From owner-freebsd-questions Sat Aug 4 10:54:10 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from tao.thought.org (sense-kline-249.oz.net [216.39.168.249]) by hub.freebsd.org (Postfix) with ESMTP id 1328137B403; Sat, 4 Aug 2001 10:53:59 -0700 (PDT) (envelope-from kline@tao.thought.org)
Received: (from kline@localhost) by tao.thought.org (8.11.3/8.11.0) id f74Hrmq09843; Sat, 4 Aug 2001 10:53:48 -0700 (PDT) (envelope-from kline)
Date: Sat, 4 Aug 2001 10:53:47 -0700
From: Gary Kline
To: Gavin Atkinson
Cc: Jon Loeliger, questions@FreeBSD.ORG
Subject: Re: Attempted Buffer Overrun in via httpd?
Message-ID: <20010804105347.B9601@tao.thought.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: from gavin@ury.york.ac.uk on Sat, Aug 04, 2001 at 06:26:13PM +0100
X-Organization: Thought Unlimited. Public service Unix since 1986.
X-Of_Interest: Observing 15 years of service to the Unix community
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sat, Aug 04, 2001 at 06:26:13PM +0100, Gavin Atkinson wrote:
> On Sat, 4 Aug 2001, Jon Loeliger wrote:
>
> > I see a large number of httpd requests that look like this:
> >
> > 211.41.175.10 - - [03/Aug/2001:23:49:55 -0500] "GET /default.ida?NNNNNN
> > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> > NNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3
> > %u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=
> > a HTTP/1.0" 400 316 "-" "-"
> >
> > in my httpd access logs. This just smells like an attempted buffer
> > overrun exploit at work.
>
> Looks like it to me as well - I believe it is the code red worm trying to
> spread. I've had 106 of these and counting since 19th July. It only
> affects unpatched microsoft IIS.
>
> > Anyone recognize it and know anything about it? Should I be worried?
> > I'm running a current (right out of Ports) Apache here.
> >
> > Long live Apache!
>

	Likewise, I noticed this strange GET pattern weeks ago in my
	httpd-access logs and assumed that it was a M$ web attack. Also
	glad for the Nth time to be running this open source (Berkeley)
	Unix. Anything open source beats closed by a league and is as close
	to bullet-proof as possible. And keeps getting closer.

-- 
   Gary D. Kline         kline@thought.org          www.thought.org
          Public service Unix
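The thread identifies the probe by eye and counts it by hand (Gavin's "106 of these and counting"). The following script does the same job over an Apache access log: it parses combined-format lines, flags requests whose target is `/default.ida?` followed by a long run of one repeated byte and a tail of `%uXXXX` escapes, and tallies hits per source address. This is an added example written for this thread, not code from any of the posters or from the FreeBSD project; the log lines are constructed (the first mirrors the request quoted above, with the run of N's shortened), and the repeated-byte check is written generically rather than for `N` only, so it also catches the later variant of the worm that filled the query with `X`.

```python
import re
from collections import Counter

# Apache combined-log prefix: client, ident, user, timestamp, request line,
# status, response size. Referer and User-Agent are not needed for this check.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Code Red probe as quoted in the thread: GET /default.ida? followed by one
# byte repeated many times, then a run of %uXXXX escapes. The repeated byte is
# captured generically ((.)\1{50,}) instead of hard-coding 'N'.
CODE_RED_RE = re.compile(
    r'^/default\.ida\?(.)\1{50,}.*?(?:%u[0-9a-f]{4}){4,}',
    re.IGNORECASE,
)

# Constructed sample log (not from the thread's servers). Line 1 keeps the
# %u tail from the quoted request; lines 2 and 4 are ordinary traffic.
CODE_RED_TAIL = (
    "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3"
    "%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
)
SAMPLE_LOG = "\n".join([
    '211.41.175.10 - - [03/Aug/2001:23:49:55 -0500] "GET /default.ida?'
    + "N" * 60 + CODE_RED_TAIL + ' HTTP/1.0" 400 316 "-" "-"',
    '10.0.0.5 - - [03/Aug/2001:23:50:01 -0500] "GET /index.html HTTP/1.0" '
    '200 2326 "-" "Mozilla/4.0"',
    '211.41.175.10 - - [04/Aug/2001:00:12:17 -0500] "GET /default.ida?'
    + "N" * 60 + "%u9090%u6858%ucbd3%u7801" + ' HTTP/1.0" 400 316 "-" "-"',
    '10.0.0.7 - - [04/Aug/2001:00:13:02 -0500] "GET /default.ida HTTP/1.0" '
    '404 210 "-" "curl/7.9"',
])


def is_code_red(target: str) -> bool:
    """True if the request target matches the Code Red probe pattern."""
    return CODE_RED_RE.match(target) is not None


def parse_line(line: str):
    """Parse one access-log line into a dict, or return None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["code_red"] = is_code_red(rec["target"])
    return rec


def scan(log_text: str) -> Counter:
    """Count Code Red probes per source address over a block of log text."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["code_red"]:
            hits[rec["ip"]] += 1
    return hits


if __name__ == "__main__":
    for ip, n in scan(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} Code Red probe(s)")
```

Run it against a real log with `scan(open("/var/log/httpd-access.log").read())`. The status column is worth watching too: Apache answers these with 400 (as in the quoted line), so the count is a measure of infected hosts scanning you, not of anything that got through.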