Date: Sun, 05 Aug 2001 12:04:20 -0700
From: Kent Stewart <kstewart@urx.com>
To: Mike Meyer <mwm@mired.org>
Cc: Louis LeBlanc <leblanc+freebsd@acadia.ne.mediaone.net>, questions@freebsd.org
Subject: Re: Attempted Buffer Overrun in via httpd?
Message-ID: <3B6D98B4.C7ABE142@urx.com>
References: <15213.29533.375904.18788@guru.mired.org> <3B6D8955.7B346069@urx.com> <15213.37130.443656.153817@guru.mired.org>
Mike Meyer wrote:
> Kent Stewart <kstewart@urx.com> types:
> > Mike Meyer wrote:
> > > What scares me is the possibility of near-exponential growth of the
> > > thing. I've put up a plot of hits/hour since it started - at about 9am
> > > CDT - to now at <URL: http://www.mired.org/codered.ps >. Discount the
> > > last data point - it only includes about 15 minutes of hits. The large
> > > jump around 9am 8/4 got me, but it seems to have peaked at 45/hour,
> > > and fallen back to ~15/hour. I can understand the levelling out as the
> > > population of suspect servers approaches saturation, but why did it
> > > drop off? Or is the spike just random noise?
> > Your hit rate is much greater than mine. My complete list of error log
> > messages is on http://dsl1-160.dynacom.net/code_red.html. The complete
> > list is only 4 screens of text.
>
> That's strange. More commentary on this later.
>
> > I am also seeing a mutation. The first error log message was the typical
> > one but yesterday, the second one also started showing up.
>
> There are at least two versions of this worm running around. One
> defaces the web pages, one doesn't. There are also differences in the
> random number generators used, the earlier ones using the same PRNG
> and seed, meaning they'll probe the same list of IP addresses.
>
> > [Sun Aug 5 08:31:26 2001] [error] [client 212.205.80.11] \
> > Client sent malformed Host header
> > [Sun Aug 5 08:41:47 2001] [error] [client 24.2.244.206] \
> > File does not exist: /usr/local/www/data/default.ida
>
> I hadn't been counting the first one - it's not mentioned in any of
> the writeups I saw. I've also got some during the period when code red
> is supposedly quiescent. While those are likely to be infected hosts
> with misset clocks, I'm going to leave it as is because 1) I'm more
> interested in trends than in total numbers, and 2) the totals seem to
> be at most 4/hour, meaning they are for the most part lost in the
> noise.
>
> One possible explanation for the discrepancy we're seeing in counts is
> that you somehow overlooked the initial ones that didn't have a
> malformed host header. Another is that those without a malformed host
> header are the older worm, and I'm much lower on that fixed list of IP
> addresses than you are. That doesn't seem likely, as I didn't see any
> of those until August.

Hmmm, strange. I saw 21 malformed Host requests on 19 Jul and nothing
else. The list is all of the error messages since 1 August. Apache's
access.log also shows the malformed request that generated the error
message. The first error message on 19 July was from a Taiwan site. The
first message on 1 August was from a Chinese site.

Kent
--
Kent Stewart
Richland, WA
mailto:kbstew99@hotmail.com
http://kstewart.urx.com/kstewart/index.html
FreeBSD News http://daily.daemonnews.org/
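The thread above is counting two Apache error_log messages (the failed request for default.ida and the "malformed Host header" line) and bucketing them per hour to plot the worm's scan rate, while noting that hits during the worm's quiet period are probably infected hosts with wrong clocks. The script below, an added example that is not part of the original thread or of either poster's tooling, does exactly that over a constructed error_log sample (timestamps and addresses are made up, using RFC 5737 documentation ranges). The day-of-month window it uses to flag out-of-period hits (propagation on days 1-19 of the month) is taken from published Code Red analyses, not from this thread, and is labelled as an assumption in the code.

```python
"""Count Code Red probe signatures per hour from Apache 1.3 error_log lines."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the error_log format quoted in the thread.  Timestamps
# and client addresses are invented for the example, not real hits.
SAMPLE_ERROR_LOG = """\
[Sun Aug  5 08:31:26 2001] [error] [client 192.0.2.11] Client sent malformed Host header
[Sun Aug  5 08:41:47 2001] [error] [client 192.0.2.206] File does not exist: /usr/local/www/data/default.ida
[Sun Aug  5 08:55:03 2001] [error] [client 198.51.100.7] File does not exist: /usr/local/www/data/default.ida
[Sun Aug  5 09:02:10 2001] [error] [client 198.51.100.9] File does not exist: /usr/local/www/data/robots.txt
[Sun Aug  5 09:12:44 2001] [error] [client 203.0.113.4] Client sent malformed Host header
[Tue Jul 24 02:10:00 2001] [error] [client 203.0.113.77] File does not exist: /usr/local/www/data/default.ida
"""

# Apache 1.3 error_log layout: [timestamp] [level] [client ip] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$"
)

# The two messages reported in the thread.  The default.ida line is the worm's
# GET /default.ida?... request failing on a non-IIS server.  The thread does
# not say why Apache rejects the worm's Host header, so that message is matched
# literally rather than explained.
SIGNATURES = {
    "default_ida": re.compile(r"File does not exist: \S*/default\.ida$"),
    "malformed_host": re.compile(r"^Client sent malformed Host header$"),
}

# Assumption from published Code Red analyses (not from this thread): the worm
# scans only on days 1-19 of the month, so a hit dated day 20 or later is either
# an infected host with a wrong clock or something that is not Code Red.
LAST_PROPAGATION_DAY = 19


def parse_line(line):
    """Return (timestamp, client_ip, message) or None for a non-matching line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    # strptime tolerates the double space Apache pads single-digit days with.
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("ip"), m.group("msg")


def classify(message):
    """Name the Code Red signature a message matches, or None if neither."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(message):
            return name
    return None


def summarize(log_text):
    """Bucket matching lines per hour and per signature; flag out-of-window hits."""
    per_hour = defaultdict(Counter)   # "YYYY-MM-DD HH" -> Counter of signatures
    totals = Counter()
    out_of_window = []                # (iso timestamp, ip, signature)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, msg = parsed
        sig = classify(msg)
        if sig is None:
            continue                  # ordinary 404s and other errors are ignored
        per_hour[ts.strftime("%Y-%m-%d %H")][sig] += 1
        totals[sig] += 1
        if ts.day > LAST_PROPAGATION_DAY:
            out_of_window.append((ts.isoformat(), ip, sig))
    return {
        "per_hour": {hour: dict(c) for hour, c in per_hour.items()},
        "totals": dict(totals),
        "out_of_window": out_of_window,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_ERROR_LOG)
    for hour in sorted(result["per_hour"]):
        print(hour, result["per_hour"][hour])
    print("totals:", result["totals"])
    print("outside propagation window:", result["out_of_window"])
```

The per-hour dictionary is the series Mike plotted; the `out_of_window` list is the set of hits he chose to leave in the trend because they are lost in the noise. Feeding a real error_log to `summarize()` instead of the sample is a matter of `summarize(open("/var/log/httpd-error.log").read())`.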