From owner-freebsd-questions Sat Aug 4 10:30:10 2001 Delivered-To: freebsd-questions@freebsd.org Received: from cactus.fi.uba.ar (cactus.fi.uba.ar [157.92.49.108]) by hub.freebsd.org (Postfix) with ESMTP id 3C3E037B401 for ; Sat, 4 Aug 2001 10:30:07 -0700 (PDT) (envelope-from fgleiser@cactus.fi.uba.ar) Received: from cactus.fi.uba.ar (cactus.fi.uba.ar [157.92.49.108]) by cactus.fi.uba.ar (8.11.3/8.9.3) with ESMTP id f74HRbY94095; Sat, 4 Aug 2001 14:27:37 -0300 (ART) (envelope-from fgleiser@cactus.fi.uba.ar) Date: Sat, 4 Aug 2001 14:27:37 -0300 (ART) From: Fernando Gleiser To: Jon Loeliger Cc: Subject: Re: Attempted Buffer Overrun in via httpd? In-Reply-To: Message-ID: <20010804142321.X91592-100000@cactus.fi.uba.ar> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Sat, 4 Aug 2001, Jon Loeliger wrote: > Folks, > > I see a large number of httpd requests that look like this: > > 211.41.175.10 - - [03/Aug/2001:23:49:55 -0500] "GET /default.ida?NNNNNN > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN > NNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3 > %u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00= > a HTTP/1.0" 400 316 "-" "-" > > in my httpd access logs. This just smells like an attemtped buffer > over run exploit at work. It smells like code red. It is a worm which tries to exploit a vulnerability in M$ IIS. Apache (AFAIK) is not vulnerable. The request comes from an infected machine, maybe you want to inform the webmaster about this. Fer To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message