From owner-freebsd-security Sat Jul 21 14:19:35 2001 Delivered-To: freebsd-security@freebsd.org Received: from unix-shells.com (handi4-145-253-158-092.arcor-ip.net [145.253.158.92]) by hub.freebsd.org (Postfix) with ESMTP id C0D9F37B406 for ; Sat, 21 Jul 2001 14:19:29 -0700 (PDT) (envelope-from bjoern@loenneker.com) Received: from mobile (root@localhost [127.0.0.1]) (authenticated) by unix-shells.com (8.11.4/8.11.4) with ESMTP id f6LLJNV60416; Sat, 21 Jul 2001 23:19:24 +0200 (CEST) (envelope-from bjoern@loenneker.com) From: =?iso-8859-1?Q?Bj=F6rn_L=F6nneker?= To: , Subject: RE: possible? Date: Sat, 21 Jul 2001 23:19:20 +0200 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <20010721204942.12010.qmail@salvation.unixgeeks.com> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Nathan, an IIS server compromised by "Code Red Worm" tried to attack you. You are quite safe because only IIS servers are vulnerable to this attack. -- bjoern -----Original Message----- From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of nathan@salvation.unixgeeks.com Sent: Saturday, July 21, 2001 10:50 PM To: freebsd-security@FreeBSD.ORG Subject: possible? okay, today i checked my apache logs this is what i got: 195.10.116.2 - - [19/Jul/2001:15:50:20 -0700] "GET /default.ida?NNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u90 90%u 6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00 %u53 1b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 332 this same exact get request came from several different address as well. such as: 128.138.105.172, 202.157.154.126, and a couple of others. any ideas? any remote exploits in apache i've missed? i'm running Apache/1.3.19 Server.. thanks in advance, nathan. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message