed host header are the older worm, and I'm much lower on that fixed list of IP addresses than you are. That doesn't seem likely, as I didn't see any of those until August.

http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
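As an added example, not code from the thread, here is a small Python script that counts both of the Apache error_log signatures quoted above per hour and keeps them in separate buckets, so the two variants can be trended independently and neither is overlooked. The log lines, timestamps and client addresses in SAMPLE_LOG are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed Apache 1.3 error_log excerpt (not real traffic). The ctime-style
# stamp pads single-digit days with two spaces, as the real log does.
SAMPLE_LOG = """\
[Sun Aug  5 08:31:26 2001] [error] [client 192.0.2.11] Client sent malformed Host header
[Sun Aug  5 08:41:47 2001] [error] [client 192.0.2.206] File does not exist: /usr/local/www/data/default.ida
[Sun Aug  5 08:55:02 2001] [error] [client 198.51.100.7] File does not exist: /usr/local/www/data/default.ida
[Sun Aug  5 09:03:10 2001] [error] [client 198.51.100.9] Client sent malformed Host header
[Sun Aug  5 09:12:44 2001] [error] [client 203.0.113.4] File does not exist: /usr/local/www/data/favicon.ico
[Sun Aug  5 09:20:00 2001] [notice] Apache/1.3.20 (Unix) configured -- resuming normal operations
"""

# Generic error_log line: [timestamp] [level] [client ip] message; the client part is optional.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\](?: \[client (?P<ip>[^\]]+)\])? (?P<msg>.*)$"
)

# The two signatures discussed in the thread. A non-default.ida 404 must not count.
SIGNATURES = {
    "default.ida": re.compile(r"File does not exist: .*/default\.ida$"),
    "malformed_host": re.compile(r"^Client sent malformed Host header$"),
}


def classify(msg):
    """Return the signature name a message matches, or None for unrelated errors."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(msg):
            return name
    return None


def parse_timestamp(ts):
    # Collapse the double space before single-digit days before parsing.
    return datetime.strptime(" ".join(ts.split()), "%a %b %d %H:%M:%S %Y")


def hits_per_hour(log_text):
    """Map (hour bucket as 'YYYY-MM-DD HH:00', signature) -> number of hits."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a well-formed error_log line
        kind = classify(m.group("msg"))
        if kind is None:
            continue
        hour = parse_timestamp(m.group("ts")).replace(minute=0, second=0)
        counts[(hour.strftime("%Y-%m-%d %H:00"), kind)] += 1
    return dict(counts)
```

Summing the two buckets per hour gives the total used for a hits/hour plot; comparing them shows whether one signature appears before the other.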