From owner-freebsd-questions Sun Aug 5 12:04:26 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mail.urx.com (mail.urx.com [63.170.19.36]) by hub.freebsd.org (Postfix) with ESMTP id 007EF37B401 for ; Sun, 5 Aug 2001 12:04:23 -0700 (PDT) (envelope-from kstewart@urx.com)
Received: from urx.com [206.159.132.160] by mail.urx.com with ESMTP (SMTPD32-6.06) id A8B470302A8; Sun, 05 Aug 2001 12:04:20 -0700
Message-ID: <3B6D98B4.C7ABE142@urx.com>
Date: Sun, 05 Aug 2001 12:04:20 -0700
From: Kent Stewart
Reply-To: kstewart@urx.com
Organization: Dynacom
X-Mailer: Mozilla 4.77 [en] (Windows NT 5.0; U)
To: Mike Meyer
Cc: Louis LeBlanc, questions@freebsd.org
Subject: Re: Attempted Buffer Overrun in via httpd?
References: <15213.29533.375904.18788@guru.mired.org> <3B6D8955.7B346069@urx.com> <15213.37130.443656.153817@guru.mired.org>
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-questions@FreeBSD.ORG

Mike Meyer wrote:
>
> Kent Stewart types:
> > Mike Meyer wrote:
> > > What scares me is the possibility of near-exponential growth of the
> > > thing. I've put up a plot of hits/hour since it started - at about 9am
> > > CDT - to now at . Discount the
> > > last data point - it only includes about 15 minutes of hits. The large
> > > jump around 9am 8/4 got me, but it seems to have peaked at 45/hour,
> > > and fallen back to ~15/hour. I can understand the levelling out as the
> > > population of suspect servers approaches saturation, but why did it
> > > drop off? Or is the spike just random noise?
> > Your hit rate is much greater than mine. My complete list of error log
> > messages is on http://dsl1-160.dynacom.net/code_red.html. The complete
> > list is only 4 screens of text.
>
> That's strange. More commentary on this later.
>
> > I am also seeing a mutation. The first error log message was the typical
> > one but yesterday, the second one also started showing up.
>
> There are at least two versions of this worm running around. One
> defaces the web pages, one doesn't. There are also differences in the
> random number generators used, the earlier ones using the same PRNG
> and seed, meaning they'll probe the same list of IP addresses.
>
> > [Sun Aug 5 08:31:26 2001] [error] [client 212.205.80.11] \
> > Client sent malformed Host header
> > [Sun Aug 5 08:41:47 2001] [error] [client 24.2.244.206] \
> > File does not exist: /usr/local/www/data/default.ida
>
> I hadn't been counting the first one - it's not mentioned in any of
> the writeups I saw. I've also got some during the period when code red
> is supposedly quiescent. While those are likely to be infected hosts
> with misset clocks, I'm going to leave it as is because 1) I'm more
> interested in trends than in total numbers, and 2) the totals seem to
> be at most 4/hour, meaning they are for the most part lost in the
> noise.
>
> One possible explanation for the discrepancy we're seeing in counts is
> that you somehow overlooked the initial ones that didn't have a
> malformed host header. Another is that those without a malformed host
> header are the older worm, and I'm much lower on that fixed list of IP
> addresses than you are. That doesn't seem likely, as I didn't see any
> of those until August.

Hmmm, strange. I saw 21 malformed Host requests on 19 Jul and nothing
else. The list is all of the error messages since 1 August. Apache's
access.log also shows the malformed request that generated the error
message. The first error message on 19 July was from a Taiwan site. The
first message on 1 August was from a Chinese site.
Kent
--
Kent Stewart
Richland, WA
mailto:kbstew99@hotmail.com
http://kstewart.urx.com/kstewart/index.html

FreeBSD News http://daily.daemonnews.org/
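As an added example (not from the thread or from either poster), a small Python script that parses Apache 1.3-style error_log lines like the two quoted above, tags the two Code Red signatures the thread discusses (a request for default.ida, and "Client sent malformed Host header") and tallies hits per hour plus distinct client addresses per signature, which is the trend view Mike describes plotting. The sample lines beyond the two quoted are constructed; 10.0.0.9 and 192.0.2.44 are placeholder addresses.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
# Apache 1.3-style error_log line: "[Sun Aug  5 08:31:26 2001] [error] [client 1.2.3.4] message"
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \d{4})\] "
    r"\[(?P<level>\w+)\] \[client (?P<ip>[\d.]+)\] (?P<msg>.*)$"
)

def classify(msg):
    """Tag the two Code Red signatures discussed in the thread; None otherwise."""
    if msg.startswith("File does not exist:") and msg.rstrip().endswith("/default.ida"):
        return "default.ida"
    if msg.strip() == "Client sent malformed Host header":
        return "malformed-host"
    return None

def parse_line(line):
    """Return (timestamp, client ip, tag) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Collapse the day padding ("Aug  5") before parsing the timestamp.
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("ip"), classify(m.group("msg"))

def hits_per_hour(lines):
    """Count recognised probes per (hour, tag) and collect distinct client IPs per tag."""
    per_hour, hosts = Counter(), defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[2] is None:
            continue  # unparseable line or unrelated error (e.g. a missing robots.txt)
        ts, ip, tag = parsed
        per_hour[(ts.strftime("%Y-%m-%d %H:00"), tag)] += 1
        hosts[tag].add(ip)
    return per_hour, hosts

# Constructed sample: the two lines quoted in the thread plus made-up noise
# (10.0.0.9 and 192.0.2.44 are placeholder addresses).
SAMPLE_LOG = """\
[Sun Aug  5 08:31:26 2001] [error] [client 212.205.80.11] Client sent malformed Host header
[Sun Aug  5 08:41:47 2001] [error] [client 24.2.244.206] File does not exist: /usr/local/www/data/default.ida
[Sun Aug  5 08:55:02 2001] [error] [client 24.2.244.206] File does not exist: /usr/local/www/data/default.ida
[Sun Aug  5 09:12:10 2001] [error] [client 10.0.0.9] File does not exist: /usr/local/www/data/robots.txt
[Sun Aug  5 09:20:33 2001] [error] [client 192.0.2.44] Client sent malformed Host header
""".splitlines()

if __name__ == "__main__":
    for (hour, tag), n in sorted(hits_per_hour(SAMPLE_LOG)[0].items()):
        print(hour, tag, n)
```

Run it against a real error_log with `hits_per_hour(open("/var/log/httpd-error.log"))` to get the per-hour series to plot; the distinct-host count per signature is what separates "same hosts re-probing" from "more infected hosts".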