From owner-freebsd-security Sat Jul 21 14:17:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp8.xs4all.nl (smtp8.xs4all.nl [194.109.127.134]) by hub.freebsd.org (Postfix) with ESMTP id 8A04437B408 for ; Sat, 21 Jul 2001 14:17:31 -0700 (PDT) (envelope-from wkb@freebie.xs4all.nl) Received: from freebie.xs4all.nl (freebie.xs4all.nl [213.84.32.253]) by smtp8.xs4all.nl (8.9.3/8.9.3) with ESMTP id XAA17911; Sat, 21 Jul 2001 23:17:28 +0200 (CEST) Received: (from wkb@localhost) by freebie.xs4all.nl (8.11.4/8.11.4) id f6LLHRo20420; Sat, 21 Jul 2001 23:17:27 +0200 (CEST) (envelope-from wkb) Date: Sat, 21 Jul 2001 23:17:27 +0200 From: Wilko Bulte To: nathan@salvation.unixgeeks.com Cc: freebsd-security@FreeBSD.ORG Subject: Re: possible? Message-ID: <20010721231727.A20401@freebie.xs4all.nl> References: <20010721204942.12010.qmail@salvation.unixgeeks.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010721204942.12010.qmail@salvation.unixgeeks.com>; from nathan@salvation.unixgeeks.com on Sat, Jul 21, 2001 at 08:49:42PM -0000 X-OS: FreeBSD 4.3-STABLE X-PGP: finger wilko@freebsd.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sat, Jul 21, 2001 at 08:49:42PM -0000, nathan@salvation.unixgeeks.com wrote: **SIGH** This is an attack destined for M$'s IIS, not for Apache. Please see the Internet, half of the traffic it carries is (about) this bloody attack. Wilko > okay, today i checked my apache logs this is what i got: > > 195.10.116.2 - - [19/Jul/2001:15:50:20 -0700] "GET /default.ida?NNNNNNNNNNNNNNNN > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u > 6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u53 > 1b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 332 > > this same exact get request came from several different address as well. such > as: 128.138.105.172, 202.157.154.126, and a couple of others. any ideas? any > remote exploits in apache i've missed? i'm running Apache/1.3.19 Server.. > > thanks in advance, > nathan. > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message ---end of quoted text--- -- | / o / / _ Arnhem, The Netherlands email: wilko@FreeBSD.org |/|/ / / /( (_) Bulte "Youth is not a time in life, it is a state of mind" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message