From owner-freebsd-questions  Sat Aug  4 10:47:28 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from falcon.mail.pas.earthlink.net (falcon.mail.pas.earthlink.net [207.217.120.74])
	by hub.freebsd.org (Postfix) with ESMTP id 4E6CF37B401
	for <questions@FreeBSD.ORG>; Sat,  4 Aug 2001 10:47:25 -0700 (PDT)
	(envelope-from B-Morgan@concentric.net)
Received: from cos80474 (cpe-24-221-198-127.co.sprintbbd.net [24.221.198.127])
	by falcon.mail.pas.earthlink.net (EL-8_9_3_3/8.9.3) with SMTP id KAA07212
	for <questions@FreeBSD.ORG>; Sat, 4 Aug 2001 10:47:24 -0700 (PDT)
From: "Brad Morgan" <B-Morgan@concentric.net>
Cc: <questions@FreeBSD.ORG>
Subject: RE: Attempted Buffer Overrun in via httpd? 
Date: Sat, 4 Aug 2001 11:47:23 -0600
Message-ID: <NABBJOOEOFODEALNMJAJOEBOEDAA.B-Morgan@concentric.net>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <E15T5RI-000B0V-00@jdl.com>
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Importance: Normal
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

I'm seeing the same thing.  If its Code Red, it looks like it took a few
days to get rolling.

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG
[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Jon Loeliger
Sent: Saturday, August 04, 2001 11:42 AM
To: Fernando Gleiser
Cc: questions@FreeBSD.ORG
Subject: Re: Attempted Buffer Overrun in via httpd?


So, like Fernando Gleiser was saying to me just the other day:
>
> It smells like code red. It is a worm which tries to exploit a
vulnerability
> in M$ IIS.

Ah!  Duh.  Wait, I'm catching up here...  What's the current virus
knocking on everyone's door?  Oh yeah, _I_ remember now!  Code Red.

> Apache (AFAIK) is not vulnerable.

Excellent.

> The request comes from an infected machine, maybe you want to inform the
> webmaster about this.

Heh.  If I were to do that, I'd do _nothing_ else!  I have hundreds
of them, and they are mostly from various dial-up looking DNS names.

Ugh.


Thanks for the info!,
jdl

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message