From owner-freebsd-questions Sat Aug 4 10:26:23 2001
Date: Sat, 4 Aug 2001 18:26:13 +0100 (BST)
From: Gavin Atkinson <gavin.atkinson@ury.york.ac.uk>
To: Jon Loeliger
Subject: Re: Attempted Buffer Overrun in via httpd?

On Sat, 4 Aug 2001, Jon Loeliger wrote:
> I see a large number of httpd requests that look like this:
>
> 211.41.175.10 - - [03/Aug/2001:23:49:55 -0500] "GET /default.ida?NNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3
> %u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=
> a HTTP/1.0" 400 316 "-" "-"
>
> in my httpd access logs. This just smells like an attempted buffer
> overrun exploit at work.

Looks like it to me as well - I believe it is the Code Red worm trying to spread. I've had 106 of these and counting since 19th July. It only affects unpatched Microsoft IIS.

> Anyone recognize it and know anything about it? Should I be worried?
> I'm running a current (right out of Ports) Apache here.

Long live Apache!

Gavin

--
"Experience is directly proportional to the value of equipment destroyed."
-- Carolyn Scheppner
Gavin Atkinson - Head Of Computing - University Radio York
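A small added example (not part of the original thread) showing how an Apache admin could count these probes per source host instead of eyeballing the access log. It parses the common log format and matches the /default.ida request shape quoted above; the sample log lines are constructed, and the `X` padding case covers the later Code Red II variant, which is an assumption beyond what the thread shows.

```python
import re
from collections import Counter

# Apache common log format: host ident authuser [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Shape of the Code Red probe from the thread: GET /default.ida? followed by a
# long run of 'N' padding and %u-encoded words. 'X' padding is the later
# Code Red II variant (assumption, not shown in the thread).
CODE_RED_RE = re.compile(r'^GET /default\.ida\?[NX]{50,}.*%u[0-9a-fA-F]{4}', re.IGNORECASE)

def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_code_red_probe(request):
    """True if the request string matches the Code Red /default.ida signature."""
    return bool(CODE_RED_RE.match(request))

def scan(lines):
    """Return (total probe count, Counter of probes per source host)."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_code_red_probe(rec["request"]):
            hits[rec["host"]] += 1
    return sum(hits.values()), hits

# Constructed sample log: two probes (shortened payloads) and one ordinary request.
SAMPLE_LOG = [
    '211.41.175.10 - - [03/Aug/2001:23:49:55 -0500] "GET /default.ida?'
    + "N" * 60 + '%u9090%u6858%ucbd3%u7801 HTTP/1.0" 400 316 "-" "-"',
    '192.0.2.7 - - [04/Aug/2001:00:01:02 -0500] "GET /default.ida?'
    + "X" * 60 + '%u9090%u6858 HTTP/1.0" 400 316 "-" "-"',
    '198.51.100.9 - - [04/Aug/2001:00:02:03 -0500] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    total, per_host = scan(SAMPLE_LOG)
    print(f"{total} Code Red probes")
    for host, n in per_host.most_common():
        print(f"  {host}: {n}")
```

Note that Apache answered the probe with a 400, as in the quoted log line; the worm only affects the IIS .ida handler, so on Apache this is log noise worth counting, not a compromise.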