From owner-freebsd-security Thu Mar 7 22: 3:53 2002
Delivered-To: freebsd-security@freebsd.org
Received: from odin.ac.hmc.edu (Odin.AC.HMC.Edu [134.173.32.75]) by hub.freebsd.org (Postfix) with ESMTP id C239D37B400 for ; Thu, 7 Mar 2002 22:03:46 -0800 (PST)
Received: from boredom (dickie.ST.HMC.Edu [134.173.59.94]) by odin.ac.hmc.edu (8.11.0/8.11.0) with SMTP id g2863k829023; Thu, 7 Mar 2002 22:03:46 -0800
Message-ID: <000401c1c666$e87b19b0$5e3bad86@boredom>
From: "Jeff Jirsa"
To: "krzysztof Strzelczyk" ,
References: <20020308055639.62629.qmail@web14805.mail.yahoo.com>
Subject: Re: Code Red??
Date: Thu, 7 Mar 2002 22:03:03 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

> Hello,
>
> I've been going through docs and all signs
> indicate that this is a system infected with code red.

Heh, no.

> [Fri Mar 8 00:00:50 2002] [error] [client
> 195.218.232.26] File does not exist:
> /usr/local/www/data/default.ida
> [Fri Mar 8 00:06:47 2002] [error] [client
> 217.128.238.66] File does not exist:
> /usr/local/www/data/default.ida
> [Fri Mar 8 00:09:46 2002] [error] [client
> 24.61.208.188] File does not exist:
> /usr/local/www/data/default.ida
> [Fri Mar 8 00:17:40 2002] [error] [client
> 61.132.208.81] File does not exist:
> /usr/local/www/data/default.ida
> [Fri Mar 8 00:26:55 2002] [notice] caught SIGTERM,
> shutting down
>
> If so, does anybody know how to break this down?

You're slightly misled. The default.ida scans are probably looking for a vulnerable IIS server, but apache certainly isn't vulnerable.

It happens almost daily, to everyone (It's happened 73 times to me, since my logs were rotated last):

    # ~ : grep default.ida /usr/local/etc/apache/logs/httpd-access-log | wc -l
    73

The message you're seeing is apache not finding the file default.ida (it would return 404 to the client). It's nothing to be worried about (annoyed, irritated, maybe, but not worried). I'm assuming the term signal was something unrelated, like a planned shutdown.

- Jeff Jirsa
jjirsa@hmc.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
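
An added example, not part of the original message: the same count as the grep above, broken down per source from an error log in the format quoted in the thread. The function names are hypothetical, and the sample log is constructed with documentation-range addresses.

```shell
#!/bin/sh
# Write a constructed sample error log (one entry per line, as Apache logs it).
write_sample_log() {
    cat > "$1" <<'EOF'
[Fri Mar  8 00:00:50 2002] [error] [client 192.0.2.10] File does not exist: /usr/local/www/data/default.ida
[Fri Mar  8 00:06:47 2002] [error] [client 198.51.100.7] File does not exist: /usr/local/www/data/default.ida
[Fri Mar  8 00:09:46 2002] [error] [client 192.0.2.10] File does not exist: /usr/local/www/data/default.ida
[Fri Mar  8 00:12:01 2002] [error] [client 203.0.113.5] File does not exist: /usr/local/www/data/favicon.ico
[Fri Mar  8 00:17:40 2002] [error] [client 203.0.113.5] File does not exist: /usr/local/www/data/default.ida
[Fri Mar  8 00:26:55 2002] [notice] caught SIGTERM, shutting down
EOF
}

# Print "count client" for every source that requested default.ida and was
# answered with "File does not exist" (the request failed, nothing was served).
# Busiest source first; ties are ordered by address.
ida_probe_clients() {
    awk '
        /\[error\] \[client [0-9.]+\] File does not exist: .*\/default\.ida$/ {
            # Pull the address out of the "[client a.b.c.d]" field.
            if (match($0, /\[client [0-9.]+\]/)) {
                client = substr($0, RSTART + 8, RLENGTH - 9)
                hits[client]++
            }
        }
        END { for (c in hits) print hits[c], c }
    ' "$1" | sort -k1,1nr -k2,2
}

# Total number of default.ida probes, comparable to "grep ... | wc -l"
# but ignoring unrelated lines that merely mention the file name.
ida_probe_total() {
    ida_probe_clients "$1" | awk '{ n += $1 } END { print n + 0 }'
}

# Demo on the constructed sample.
sample=$(mktemp)
write_sample_log "$sample"
ida_probe_clients "$sample"
echo "total default.ida probes: $(ida_probe_total "$sample")"
rm -f "$sample"
```

The favicon.ico miss and the SIGTERM notice are skipped, which is the same distinction drawn in the reply: the probes are failed requests, and the shutdown line is unrelated to them.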