Date: Sun, 05 Aug 2001 10:58:45 -0700
From: Kent Stewart <kstewart@urx.com>
To: Mike Meyer <mwm@mired.org>
Cc: Louis LeBlanc <leblanc+freebsd@acadia.ne.mediaone.net>, questions@freebsd.org
Subject: Re: Attempted Buffer Overrun in via httpd?
Message-ID: <3B6D8955.7B346069@urx.com>
References: <15213.29533.375904.18788@guru.mired.org>

Mike Meyer wrote:
>
> Louis LeBlanc <leblanc+freebsd@acadia.ne.mediaone.net> types:
> > Of course, but for each miss, I end up with a message in my inbox
> > notifying me of a 404 encountered on my site. It doesn't happen
> > often, once in a while someone requests favicon.ico, which is probably
> > someone trying an innocuous test to see if I am running a server and
> > which one.
>
> favicon.ico is IE - and any browser that has picked this up as well -
> asking for an icon to use for pages on your site/in that
> directory. You can provide one yourself if you want; I use a beastie
> for mine.

I think I added the one you introduced to fbsd onto my site.

>
> > Anyway, that's the rub. Seems this code red isn't just a worm, it's a
> > network virus, because of the traffic it's generating. If a piddly
> > server like mine gets a hundred hits in the course of 6 hours, what's
> > it doing to the big sites right now? And what is the effect on
> > general network connectivity? Seems the whole net must be bogged
> > down. I know my response times, even to freebsd.org, are down
> > noticeably.
>
> Since it picks IP addresses at random, any given IP address should see
> the same number of hits. Depending on the nature of the RNG used,
> some sites may be immune. Sites running on server farms with lots of
> IP addresses will see the same number of hits per IP as those of us on
> single sites, but the total will be proportionately greater.
>
> What scares me is the possibility of near-exponential growth of the
> thing. I've put up a plot of hits/hour since it started - at about 9am
> CDT - to now at <URL: http://www.mired.org/codered.ps >. Discount the
> last data point - it only includes about 15 minutes of hits. The large
> jump around 9am 8/4 got me, but it seems to have peaked at 45/hour,
> and fallen back to ~15/hour. I can understand the levelling out as the
> population of suspect servers approaches saturation, but why did it
> drop off? Or is the spike just random noise?

Your hit rate is much greater than mine. My complete list of error log
messages is on http://dsl1-160.dynacom.net/code_red.html. The complete
list is only 4 screens of text. I am also seeing a mutation. The first
error log message was the typical one but yesterday, the second one
also started showing up.

[Sun Aug 5 08:31:26 2001] [error] [client 212.205.80.11] \
    Client sent malformed Host header
[Sun Aug 5 08:41:47 2001] [error] [client 24.2.244.206] \
    File does not exist: /usr/local/www/data/default.ida

Kent

>
> > Even connectivity to mail systems seems much slower. Is this stupid
> > worm hitting mail servers too?
>
> Nope.
>
> <mike

--
Kent Stewart
Richland, WA

Cool site http://www.bmwfilms.com
mailto:kbstew99@hotmail.com
http://kstewart.urx.com/kstewart/index.html
http://daily.daemonnews.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
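
Added example, not part of the original message or thread: one way to get the hits/hour figures discussed above from an Apache error log, counting the two messages Kent quotes per hour and per client. The function names, the signature labels and the sample lines beyond the two quoted entries are assumptions made for this example; timestamps are parsed assuming English day and month names.

```python
import re
from collections import Counter
from datetime import datetime

# Apache 1.3 error_log entry: [timestamp] [error] [client IP] message
ENTRY = re.compile(r"\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] (?P<msg>.*)")

# The two messages quoted in the post; the labels are names chosen for this example.
SIGNATURES = {
    "default.ida": re.compile(r"File does not exist: \S*/default\.ida"),
    "malformed-host": re.compile(r"Client sent malformed Host header"),
}

def join_continuations(text):
    """Rejoin entries wrapped with a trailing backslash, as quoted in the post."""
    return re.sub(r"\s*\\\s*\n\s*", " ", text).splitlines()

def classify(msg):
    for label, pattern in SIGNATURES.items():
        if pattern.search(msg):
            return label
    return None  # unrelated 404s (e.g. favicon.ico) are not counted

def hits_per_hour(text):
    """Return (Counter keyed by (hour, label), set of client IPs that matched)."""
    buckets, clients = Counter(), set()
    for line in join_continuations(text):
        m = ENTRY.match(line.strip())
        label = classify(m.group("msg")) if m else None
        if label is None:
            continue
        # split() collapses ctime-style day padding ("Aug  5") before parsing
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%a %b %d %H:%M:%S %Y")
        buckets[(ts.strftime("%Y-%m-%d %H:00"), label)] += 1
        clients.add(m.group("ip"))
    return buckets, clients

# Constructed sample: the two quoted entries plus two made-up lines (192.0.2.0/24 is a documentation range).
SAMPLE = """\
[Sun Aug 5 08:31:26 2001] [error] [client 212.205.80.11] \\
    Client sent malformed Host header
[Sun Aug 5 08:41:47 2001] [error] [client 24.2.244.206] \\
    File does not exist: /usr/local/www/data/default.ida
[Sun Aug  5 09:02:10 2001] [error] [client 192.0.2.7] File does not exist: /usr/local/www/data/default.ida
[Sun Aug  5 09:15:00 2001] [error] [client 192.0.2.9] File does not exist: /usr/local/www/data/favicon.ico
"""

if __name__ == "__main__":
    print(hits_per_hour(SAMPLE))
```

Bucketing by signature as well as by hour keeps the two messages apart, so a change in the mix of probes shows up separately from a change in overall volume.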