From owner-freebsd-questions Sat Aug 4 17:33:16 2001 Delivered-To: freebsd-questions@freebsd.org Received: from bobflash.com (cc744631-a.srst1.fl.home.com [24.3.123.29]) by hub.freebsd.org (Postfix) with ESMTP id 9B10637B401 for ; Sat, 4 Aug 2001 17:33:11 -0700 (PDT) (envelope-from rob@bobflash.com) Received: from vbbob (g0d0r.bobflash [192.168.1.101]) by bobflash.com (8.11.4/8.11.3) with SMTP id f74KU0H14448 for ; Sat, 4 Aug 2001 20:30:01 GMT (envelope-from rob@bobflash.com) From: "Rob Flash" To: Subject: RE: Attempted Buffer Overrun in via httpd? Date: Sat, 4 Aug 2001 20:31:59 -0400 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2505.0000 In-Reply-To: <20010804201849.A30510@acadia.ne.mediaone.net> Importance: Normal Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG Thats just someone infected with the code red worm scanning you. I have 1000's of those in my logs, no big deal... doesn't affect apache in anyway I've seen. -Rob -----Original Message----- From: owner-freebsd-questions@FreeBSD.ORG [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Louis LeBlanc Sent: Saturday, August 04, 2001 8:19 PM To: questions@FreeBSD.ORG Subject: Re: Attempted Buffer Overrun in via httpd? I got about 100 of these sent to my webmaster account as 404 warnings before deciding to just block ports 80 and 443 for now. It's gotten to be a pain in the ass. Looks like M$ bugs us *nix enthusiasts even if we avoid them altogether :( Check out the message I've attached, it shows pretty much the same request. I'm afraid to look at all the port 80 denials I'll be showing in my logs now! Lou On 08/04/01 12:23 PM, Jon Loeliger sat at the `puter and typed: > Folks, > > I see a large number of httpd requests that look like this: > > 211.41.175.10 - - [03/Aug/2001:23:49:55 -0500] "GET /default.ida?NNNNNN > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN > NNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3 > %u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00= > a HTTP/1.0" 400 316 "-" "-" > > in my httpd access logs. This just smells like an attemtped buffer > over run exploit at work. > > Anyone recognize it and know anything about it? Should I be worried? > I'm running a current (right out of Ports) Apache here. > > Thanks, > jdl > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-questions" in the body of the message > -- Louis LeBlanc leblanc@acadia.ne.mediaone.net Fully Funded Hobbyist, KeySlapper Extrordinaire :) http://acadia.ne.mediaone.net ԿԬ management, n.: The art of getting other people to do all the work. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message