Date: Thu, 9 Aug 2001 22:21:33 -0400 (EDT)
From: Jim Durham
To: Jon Loeliger
Cc: Fernando Gleiser, questions@FreeBSD.ORG
Subject: Re: Attempted Buffer Overrun in via httpd?

On Sat, 4 Aug 2001, Jon Loeliger wrote:

> So, like Fernando Gleiser was saying to me just the other day:
> >
> > It smells like code red. It is a worm which tries to exploit a vulnerability
> > in M$ IIS.
>
> Ah! Duh. Wait, I'm catching up here... What's the current virus
> knocking on everyone's door? Oh yeah, _I_ remember now! Code Red.
>
> > Apache (AFAIK) is not vulnerable.
>
> Excellent.
>
> > The request comes from an infected machine, maybe you want to inform the
> > webmaster about this.
>
> Heh. If I were to do that, I'd do _nothing_ else! I have hundreds
> of them, and they are mostly from various dial-up looking DNS names.
>

I actually attempted some connections to these IPs using "http://" and the
IP number and, without fail, they were all "Under Construction". I think
the great majority of these infected servers are on NT boxes where the
owner checked the little box that said "Install the Web Server" and then
forgot about it.

I was wondering how, after months of warnings and media exposure,
*anyone* could have an unpatched web server, but I think this is the
reason.

Good Grief...

-Jim Durham